©2019 by Raghavendra Kambhampati

AWS SA Associate Practice Questions-8

151. Which of the following statements is true of tagging an Amazon EC2 resource?

A. You don’t need to specify the resource identifier while terminating a resource.

B. You can terminate, stop, or delete a resource based solely on its tags.

C. You can’t terminate, stop, or delete a resource based solely on its tags.

D. You don’t need to specify the resource identifier while stopping a resource.

Answer: C

Explanation:

You can assign tags only to resources that already exist. You can’t terminate, stop, or delete a resource based solely on its tags; you must specify the resource identifier.

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/Using_Tags.html

152. You have been setting up an Amazon Virtual Private Cloud (Amazon VPC) for your company, including setting up subnets. Security is a concern, and you are not sure which is the best security practice for securing subnets in your VPC. Which statement below is correct in describing the protection of AWS resources in each subnet?

A. You can use multiple layers of security, including security groups and network access control lists (ACL).

B. You can only use access control lists (ACL).

C. You don’t need any security in subnets.

D. You can use multiple layers of security, including security groups, network access control lists (ACL) and CloudHSM.

Answer: A

Explanation:

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. Use a public subnet for resources that must be connected to the Internet, and a private subnet for resources that won’t be connected to the Internet.

To protect the AWS resources in each subnet, you can use multiple layers of security, including security groups and network access control lists (ACL).

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Introduction.html

153. You have been asked to tighten up the password policies in your organization after a serious security breach, so you need to consider every possible security measure. Which of the following is not an account password policy for IAM Users that can be set?

A. Force IAM users to contact an account administrator when the user has allowed his or her password to expire.

B. A minimum password length.

C. Force IAM users to contact an account administrator when the user has entered his password incorrectly.

D. Prevent IAM users from reusing previous passwords.

Answer: C

Explanation:

IAM users need passwords in order to access the AWS Management Console. (They do not need passwords if they will access AWS resources programmatically by using the CLI, AWS SDKs, or the APIs.) You can use a password policy to do these things:

Set a minimum password length.

Require specific character types, including uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Be sure to remind your users that passwords are case sensitive.

Allow all IAM users to change their own passwords.

Require IAM users to change their password after a specified period of time (enable password expiration).

Prevent IAM users from reusing previous passwords.

Force IAM users to contact an account administrator when the user has allowed his or her password to expire.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html

154. Your organization is in the business of architecting complex transactional databases. For a variety of reasons, this has been done on EBS. What is AWS’s recommendation for customers who have architected databases using EBS for backups?

A. Backups to Amazon S3 be performed through the database management system.

B. Backups to AWS Storage Gateway be performed through the database management system.

C. If you take regular snapshots no further backups are required.

D. Backups to Amazon Glacier be performed through the database management system.

Answer: A

Explanation:

Data stored in Amazon EBS volumes is redundantly stored in multiple physical locations as part of normal operation of those services and at no additional charge.

However, Amazon EBS replication is stored within the same Availability Zone, not across multiple zones; therefore, it is highly recommended that you conduct regular snapshots to Amazon S3 for long-term data durability.

For customers who have architected complex transactional databases using EBS, it is recommended that backups to Amazon S3 be performed through the database management system so that distributed transactions and logs can be checkpointed.

AWS does not perform backups of data that are maintained on virtual disks attached to running instances on Amazon EC2.

Reference: http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf

155. You have three Amazon EC2 instances with Elastic IP addresses in the US East (Virginia) region, and you want to distribute requests across all three IPs evenly for users for whom US East (Virginia) is the appropriate region. How many EC2 instances would be sufficient to distribute requests in other regions?

A. 3

B. 9

C. 2

D. 1

Answer: D

Explanation:

If your application is running on Amazon EC2 instances in two or more Amazon EC2 regions, and if you have more than one Amazon EC2 instance in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to instances within the region based on weights that you specify. For example, suppose you have three Amazon EC2 instances with Elastic IP addresses in the US East (Virginia) region and you want to distribute requests across all three IPs evenly for users for whom US East (Virginia) is the appropriate region. Just one Amazon EC2 instance is sufficient in the other regions, although you can apply the same technique to many regions at once.

Reference: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Tutorials.html

156. A user has created a CloudFormation stack. The stack creates AWS services, such as EC2 instances, ELB, Auto Scaling, and RDS. While creating the stack it created EC2, ELB and Auto Scaling but failed to create RDS. What will CloudFormation do in this scenario?

A. Rollback all the changes and terminate all the created services

B. It will wait for the user’s input about the error and correct the mistake after the input

C. CloudFormation can never throw an error after launching a few services since it verifies all the steps before launching

D. It will warn the user about the error and ask the user to manually create RDS

Answer: A

Explanation:

AWS CloudFormation is an application management tool which provides application modeling, deployment, configuration, management and related activities. The AWS CloudFormation stack is a collection of AWS resources which are created and managed as a single unit when AWS CloudFormation instantiates a template. If any of the services fails to launch, CloudFormation will roll back all the changes and terminate or delete all the created services.

Reference: http://aws.amazon.com/cloudformation/faqs/

157. A major client who has been spending a lot of money on his internet service provider asks you to set up an AWS Direct Connection to try and save him some money. You know he needs high-speed connectivity. Which connection port speeds are available on AWS Direct Connect?

A. 500Mbps and 1Gbps

B. 1Gbps and 10Gbps

C. 100Mbps and 1Gbps

D. 1Gbps

Answer: B

Explanation:

AWS Direct Connect is a network service that provides an alternative to using the internet to utilize AWS cloud services. Using AWS Direct Connect, data that would have previously been transported over the Internet can now be delivered through a private network connection between AWS and your datacenter or corporate network. 1Gbps and 10Gbps ports are available. Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be ordered from any APN partners supporting AWS Direct Connect.

Reference: https://aws.amazon.com/directconnect/faqs/

158. In Amazon EC2, what is the limit of Reserved Instances per Availability Zone each month?

A. 5

B. 20

C. 50

D. 10

Answer: B

Explanation:

There are 20 Reserved Instances per Availability Zone in each month.

Reference: http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html

159. You have just finished setting up an advertisement server in which one of the obvious choices for a service was Amazon Elastic Map Reduce (EMR) and are now troubleshooting some weird cluster states that you are seeing. Which of the below is not an Amazon EMR cluster state?

A. STARTING

B. STOPPED

C. RUNNING

D. WAITING

Answer: B

Explanation:

Amazon Elastic Map Reduce (EMR) is a web service that enables businesses, researchers, data analysts, and developers to easily and cost-effectively process vast amounts of data. Amazon EMR historically referred to an Amazon EMR cluster (and all processing steps assigned to it) as a “cluster”. Every cluster has a unique identifier that starts with “j-”. The different cluster states of an Amazon EMR cluster are listed below.

STARTING: The cluster provisions, starts, and configures EC2 instances.

BOOTSTRAPPING: Bootstrap actions are being executed on the cluster.

RUNNING: A step for the cluster is currently being run.

WAITING: The cluster is currently active, but has no steps to run.

TERMINATING: The cluster is in the process of shutting down.

TERMINATED: The cluster was shut down without error.

TERMINATED_WITH_ERRORS: The cluster was shut down with errors.

Reference: https://aws.amazon.com/elasticmapreduce/faqs/

160. The AWS CloudHSM service defines a resource known as a high-availability (HA) , which is a virtual partition that represents a group of partitions, typically distributed between several physical HSMs for high-availability.

A. proxy group

B. partition group

C. functional group

D. relational group

Answer: B

Explanation:

The AWS CloudHSM service defines a resource known as a high-availability (HA) partition group, which is a virtual partition that represents a group of partitions, typically distributed between several physical HSMs for high-availability.

Reference: http://docs.aws.amazon.com/cloudhsm/latest/userguide/configuring-ha.html

161. Is it possible to get a history of all EC2 API calls made on your account for security analysis and operational troubleshooting purposes?

A. Yes, by default, the history of your API calls is logged.

B. Yes, you should turn on CloudTrail in the AWS console.

C. No, you can only get a history of VPC API calls.

D. No, you cannot store history of EC2 API calls on Amazon.

Answer: B

Explanation:

To get a history of all EC2 API calls (including VPC and EBS) made on your account, you simply turn on CloudTrail in the AWS Management Console.

Reference: https://aws.amazon.com/ec2/faqs/

162. You have just set up your first Elastic Load Balancer (ELB) but it does not seem to be configured properly. You discover that before you start using ELB, you have to configure the listeners for your load balancer. Which protocols does ELB use to support the load balancing of applications?

A. HTTP and HTTPS

B. HTTP, HTTPS , TCP, SSL and SSH

C. HTTP, HTTPS , TCP, and SSL

D. HTTP, HTTPS , TCP, SSL and SFTP

Answer: C

Explanation:

Before you start using Elastic Load Balancing (ELB), you have to configure the listeners for your load balancer. A listener is a process that listens for connection requests. It is configured with a protocol and a port number for front-end (client to load balancer) and back-end (load balancer to back-end instance) connections. Elastic Load Balancing supports the load balancing of applications using HTTP, HTTPS (secure HTTP), TCP, and SSL (secure TCP) protocols. HTTPS uses the SSL protocol to establish secure connections over the HTTP layer. You can also use the SSL protocol to establish secure connections over the TCP layer. The acceptable ports for both HTTPS/SSL and HTTP/TCP connections are 25, 80, 443, 465, 587, and 1024-65535.

Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-listener-config.html

163. After setting up some EC2 instances you now need to set up a monitoring solution to keep track of these instances and to send you an email when the CPU hits a certain threshold. Which statement below best describes what thresholds you can set to trigger a CloudWatch Alarm?

A. Set a target value and choose whether the alarm will trigger when the value is greater than (>), greater than or equal to (>=), less than (<), or less than or equal to (<=) that value.

B. Thresholds need to be set in IAM not CloudWatch

C. Only default thresholds can be set; you can’t choose your own thresholds.

D. Set a target value and choose whether the alarm will trigger when the value hits this threshold

Answer: A

Explanation:

Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, and set alarms. When you create an alarm, you first choose the Amazon CloudWatch metric you want it to monitor. Next, you choose the evaluation period (e.g., five minutes or one hour) and a statistical value to measure (e.g., Average or Maximum).

To set a threshold, set a target value and choose whether the alarm will trigger when the value is greater than (>), greater than or equal to (>=), less than (<), or less than or equal to (<=) that value.

Reference: http://aws.amazon.com/cloudwatch/faqs/

164. After moving an E-Commerce website for a client from a dedicated server to AWS you have also set up Auto Scaling to perform health checks on the instances in your group and replace instances that fail these checks. Your client has come to you with his own health check system that he wants you to use as it has proved to be very useful prior to his site running on AWS. What do you think would be an appropriate response to this given all that you know about Auto Scaling?

A. It is not possible to implement your own health check system. You need to use AWS’s health check system.

B. It is not possible to implement your own health check system due to compatibility issues.

C. It is possible to implement your own health check system and then send the instance’s health information directly from your system to CloudWatch.

D. It is possible to implement your own health check system and then send the instance’s health information directly from your system to CloudWatch but only in the US East (N. Virginia) region.

Answer: C

Explanation:

Auto Scaling periodically performs health checks on the instances in your group and replaces instances that fail these checks. By default, these health checks use the results of EC2 instance status checks to determine the health of an instance. If you use a load balancer with your Auto Scaling group, you can optionally choose to include the results of Elastic Load Balancing health checks. Auto Scaling marks an instance unhealthy if the call to the Amazon EC2 action DescribeInstanceStatus returns any state other than running, the system status shows impaired, or the call to the Elastic Load Balancing action DescribeInstanceHealth returns OutOfService in the instance state field. After an instance is marked unhealthy because of an Amazon EC2 or Elastic Load Balancing health check, it is scheduled for replacement.

You can customize the health check conducted by your Auto Scaling group by specifying additional checks or by having your own health check system and then sending the instance’s health information directly from your system to Auto Scaling.

Reference: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/healthcheck.html

165. When does the billing of an Amazon EC2 system begin?

A. It starts when the Status column for your distribution changes from Creating to Deployed.

B. It starts as soon as you click the create instance option on the main EC2 console.

C. It starts when your instance reaches 720 instance hours.

D. It starts when Amazon EC2 initiates the boot sequence of an AMI instance.

Answer: D

Explanation:

Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance. Billing ends when the instance terminates, which could occur through a web services command, by running “shutdown -h”, or through instance failure. When you stop an instance, Amazon shuts it down but doesn’t charge hourly usage for a stopped instance, or data transfer fees, but charges for the storage for any Amazon EBS volumes.

Reference: http://aws.amazon.com/ec2/faqs/

166. You have just discovered that you can upload your objects to Amazon S3 using the Multipart Upload API. You start to test it out but are unsure of the benefits that it would provide. Which of the following is not a benefit of using multipart uploads?

A. You can begin an upload before you know the final object size.

B. Quick recovery from any network issues.

C. Pause and resume object uploads.

D. It’s more secure than normal upload.

Answer: D

Explanation:

Multipart upload in Amazon S3 allows you to upload a single object as a set of parts. Each part is a contiguous portion of the object’s data. You can upload these object parts independently and in any order. If transmission of any part fails, you can re-transmit that part without affecting other parts. After all parts of your object are uploaded, Amazon S3 assembles these parts and creates the object. In general, when your object size reaches 100 MB, you should consider using multipart uploads instead of uploading the object in a single operation.

Using multipart upload provides the following advantages:

Improved throughput: You can upload parts in parallel to improve throughput.

Quick recovery from any network issues: Smaller part size minimizes the impact of restarting a failed upload due to a network error.

Pause and resume object uploads: You can upload object parts over time. Once you initiate a multipart upload there is no expiry; you must explicitly complete or abort the multipart upload.

Begin an upload before you know the final object size: You can upload an object as you are creating it.

Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/uploadobjusingmpu.html

167. What is the data model of DynamoDB?

A. Since DynamoDB is schema-less, there is no data model.

B. “Items”, with Keys and one or more Attribute; and “Attribute”, with Name and Value.

C. “Table”, a collection of Items; “Items”, with Keys and one or more Attribute; and “Attribute”, with Name and Value.

D. “Database”, which is a set of “Tables”, which is a set of “Items”, which is a set of “Attributes”.

Answer: C

Explanation:

The data model of DynamoDB is: “Table”, a collection of Items; “Items”, with Keys and one or more Attribute; “Attribute”, with Name and Value.

Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/DataModel.html

168. What happens to Amazon EBS root device volumes, by default, when an instance terminates?

A. Amazon EBS root device volumes are moved to IAM.

B. Amazon EBS root device volumes are copied into Amazon RDS.

C. Amazon EBS root device volumes are automatically deleted.

D. Amazon EBS root device volumes remain in the database until you delete them.

Answer: C

Explanation:

By default, Amazon EBS root device volumes are automatically deleted when the instance terminates.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/terminating-instances.html

169. Which of the following would you use to list your AWS Import/Export jobs?

A. Amazon RDS

B. AWS Import/Export Web Service Tool

C. Amazon S3 REST API

D. AWS Elastic Beanstalk

Answer: C

Explanation:

You can list AWS Import/Export jobs with the ListJobs command using the command line client or REST API.

Reference: http://docs.aws.amazon.com/AWSImportExport/latest/DG/ListingYourJobs.html

170. A gaming company comes to you and asks you to build them infrastructure for their site. They are not sure how big they will be as, like all start-ups, they have limited money and big ideas. What they do tell you is that if the game becomes successful, like one of their previous games, it may rapidly grow to millions of users and generate tens (or even hundreds) of thousands of writes and reads per second. After considering all of this, you decide that they need a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Which of the following databases do you think would best fit their needs?

A. Amazon DynamoDB

B. Amazon Redshift

C. Any non-relational database.

D. Amazon SimpleDB

Answer: A

Explanation:

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables customers to offload the administrative burdens of operating and scaling distributed databases to AWS, so they don’t have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.

Today’s web-based applications generate and consume massive amounts of data. For example, an online game might start out with only a few thousand users and a light database workload consisting of 10 writes per second and 50 reads per second. However, if the game becomes successful, it may rapidly grow to millions of users and generate tens (or even hundreds) of thousands of writes and reads per second. It may also create terabytes or more of data per day. Developing your applications against Amazon DynamoDB enables you to start small and simply dial up your request capacity for a table as your requirements scale, without incurring downtime. You pay highly cost-efficient rates for the request capacity you provision, and let Amazon DynamoDB do the work of partitioning your data and traffic over sufficient server capacity to meet your needs. Amazon DynamoDB does the database management and administration, and you simply store and request your data. Automatic replication and failover provide built-in fault tolerance, high availability, and data durability. Amazon DynamoDB gives you the peace of mind that your database is fully managed and can grow with your application requirements.

Reference: http://aws.amazon.com/dynamodb/faqs/

171. Mike is appointed as Cloud Consultant in Netcrak Inc. Netcrak has the following VPCs set up in the US East Region: a VPC with CIDR block 10.10.0.0/16, with a subnet in that VPC with CIDR block 10.10.1.0/24; and a VPC with CIDR block 10.40.0.0/16, with a subnet in that VPC with CIDR block 10.40.1.0/24. Netcrak Inc is trying to establish a network connection between two subnets, a subnet with CIDR block 10.10.1.0/24 and another subnet with CIDR block 10.40.1.0/24. Which one of the following solutions should we recommend to Netcrak Inc?

A. Create 2 Virtual Private Gateways and configure one with each VPC.

B. Create one EC2 instance in each subnet, assign Elastic IPs to both instances, and configure a Site-to-Site VPN connection between both EC2 instances.

C. Create a VPC Peering connection between both VPCs.

D. Create 2 Internet Gateways, and attach one to each VPC.

Answer: C

Explanation:

A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. EC2 instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region. AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.html

172. A favored client needs you to quickly deploy a database that is a relational database service with minimal administration as he wants to spend the least amount of time administering it. Which database would be the best option?

A. Amazon SimpleDB

B. Your choice of relational AMIs on Amazon EC2 and EBS.

C. Amazon RDS

D. Amazon Redshift

Answer: C

Explanation:

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity while managing time-consuming database administration tasks, freeing you up to focus on your applications and business.

Amazon RDS gives you access to the capabilities of a familiar MySQL, Oracle, SQL Server, or PostgreSQL database engine. This means that the code, applications, and tools you already use today with your existing databases can be used with Amazon RDS. Amazon RDS automatically patches the database software and backs up your database, storing the backups for a user-defined retention period and enabling point-in-time recovery.

Reference: https://aws.amazon.com/running_databases/#rds_anchor

173. You’re trying to delete an SSL certificate from the IAM certificate store, and you’re getting the message “Certificate: <certificate-id> is being used by CloudFront.” Which of the following statements is probably the reason why you are getting this error?

A. Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CloudFront certificate.

B. You can’t delete SSL certificates. You need to request it from AWS.

C. Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM

D. Before you can delete an SSL certificate you need to set up https on your server.

Answer: A

Explanation:

CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, and image files, to end users.

Every CloudFront web distribution must be associated either with the default CloudFront certificate or with a custom SSL certificate. Before you can delete an SSL certificate, you need to either rotate SSL certificates (replace the current custom SSL certificate with another custom SSL certificate) or revert from using a custom SSL certificate to using the default CloudFront certificate.

Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Troubleshooting.html

174. How many types of block devices does Amazon EC2 support?

A. 4

B. 5

C. 2

D. 1

Answer: C

Explanation:

Amazon EC2 supports 2 types of block devices.

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/block-device-mapping-concepts.html

175. You need to set up security for your VPC and you know that Amazon VPC provides two features that you can use to increase security for your VPC: Security groups and network access control lists (ACLs). You start to look into security groups first. Which statement below is incorrect in relation to security groups?

A. Are stateful: Return traffic is automatically allowed, regardless of any rules.

B. Evaluate all rules before deciding whether to allow traffic.

C. Support allow rules and deny rules.

D. Operate at the instance level (first layer of defense).

Answer: C

Explanation:

Amazon VPC provides two features that you can use to increase security for your VPC:

Security groups: Act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level, and support allow rules only.

Network access control lists (ACLs): Act as a firewall for associated subnets, controlling both inbound and outbound traffic at the subnet level, and support allow rules and deny rules.

Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Security.html

176. You are setting up some IAM user policies and have also become aware that some services support resource-based permissions, which let you attach policies to the service’s resources instead of to IAM users or groups. Which of the below statements is true in regards to resource-level permissions?

A. All services support resource-level permissions for all actions.

B. Resource-level permissions are supported by Amazon CloudFront

C. All services support resource-level permissions only for some actions.

D. Some services support resource-level permissions only for some actions.

Answer: D

Explanation:

AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. The service is targeted at organizations with multiple users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console. With IAM, you can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.

In addition to supporting IAM user policies, some services support resource-based permissions, which let you attach policies to the service’s resources instead of to IAM users or groups. Resource-based permissions are supported by Amazon S3, Amazon SNS, and Amazon SQS. Services that support resource-level permissions accept IAM policies in which you specify individual resources using Amazon Resource Names (ARNs) in the policy’s Resource element. Some services support resource-level permissions only for some actions.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html

177. A user wants to increase the durability and availability of the EBS volume. Which of the below mentioned actions should he perform?

A. Take regular snapshots.

B. Create an AMI.

C. Create EBS with higher capacity.

D. Access EBS regularly.

Answer: A

Explanation:

In Amazon Web Services, Amazon EBS volumes that operate with 20 GB or less of modified data since their most recent snapshot can expect an annual failure rate (AFR) between 0.1% and 0.5%. For this reason, to maximize both durability and availability of their Amazon EBS data, the user should frequently create snapshots of the Amazon EBS volumes.

Reference: http://media.amazonwebservices.com/AWS_Storage_Options.pdf

178. In relation to AWS CloudHSM, High-availability (HA) recovery is hands-off resumption by failed HA group members. Prior to the introduction of this function, the HA feature provided redundancy and performance, but required that a failed/lost group member be reinstated.

A. automatically

B. periodically

C. manually

D. continuously

Answer: C

Explanation:

In relation to AWS CloudHSM, High-availability (HA) recovery is hands-off resumption by failed HA group members. Prior to the introduction of this function, the HA feature provided redundancy and performance, but required that a failed/lost group member be manually reinstated.

Reference: http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-best-practices.html

179. You have created a Route 53 latency record set from your domain to a machine in Northern Virginia and a similar record to a machine in Sydney. When a user located in the US visits your domain he will be routed to:

A. Northern Virginia

B. Sydney

C. Both, Northern Virginia and Sydney

D. Depends on the Weighted Resource Record Sets

Answer: A

Explanation:

If your application is running on Amazon EC2 instances in two or more Amazon EC2 regions, and if you have more than one Amazon EC2 instance in one or more regions, you can use latency-based routing to route traffic to the correct region and then use weighted resource record sets to route traffic to instances within the region based on weights that you specify. For example, suppose you have three Amazon EC2 instances with Elastic IP addresses in the US East (Virginia) region and you want to distribute requests across all three IPs evenly for users for whom US East (Virginia) is the appropriate region. Just one Amazon EC2 instance is sufficient in the other regions, although you can apply the same technique to many regions at once.

Reference: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/Tutorials.html

180. Any person or application that interacts with AWS requires security credentials. AWS uses these credentials to identify who is making the call and whether to allow the requested access. You have just set up a VPC network for a client and you are now thinking about the best way to secure this network. You set up a security group called vpcsecuritygroup. Which following statement is true in respect to the initial settings that will be applied to this security group if you choose to use the default settings for this group?

A. Allow all inbound traffic and allow no outbound traffic.

B. Allow no inbound traffic and allow all outbound traffic.

C. Allow inbound traffic on port 80 only and allow all outbound traffic.

D. Allow all inbound traffic and allow all outbound traffic.

Answer: B

Explanation:

Amazon VPC provides advanced security features such as security groups and network access control lists to enable inbound and outbound filtering at the instance level and subnet level. AWS assigns each security group a unique ID in the form sg-xxxxxxxx. The following are the initial settings for a security group that you create:

Allow no inbound traffic

Allow all outbound traffic

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

181. You are using Amazon SES as an email solution but are unsure of what its limitations are. Which statement below is correct in regard to that?

A. New Amazon SES users who have received production access can send up to 1,000 emails per 24-hour period, at a maximum rate of 10 emails per second.

B. Every Amazon SES sender has the same set of sending limits

C. Sending limits are based on messages rather than on recipients

D. Every Amazon SES sender has a unique set of sending limits

Answer: D

Explanation:

Amazon Simple Email Service (Amazon SES) is a highly scalable and cost-effective email-sending service for businesses and developers. Amazon SES eliminates the complexity and expense of building an in-house email solution or licensing, installing, and operating a third-party email service for this type of email communication. Every Amazon SES sender has a unique set of sending limits, which are calculated by Amazon SES on an ongoing basis:

Sending quota: the maximum number of emails you can send in a 24-hour period.

Maximum send rate: the maximum number of emails you can send per second.

New Amazon SES users who have received production access can send up to 10,000 emails per 24-hour period, at a maximum rate of 5 emails per second. Amazon SES automatically adjusts these limits upward, as long as you send high-quality email. If your existing quota is not adequate for your needs and the system has not automatically increased your quota, you can submit an SES Sending Quota Increase case at any time. Sending limits are based on recipients rather than on messages. You can check your sending limits at any time by using the Amazon SES console.

Note that if your email is detected to be of poor or questionable quality (e.g., high complaint rates, high bounce rates, spam, or abusive content), Amazon SES might temporarily or permanently reduce your permitted send volume, or take other action as AWS deems appropriate.

Reference: https://aws.amazon.com/ses/faqs/

182. Having just set up your first Amazon Virtual Private Cloud (Amazon VPC) network, which defined a default network interface, you decide that you need to create and attach an additional network interface, known as an elastic network interface (ENI), to one of your instances. Which of the following statements is true regarding attaching network interfaces to your instances in your VPC?

A. You can attach 5 ENIs per instance type.

B. You can attach as many ENIs as you want.

C. The number of ENIs you can attach varies by instance type.

D. You can attach 100 ENIs total regardless of instance type.

Answer: C

Explanation:

Each instance in your VPC has a default network interface that is assigned a private IP address from the IP address range of your VPC. You can create and attach an additional network interface, known as an elastic network interface (ENI), to any instance in your VPC. The number of ENIs you can attach varies by instance type.

183. A ______ for a VPC is a collection of subnets (typically private) that you may want to designate for your backend RDS DB Instances.

A. DB Subnet Set

B. RDS Subnet Group

C. DB Subnet Group

D. DB Subnet Collection

Answer: C

Explanation:

DB Subnet Groups are a set of subnets (one per Availability Zone of a particular region) designed for your DB instances that reside in a VPC. They make it easy to manage Multi-AZ deployments as well as the conversion from a Single-AZ to a Multi-AZ one.

Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSVPC.html

184. Amazon Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all availability zones within a region. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits. Which of the following is not an advantage of ELB over an on-premises load balancer?

A. ELB uses a four-tier, key-based architecture for encryption.

B. ELB offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network.

C. ELB takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer.

D. ELB supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections.

Answer: A

Explanation:

Amazon Elastic Load Balancing is used to manage traffic on a fleet of Amazon EC2 instances, distributing traffic to instances across all availability zones within a region. Elastic Load Balancing has all the advantages of an on-premises load balancer, plus several security benefits:

Takes over the encryption and decryption work from the Amazon EC2 instances and manages it centrally on the load balancer.

Offers clients a single point of contact, and can also serve as the first line of defense against attacks on your network.

When used in an Amazon VPC, supports creation and management of security groups associated with your Elastic Load Balancing to provide additional networking and security options.

Supports end-to-end traffic encryption using TLS (previously SSL) on those networks that use secure HTTP (HTTPS) connections. When TLS is used, the TLS server certificate used to terminate client connections can be managed centrally on the load balancer, rather than on every individual instance.

Reference:

http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf

185. You have set up an S3 bucket with a number of images in it and you have decided that you want anybody to be able to access these images, even anonymous users. To accomplish this you create a bucket policy. You will need to use an Amazon S3 bucket policy that specifies a ______ in the principal element, which means anyone can access the bucket.

A. hash tag (#)

B. anonymous user

C. wildcard (*)

D. S3 user

Answer: C

Explanation:

You can use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket. You can then use the generated document to set your bucket policy by using the Amazon S3 console, by a number of third-party tools, or via your application.

You use an Amazon S3 bucket policy that specifies a wildcard (*) in the principal element, which means anyone can access the bucket. With anonymous access, anyone (including users without an AWS account) will be able to access the bucket.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/iam-troubleshooting.html#d0e20565
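Because a wildcard principal opens a bucket to users without any AWS account, a defender usually wants to detect such statements before they reach production. The following added example (not part of the original question set, and not AWS code) parses a bucket policy document and reports every Allow statement whose principal is the wildcard; the two policy documents and the account ID in them are constructed samples.

```python
import json

# Constructed sample policies (not from the page or from AWS documentation).
# The first grants anonymous read access via a wildcard principal; the second
# restricts access to one (fictitious) AWS account.
PUBLIC_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicReadForImages",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-images-bucket/*",
    }],
})

ACCOUNT_ONLY_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountReadForImages",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": "arn:aws:s3:::example-images-bucket/*",
    }],
})


def _as_list(value):
    """Policy fields such as Statement and Action may be a string or a list."""
    return value if isinstance(value, list) else [value]


def is_wildcard_principal(principal) -> bool:
    """True for the two spellings that mean 'anyone': "*" or {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def find_anonymous_statements(policy_json: str) -> list:
    """Return (Sid, actions) for every Allow statement with a wildcard principal.

    Deny statements are skipped: a wildcard principal there restricts access
    rather than opening it. Condition blocks are deliberately not evaluated,
    so a conditioned statement is still reported; review it by hand.
    """
    doc = json.loads(policy_json)
    findings = []
    for stmt in _as_list(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not is_wildcard_principal(stmt.get("Principal")):
            continue
        findings.append((stmt.get("Sid", "<no Sid>"), _as_list(stmt.get("Action", []))))
    return findings


def is_publicly_accessible(policy_json: str) -> bool:
    """Convenience wrapper: does any statement grant access to anyone?"""
    return bool(find_anonymous_statements(policy_json))


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_READ_POLICY), ("account-only", ACCOUNT_ONLY_POLICY)):
        print(name, "->", find_anonymous_statements(policy))
```

The same check can be pointed at the JSON returned by the S3 GetBucketPolicy API call to audit existing buckets.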

186. You have been asked to build AWS infrastructure for disaster recovery for your local applications and within that you should use an AWS Storage Gateway as part of the solution. Which of the following best describes the function of an AWS Storage Gateway?

A. Accelerates transferring large amounts of data between the AWS cloud and portable storage devices.

B. A web service that speeds up distribution of your static and dynamic web content.

C. Connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between your on-premises IT environment and AWS’s storage infrastructure.

D. Is a storage service optimized for infrequently used data, or “cold data.”

Answer: C

Explanation:

AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the Amazon Web Services (AWS) storage infrastructure. You can use the service to store data in the AWS cloud for scalable and cost-effective storage that helps maintain data security. AWS Storage Gateway offers both volume-based and tape-based storage solutions:

Volume gateways: gateway-cached volumes and gateway-stored volumes

Gateway-virtual tape library (VTL)

Reference:

http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_disasterrecovery_07.pdf

187. An organization has a statutory requirement to protect the data at rest for its S3 objects. Which of the options below need not be enabled by the organization to achieve data security?

A. MFA delete for S3 objects

B. Client side encryption

C. Bucket versioning

D. Data replication

Answer: D

Explanation:

AWS S3 provides multiple options to achieve the protection of data at rest. The options include permissions (policy), encryption (client and server side), bucket versioning and MFA-based delete. The user can enable any of these options to achieve data protection. Data replication is an internal facility by AWS where S3 replicates each object across all the Availability Zones, and the organization need not enable it in this case.

Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

188. In Amazon CloudFront, if you use Amazon EC2 instances and other custom origins with CloudFront, it is recommended to ______.

A. not use Elastic Load Balancing

B. restrict Internet communication to private instances while allowing outgoing traffic

C. enable access key rotation for CloudWatch metrics

D. specify the URL of the load balancer for the domain name of your origin server

Answer: D

Explanation:

In Amazon CloudFront, you should use an Elastic Load Balancing load balancer to handle traffic across multiple Amazon EC2 instances and to isolate your application from changes to Amazon EC2 instances. When you create your CloudFront distribution, specify the URL of the load balancer for the domain name of your origin server.

Reference:

http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/CustomOriginBestPractices.html

189. What is the time period with which metric data is sent to CloudWatch when detailed monitoring is enabled on an Amazon EC2 instance?

A. 15 minutes

B. 5 minutes

C. 1 minute

D. 45 seconds

Answer: C

Explanation:

By default, Amazon EC2 metric data is automatically sent to CloudWatch in 5-minute periods. However, you can enable detailed monitoring on an Amazon EC2 instance, which sends data to CloudWatch in 1-minute periods.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-cloudwatch.html

190. A government client needs you to set up secure cryptographic key storage for some of their extremely confidential data. You decide that AWS CloudHSM is the best service for this. However, there seem to be a few pre-requisites before this can happen, one of those being a security group that has certain ports open. Which of the following is correct in regards to those security groups?

A. A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network.

B. A security group that has no ports open to your network.

C. A security group that has only port 3389 (for RDP) open to your network.

D. A security group that has only port 22 (for SSH) open to your network.

Answer: A

Explanation:

AWS CloudHSM provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud. AWS CloudHSM requires the following environment before an HSM appliance can be provisioned:

A virtual private cloud (VPC) in the region where you want the AWS CloudHSM service.

One private subnet (a subnet with no Internet gateway) in the VPC. The HSM appliance is provisioned into this subnet.

One public subnet (a subnet with an Internet gateway attached). The control instances are attached to this subnet.

An AWS Identity and Access Management (IAM) role that delegates access to your AWS resources to AWS CloudHSM.

An EC2 instance, in the same VPC as the HSM appliance, that has the SafeNet client software installed. This instance is referred to as the control instance and is used to connect to and manage the HSM appliance.

A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network. This security group is attached to your control instances so you can access them remotely.

191. Which of the following features are provided by Amazon EC2?

A. Exadata Database Machine, Optimized Storage Management, Flashback Technology, and Data Warehousing

B. Instances, Amazon Machine Images (AMIs), Key Pairs, Amazon EBS Volumes, Firewall, Elastic IP address, Tags, and Virtual Private Clouds (VPCs)

C. Real Application Clusters (RAC), Elasticache Machine Images (EMIs), Data Warehousing, Flashback Technology, Dynamic IP address

D. Exadata Database Machine, Real Application Clusters (RAC), Data Guard, Table and Index Partitioning,and Data Pump Compression

Answer: B

Explanation:

Amazon EC2 provides the following features:

Virtual computing environments, known as instances.

Pre-configured templates for your instances, known as Amazon Machine Images (AMIs), that package the bits you need for your server (including the operating system and additional software).

Various configurations of CPU, memory, storage, and networking capacity for your instances, known as instance types.

Secure login information for your instances using key pairs (AWS stores the public key, and you store the private key in a secure place).

Storage volumes for temporary data that’s deleted when you stop or terminate your instance, known as instance store volumes.

Persistent storage volumes for your data using Amazon Elastic Block Store (Amazon EBS), known as Amazon EBS volumes.

Multiple physical locations for your resources, such as instances and Amazon EBS volumes, known as regions and Availability Zones.

A firewall that enables you to specify the protocols, ports, and source IP ranges that can reach your instances using security groups.

Static IP addresses for dynamic cloud computing, known as Elastic IP addresses.

Metadata, known as tags, that you can create and assign to your Amazon EC2 resources.

Virtual networks you can create that are logically isolated from the rest of the AWS cloud, and that you can optionally connect to your own network, known as virtual private clouds (VPCs).

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html

192. In Amazon Elastic Compute Cloud, which of the following is used for communication between instances in the same network (EC2-Classic or a VPC)?

A. Private IP addresses

B. Elastic IP addresses

C. Static IP addresses

D. Public IP addresses

Answer: A

Explanation:

A private IP address is an IP address that’s not reachable over the Internet. You can use private IP addresses for communication between instances in the same network (EC2-Classic or a VPC).

Reference:

http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-instance-addressing.html

193. A friend tells you he is being charged $100 a month to host his WordPress website, and you tell him you can move it to AWS for him and he will only pay a fraction of that, which makes him very happy. He then tells you he is being charged $50 a month for the domain, which is registered with the same people that set it up, and he asks if it’s possible to move that to AWS as well. You tell him you aren’t sure, but will look into it. Which of the following statements is true in regards to transferring domain names to AWS?

A. You can’t transfer existing domains to AWS.

B. You can transfer existing domains into Amazon Route 53’s management.

C. You can transfer existing domains via AWS Direct Connect.

D. You can transfer existing domains via AWS Import/Export.

Answer: B

Explanation:

With Amazon Route 53, you can create and manage your public DNS records with the AWS Management Console or with an easy-to-use API. If you need a domain name, you can find an available name and register it using Amazon Route 53. You can also transfer existing domains into Amazon Route 53’s management.

Reference: http://aws.amazon.com/route53/

194. Are penetration tests allowed as long as they are limited to the customer’s instances?

A. Yes, they are allowed but only for selected regions.

B. No, they are never allowed.

C. Yes, they are allowed without any permission.

D. Yes, they are allowed but only with approval.

Answer: D

Explanation:

Penetration tests are allowed after obtaining permission from AWS to perform them.

Reference: http://aws.amazon.com/security/penetration-testing/

195. A user has created an ELB with the availability zone US-East-1A. The user wants to add more zones to ELB to achieve High Availability. How can the user add more zones to the existing ELB?

A. The user should stop the ELB and add zones and instances as required

B. The only option is to launch instances in different zones and add to ELB

C. It is not possible to add more zones to the existing ELB

D. The user can add zones on the fly from the AWS console

Answer: D

Explanation:

The user has created an Elastic Load Balancer with the availability zone and wants to add more zones to the existing ELB. The user can do so in two ways:

From the console or CLI, add new zones to the ELB.

Launch instances in a separate AZ and add the instances to the existing ELB.

Reference:

http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-disable-az.html

196. What happens to data on an ephemeral volume of an EBS-backed EC2 instance if it is terminated or if it fails?

A. Data is automatically copied to another volume.

B. The volume snapshot is saved in S3.

C. Data persists.

D. Data is deleted.

Answer: D

Explanation:

Any data on the instance store volumes persists as long as the instance is running, but this data is deleted when the instance is terminated or if it fails (such as if an underlying drive has issues). After an instance store-backed instance fails or terminates, it cannot be restored.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/RootDeviceStorage.html

197. A user is sending bulk emails using AWS SES. The emails are not reaching some of the targeted audience because they are not authorized by the ISPs. How can the user ensure that the emails are all delivered?

A. Send an email using DKIM with SES.

B. Send an email using SMTP with SES.

C. Open a ticket with AWS support to get it authorized with the ISP.

D. Authorize the ISP by sending emails from the development account.

Answer: A

Explanation:

DomainKeys Identified Mail (DKIM) is a standard that allows senders to sign their email messages and ISPs to use those signatures to verify that those messages are legitimate and have not been modified by a third party in transit.

Reference: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/dkim.html

198. In AWS CloudHSM, in addition to the AWS recommendation that you use two or more HSM appliances in a high-availability configuration to prevent the loss of keys and data, you can also perform a remote backup/restore of a Luna SA partition if you have purchased a:

A. Luna Restore HSM.

B. Luna Backup HSM.

C. Luna HSM.

D. Luna SA HSM.

Answer: B

Explanation:

In AWS CloudHSM, you can perform a remote backup/restore of a Luna SA partition if you have purchased a Luna Backup HSM.

Reference:

http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloud-hsm-backup-restore.html

199. A user has launched a large EBS backed EC2 instance in the US-East-1a region. The user wants to achieve Disaster Recovery (DR) for that instance by creating another small instance in Europe. How can the user achieve DR?

A. Copy the instance from the US East region to the EU region

B. Use the “Launch more like this” option to copy the instance from one region to another

C. Copy the running instance using the “Instance Copy” command to the EU region

D. Create an AMI of the instance and copy the AMI to the EU region. Then launch the instance from the EU AMI

Answer: D

Explanation:

To launch an EC2 instance it is required to have an AMI in that region. If the AMI is not available in that region, then create a new AMI or use the copy command to copy the AMI from one region to the other region.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/CopyingAMIs.html

200. AWS Identity and Access Management is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS. In addition to supporting IAM user policies,some services support resource-based permissions. Which of the following services are supported by resource-based permissions?

A. Amazon SNS, and Amazon SQS and AWS Direct Connect.

B. Amazon S3 and Amazon SQS and Amazon ElastiCache.

C. Amazon S3, Amazon SNS, Amazon SQS, Amazon Glacier and Amazon EBS.

D. Amazon Glacier, Amazon SNS, and Amazon CloudWatch

Answer: C

Explanation:

In addition to supporting IAM user policies, some services support resource-based permissions, which let you attach policies to the service’s resources instead of to IAM users or groups. Resource-based permissions are supported by Amazon S3, Amazon SNS, Amazon SQS, Amazon Glacier and Amazon EBS.

Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SpecificProducts.html