AWS Certified Solutions Architect – Associate Objective’s

AWS-BEGGINER

1) AWS S3 is a database service.
False

Explanation
S3 is a storage service.

2) What are some of the common features or services offered by cloud services providers, such as AWS, iCloud, and Dropbox? (Choose three)
Storage, Computing Power, Virtualization

Explanation
Cloud services providers offer many features and services that include, but are lot limited to, storage, computing power, and virtualization. Internet access is not offered by cloud services providers.

3) What are the four primary benefits of using cloud services?
High availability, fault tolerant, scalability and elasticity.

Explanation
Although cost and speed can be benefits of using cloud services, they are not always benefits. Sometimes using cloud services can cost more than using on-premise. High availability, fault tolerant, scalability, and elasticity are benefits in all circumstances.

4) Scalability is the ability of a system to increase AND decrease in size based on demand.
False

Explanation
Scalability is the ability to increase in size as demand increases. Elasticity is term commonly used to describe the ability to both grow AND shrink based on demand.

5) A VPC can be described as your own “private section” of AWS?
True

6) What are common uses of AWS RDS?
Store and access customer account information, Keep a catalog of your company’s inventory

Explanation
Web hosting is a common use of EC2, and mass storage is a common use of S3.

7) What best describes AWS EC2?
A virtual computer used primarily for its processing power.

Explanation
EC2 is not a database or storage service. Also, on-premise server computers are not a part of AWS.

8) AWS regions are groupings of AWS data centers and availability zones that are spread out across the globe.
True

9) In very simple terms, what is the “cloud”?
A computer located somewhere else that you utilize in some fashion.

Explanation
The “cloud” is made up of computers owned by people/organization that lease usage of those computers to others.

10) AWS is a cloud services provider.
True

###############################

1) IAM policies can be directly attached to? (Choose all that apply.)
Roles, Users, Groups

Explanation
IAM policies can be directly attached to IAM roles, users and groups. IAM policies can only be applied to other AWS services (indirectly) through IAM roles.

2) If a user has access to S3 through a group with an S3 policy attached, what happens if that user is removed from the group?
The user no longer has access to S3

3) IAM is where you manage your AWS users and their access to AWS features and services.
True

4) Multi-Factor Authentication (MFA) is an important part of account security that should be set on your “root” account.
True

Explanation
MFA is part of AWS’s best practices for IAM account security.

5) If you want to grant S3 access to an EC2 instance, what should you do?
Create an EC2 Role and attach an S3 access policy to it

Explanation
You can only assign permissions another AWS service through IAM roles (with a policy attached to the role).

############

1) What is the proper structure of AWS Global Infrastructure?
Regions -> Availability Zones -> Data Centers -> AWS Services

2) A VPC is a shared resource between you and many other AWS users.
False
Explanation
A VPC is your private, logically isolated section of AWS.

3) VPC is an abbreviation for:
Virtual Private Cloud

4) An Internet Gateway MUST be attached to a VPC for AWS resources, such as an EC2 instance, to have access to the Internet.
True
Explanation
If a VPC does NOT have an IGW attached, then NO resources inside of the VPC can access the Internet.

5) Route Tables are what direct the flow of traffic between resources within a VPC.
True

6) What is the security layer that allows/denies data from entering or exiting a subnet?
Network Access Control List (NACL)
Explanation
NACLs provide security on the SUBNET level.

7) Availability Zones allow for this type of cloud architecture:
Highly available and fault tolerant architecture
Explanation
By utilizing multiple availability zones, cloud architects can create highly available and fault tolerant architecture.

#############################

1) S3 stands for Simple Storage Solutions.
Correct answer
False
Explanation
S3 stands for Simple Storage Service

2) Which of the following is NOT a storage class?
Correct answer
Quick Access

Explanation
The four S3 storage classes include Standard, Reduced Redundancy, Infrequent Access and Glacier. Quick Access does not exist.

3) An S3 bucket name can have any name and format you like.
Correct answer
False

Explanation
S3 names must be unique across all AWS accounts worldwide, and must follow specific naming rules.

4) What is the S3 feature that allows to you store and access older iterations of objects?
Correct answer
Versioning

Explanation
If versioning is enabled, S3 will keep track of and store older versions of a file each time a newer version is uploaded.

5) S3 is a bulk storage service where you can store any type of file.
Correct answer
True

6) By setting proper permissions on the object level, you can allow the public to download the object via a URL.
Correct answer
True

7) What feature MUST be used to change an object’s storage class to Glacier?
Correct answer
Lifecycles

Explanation
The only way to set an objects storage class to Glacier is through object lifecycles.

8) If you have an object that is easily reproducible and must be quickly accessible, what would be the best storage class to use for it?
Correct answer
Reduced Redundancy

Explanation
You should only use Reduced Redundancy for objects that are easily reproducible due to it’s lower durability rating. As a trade-off, it is a cheaper storage class than standard.

#################

1) Security Groups allow you to set both allow AND deny rules.
False
Explanation
You can only configure ALLOW rules for security groups. If there is not an explicit allow rules for a certain traffic type, then that traffic type will be denied.

2) Which of the following is NOT a component of EC2?
Screen resolution
Explanation
When launching an EC2 instance, you need to select the AMI, Storage and Instance Type. Screen resolution is NOT something you choose.

3) Public IP addresses are assigned to every EC2 instance by default, and Private IP addresses are optional and must be manually configured.
False
Explanation
Every EC2 instance is automatically assigned a private IP address. Public IP addresses are optional, but are required for direct Internet access.

4) EBS Volumes are your instances processing power (CPU).
False
Explanation
EBS volumes are the instances storage (hard drive).

5) What best describes IOPS?
Read/write performance of storage volumes, Input/output operations per second
Explanation
IOPS stand for Input/output operations per second and are a measure of a storage volume’s read/write performance.

6) If you were to remove the route to the IGW from a route table, what would happen to traffic inside the VPC?
Traffic could be sent between EC2 instances inside the VPC but would not reach the Internet
Explanation
Through the route table, resources inside of the VPC can always communicate with each other. However, the route table MUST have a designated route to the IGW for there to be Internet access.

7) Which of the following best describes an AMI?
A prepreconfigured package that provides the information required to launch an EC2 instance

8) EC2 stands for Elastic Compute Cloud.
True

#############################

1) What best describes the difference between RDS and DynamoDB?
RDS databases store data in tables using columns and rows, while DynamoDB stores data in JSON-like, name-value documents.

2) RDS stand for Relational Database Service.
True

3) Which of the following are SQL database engines?
MySQL, Amazon Aurora

Explanation
Amazon Aurora and MySQL are RDS/SQL database engines. DynamoDB is a NoSQL database offering, which are NOT SQL database engines.

4) What term describes the practice of using SSH to access a resource without a public IP address via a resource with a public IP address (inside of a VPC)?
SSH tunneling

5) Amazon RDS databases do not have a GUI in the AWS console.
True

Explanation
To access/use an RDS database, you need to log in to the database using third party SQL software.

6) Amazon Aurora offers free tier usage.
False

Explanation
There are free tier options available for all other RDS engines and DynamoDB, but not for Aurora.

###################################

1) SNS stand for Super Notification Service.
False

Explanation
SNS Stands for Simple Notification Service.

2) What are two primary use cases of SNS?
To notify the AWS account owner when current monthly billings reach a certain amount, To alert a system admin of an EC2 failure

3) Subscribers can consist of HTTP, SMS and email endpoints.
True

4) What best describes the definition of SNS?
SNS allows you to automate the sending of email and text messages, based on events that happen in your AWS account.

5) What are the three main components of SNS?
Topics, subscriber and publishers

##################

1) CloudWatch is a service that allows you to send messages from one resource to another, within a VPC.
False
Explanation
CloudWatch is a service that allows you to monitor various metrics inside your AWS account.

2) CloudWatch alarms are based on thresholds you create for specific CloudWatch metrics.
True

3) What are the three states of a CloudWatch alarm?
Alarm, insufficient data, ok

Explanation
At any given time, a CloudWatch Alarm can be in one of three states. “Alarm” if the threshold you set has been triggered, “Ok” if the threshold you set has not been triggered, and “insufficient data” if an alarm hasn’t yet (or can’t) retrieve the required data to determine if the threshold has been triggered (or not).

4) Which of the following is a commonly used CloudWatch metric.
CPU utilization

Explanation
CPU utilization is a great metric to measure how much of your EC2 instances’ compute capacity is being used.

5) CloudWatch alarms can trigger SNS topics.
True

##############################################

1) ELB stands for Elastic Load Balancer?
True

2) Even if you are only using one EC2 instance to run an application, you should still use an ELB.
False

Explanation
Using an ELB with only one EC2 instance would provide NO additional benefit, and you would be charged money for using it.

3) If you are using an ELB to serve web traffic to EC2 instances, what traffic MUST be allowed on the ELB’s security group, while also maintaining AWS security best practices?
HTTP/Port 80

Explanation
All Traffic/All Ports would work as it will allow HTTP traffic over port 80, but AWS best practices requires that you ONLY allow the LEAST amount of traffic types to meet the needs of your application. Therefore, HTTP/Port 80 is the only answer that satisfies the requirements.

4) What best describes the purpose of an ELB?
To evenly distribute traffic between EC2 instances

Explanation
An ELB’s main purpose is to evenly distribute traffic between EC2 instances. An ELB can detect an unhealthy instance and divert traffic from it, but it cannot terminate an EC2 instance.

5) Health checks are required so that the ELB does not serve traffic to an unhealthy EC2 instance.
True

########################################

1) Auto Scaling is used as a security feature in AWS.
False

Explanation
Auto Scaling is not an AWS security feature.

2) Auto Scaling is the process of scaling up and scaling down the number of EC2 instances based on traffic demands.
True

3) What best describes how you are charged for using Auto Scaling?
Auto Scaling is free to use, but you are responsible to pay for any AWS resources that Auto Scaling provisions

4) Which is NOT a benefit of auto scaling?
Sending messages

Explanation
Auto scaling provides automation that contributes to highly available and fault tolerant architecture. Auto scaling is not used to send messages (you are thinking of SNS).

5) What are the main two components of Auto Scaling?
Launch configuration and Auto Scaling group

#############################

1) A web browser only needs the common language domain name to locate a web server on the Internet.
False

Explanation
A web browser must have the IP address of a web server to locate it on the Internet.

2) When you type a domain name (linuxacademy.com) into a web browser, what best describes the process that occurs to deliver the website content back to the browser?
The browser sends a request to a DNS server asking for the IP address associated with the domain name.

Explanation
For a web browsers to request data from a web server, it must know the IP address of the web server. If given a domain name (instead of an IP address), the browser “asks” a DNS server to translate the web domain into it’s IP address.

3) DNS servers are used to translate common language web domains into IP addresses.
True

4) What best describes Route 53?
A service to register domains and configure DNS records

Explanation
Route 53 is the AWS service for managing domain names and DNS record sets.

5) In a highly available and fault tolerant architecture with multiple EC2 instances hosting a website, what is the purpose of Route 53?
To populate external DNS servers with domain/IP address information AND to route incoming traffic to the ELB.

Explanation
Route 53 automatically sends your DNS record information to DNS servers AND it is also where you decide where traffic request for that domain/IP address are routed.

#####################################

1) AWS Lambda is a server-specific compute platform.
False

Explanation
Lambda is a serverless compute platform. EC2 would be an example of a server-specific platform.

2) What are the current languages that Lambda supports?
Node.js, Java, C#, and Python

Explanation
Lambda currently supports Node.js, Java, C# and Python!

3) When using Lambda, you are charged for use even when your code is NOT running.
False

Explanation
You are only charged (by the millisecond) for how long it takes you code to run each time it is executed.

4) What AWS service will Lambda eventually replace?
EC2

5) What are the two primary ways you are charged for using Lambda?
Execution requests and execution duration

Explanation
The two primary ways you are charged for using Lambda are the number of time your code is executed (execution request), and how long it takes for your code to execute (execution duration).

######################################

1) Each Availability Zone can house one or more AWS data centers.
True

Explanation
Each Availability Zone has at least one AWS data center and sometimes up to 5 or 6 data centers.

2) As a Solutions Architect, you should alway strive to meet AWS best practices.
True

Explanation
Following AWS best practices guidelines is a very important part of learning to be and being a CSA.

3) What are the two primary ways that AWS users interface with AWS?
AWS CLI, AWS Console

Explanation
AWS IRC and AWS OPP do not exist.

4) What are the main benefits of AWS regions? (select two)
Regions allow you to place AWS resources in the area of the world closest to your customers who access those resources., Regions allow you to design applications to conform to specific laws and regulations for specific parts of the world.

Explanation
Regions are groupings of AWS resources that are located all around the world. This allows for you, as the architect, to provision AWS resources in areas of the world that make sense for your application needs and to where you are serving traffic. In addition, certain companies may be subject to government rules and regulations that require data to be stored in a certain location. AWS services and pricing will vary from region to region.

5) What best describes the concept of elasticity?
The ability of a system to increase and decrease in size.

Explanation
Elasticity is defined as the ability to both increase and decrease. In architecting applications, this usually refers to the ability of an application to increase and decrease server capacity on demand.

6) Besides regions and their included availability zones, which of the following is another “regional” data center location used for content distribution?
Edge Location

Explanation
An edge location is an AWS data center that is primarily used for content delivery. There are edge locations located in multiple a countries around the world.

7) Availability Zones work together, across regions, to allow for highly available and fault tolerant applications.
False

Explanation
Availability zones do NOT span across regions. Availability zones DO provide for highly available and fault tolerant architecture – but an AZ is contained within a region.

8) What are the benefits of an Availability Zone? (choose two)
Each availability zone is isolated from each other so ensure fault tolerance., Availability Zones have direct, low latency connections to each other.

Explanation
Availability Zones are isolated from each other within each specific region to endure a natural disaster or some other outage and work together via across low latency connections.

9) Fault tolerance is a system ability to continue to operate even when one of it’s components fail.
True

Explanation
A fault tolerant system is one where one or several components can fail but still maintain availability.

10) What best describes the concept of high availability?
A durable system that can operate for long periods of time without failure.

Explanation
High availability refers to a system that has been tested to be durable and to have its components highly or always available to its users.

#############################3

1) API Access Keys are required to make programmatic call to AWS from which of the following?
AWS CLI, Windows PowerShell, Direct HTTP call using the API

Explanation
If you are logged in to the AWS console and managing AWS resources that way, you do not need API keys. API keys are needed when working “programmatically” through CLI, PowerShell, Direct HTTP calls, and SDK API access.

2) What are the main benefits of IAM groups? (select two)
Assign IAM permission policies to more than one user at a time., Easier user/policy management.

Explanation
Assign IAM permission policies to more than one user at a time and easier user/policy management are two primary benefits of using IAM groups. Allow for EC2 instances to gain access to S3 is the purpose of Roles, not Groups, and creating policies is not part of the groups feature.

3) With IAM access policies, an explicit ALLOW always overrides an explicit DENY.
False

Explanation
If an IAM access policy has both an allow rule and a deny rule for the same service, the DENY rule will supersede the allow rule.

4) By default, when an IAM user is created, it has an non-explicit “deny” for all AWS services.
True

Explanation
When a new IAM user is created, that user has NO access to any AWS services. This is called a non-explicit “deny”. For that user, access must be explicitly allowed via IAM permission and access policies.

5) Best practice is to NEVER store or pass IAM credentials to an EC2 instance.
True

Explanation
For best security practice, you should never store or pass IAM credentials to an EC2 instance.

6) What best describes the “Principal of Least Privilege”?
Users should be granted permission to access only resources they need to do their assigned job.

Explanation
“Principal of Least Privilege” is viewed as a security best practice by only allowing for user to have the exact amount of access they need to do their job.

7) What best describes an IAM role?
A role is something that another entity can “assume.”

Explanation
A role is something that another entity can “assume” – where the entity is another AWS resource like an EC2 instance. AWS resources cannot have permission polices directly applied to them, so to access another resource they must “assume” a role and gain permissions assigned to the role.

8) The common use for IAM is to manage what? (choose all that apply)
Multi-Factor Authentication, Roles, API Keys

Explanation
IAM is used to manage users and their access to AWS, and AWS service, as well as access for one AWS resource to another. Including: Users Groups Roles Access Policies API Keys Password Polices Multi-Factor Authentication

9) Only one IAM policy can be attached to a user at a time.
False

Explanation
IAM user can have many IAM permission policies attached to them at the same time. Either directly attached or through groups.

10) Which of the following is NOT required as part of AWS’s suggested “best practices” for new accounts.
Give all users admin access

Explanation
Giving all users admin access would be considered against best practices.

#####################

1) If data is traveling from a customer, over the open Internet, to a web site you are hosting on and EC2 instance in an AWS VPC, what is the order of components that data will travel through?
IGW -> Route Table -> NACL -> Subnet -> Security Group -> EC2 Instance

Explanation
As traffic comes into the VPC from the open Internet, it first must be passed through an IGW. A route table will then direct traffic to the subnet that the instance is located in. However, before the traffic can enter the subnet, it must pass through the NACL protecting the subnet. Once inside the subnet, the date must pass through another security layer (the Security Group) before finally reaching the EC2 instance.

2) What best describes an AWS VPC?
An AWS VPC closely resembles a traditional on-premise network, with the benefit of AWS infrastructure.

Explanation
AWS VPCs were designed to make the transition from using an on-premise data center to the cloud very easy. In doing so, VPC were organized to resemble on-premise data centers while also providing the benefits of using AWS infrastructure. You do not have order or set up any of your own hardware, and it is also important to note that a VPC must be contained within only ONE AWS region.

3) A VPC can have up to 5 Internet Gateways attached at any given time.
False

Explanation
An VPC can only have ONE IGW attached at a time.

4) Private subnets are associated with a route table that has an IGW attached, and public subnets are associated with a route table that does not have an IGW attached.
False

Explanation
It is the exact opposite. For a subnet to be considered public, it must have a route to the Internet. Having a route to the Internet means that it must be associated with a route table that points to the IGW.

5) All subnets, regardless of being public or private, can communicate with each other inside of a VPC.
True

Explanation
Since each route table as a local target with the destination of the VPCs CIDR block range, all subnets within a VPC can communicate with each other.

6) In the default VPC, all subnets have a route to the Internet.
True

Explanation
By default, the default VPC’s subnets are all associated with a route table that has an Internet Gateway attached.

7) An AWS VPC offers which of the following benefits? (select three)
The ability to have both public and private subnets, Ability to extend your on-premise network to the cloud via VPN, Provides a DNS server for your VPC

Explanation
Managing user access rights is handled by IAM, not VPCs.

8) NACLs are stateless, and security groups are stateful.
True

Explanation
NACLs are stateless, which means that return request traffic must have an allow rule set up for that return traffic to enter or leave the subnet. Security groups are stateful, which means that return request traffic does not need an allow rule set up for that return traffic to enter or leave the security group.

9) What are the two layers of security provided by AWS in the VPC?
Security Groups and NACLs

Explanation
Security Groups and NACLs are the two parts of the VPC Security Layers. Security Groups are a firewall on the instance level, and NACLs are a firewall on the subnet Level.

10) What best describes how NACLs rules work?
Rules are evaluated by rule number, from lowest to highest, and executed immediately when a matching allow/deny rule is found.

Explanation
NACL rules are evaluated from lowest rule number to highest rule number. In addition, as rules are being evaluated, if a matching allow/deny rule is found, it is immediately executed. Meaning that if you have both an allow rule and a deny rule for the same type of traffic, the rule with the lower rule number will be executed and the other will be ignored.

####################################################################################

1) What happens to data stored on an instance store volume when an EC2 instance is stopped or shutdown?
The data will be deleted

Explanation
Since instance store volumes are ephemeral, data will NOT be persistent and WILL be deleted is the instance is stopped or shut down.

2) IOPS are measured in what size “chunks?”
256KB

Explanation
IOPS are measures in chucks of 256KB or smaller.

3) What best describes how EBS snapshots work?
Only a volume’s first snapshot will store the entire volume. Each subsequent snapshot will only store the changes from the last snapshot.

4) If you are designing an application that requires fast (10Gbps), low-latency connections between EC2 instances, what EC2 feature should you use?
Placement groups are a clustering of EC2 instances in one availability zone with fast (10Gbps) connections between them. This service has been created and used for applications that need extremely low-latency connections between instances.

5) If you are running a legacy application that has hard coded static IP addresses and is running on an EC2 instance, what is the best failover solution that allows you to keep the same IP address on a new instance?
Elastic IP address

Explanation
Elastic IP addresses (EIPs) are designed to be attached/detached and moved from one EC2 instance to another. They are a great solution for keeping a static IP address and moving it to a new instance if the current instance fails. This will reduce or eliminate any downtime uses may experience.

6) You are a Solutions Architect and your company is interested in moving some workload to AWS. You are concerned that it will be very challenging to manage and control all of the EC2 servers that will need to be deployed. Specifically, how to insure that fellow employees are installing the company approved operating system version, with the right libraries and runtimes, and with the proper configuration settings. What EC2 feature will best allow you to control this?
You can have a company policy stipulating that any new instance must be launched using a custom Amazon Machine Image (AMI) which specifies exactly which software and associated settings you want to have installed on every new EC2 instance.

Explanation
AMIs are what dictate the instances operating system and other software settings. You can customize the instance that you launch from a public AMI and then save that configuration as a custom AMI. Your company policy can then stipulate that all EC2 instances must be launched using only your custom AMI.

Further Reading
https://linuxacademy.com/cp/courses/lesson/course/1002/lesson/3/module/119

7) You work in the IT department of a Fortune 500 financial services company. Your company has hundreds of servers and also uses VMware for certain applications. You happened to run into one of the senior directors in the hallway today and she told you that she had just read an article on cloud computing that mentioned EC2 instances and was wondering what that was. What would be the best analogy to use in explaining to her what EC2 is?
EC2 is analogous to our internal VMware environment and provides companies with virtual servers that run in the cloud
EC2 is AWS’ virtual server service. Since these are “virtual” servers – they mimic (or similarly resemble) on premise servers running VMware.
8) Your company has been thinking about moving it’s networking resources over to AWS. Your boss is particularly interested in the AWS shared responsibility model, as it will allow him to offload some traditional responsibilities to AWS. He says that he is happy that AWS will now handle the following responsibilities listed below. However, you know that he is wrong and that AWS does not handle all of them as part of the shared responsibility model. Which of the following four (4) items do you need to tell him are not handled by AWS?

Security Groups, Applying an SSL Certificate to an ELB, Installation of custom firewall software

Explanation
In the shared responsibility model, AWS is responsible for DDOS protection, port scanning protection, and ingress network filtering. You are responsible for managing Security Groups, Applying an SSL Certificate to an ELB, and Installation of custom firewall software.

9) An Amazon Machine Image (AMI) is what details the virtual hardware specifications of the EC2 instance.
False

Explanation
AMIs are what dictate the instances operating system and other software settings. It is the “instance type” which determines the instances virtual hardware.

10) What command should you run if you want to view an instance’s user-data?
curl http://169.254.169.254/latest/user-data

Explanation
You must use the curl command and have the proper IP address in the command.

11) If you are running an application in a production environment and must add a new EBS volume with data from a snapshot, what should you do to avoid degraded performance during the volume’s first use?
Initialize the data by readying each storage block on the volume

Explanation
Volumes created from an EBS snapshot must be initialized. Initializing occurs the first time a storage block on the volume is read – and the performance impact can be impacted by up to 50%. You can avoid this impact in production environments by manually reading all the blocks.

12) What best describes the characteristics of EBS volumes?
They are persistent and can live past the lifetime of the instance

Explanation
EBS volumes are network-attached, persistent storage volumes. They are designed to live past the life of an EC2 instance and be attached/detached at will.

13) A key pair is a combination of a public and private key that is used for authenticating users when logging into an EC2 instance.
True

Explanation
The public key pair is stored on the instance, and the private key is given to you when the instance is created.

1) What happens when an EC2 instance that is being served traffic from an ELB becomes unhealthy?
The ELB will stop serving traffic to it and divert it’s traffic to a healthy instance.

Explanation
The ELB will stop serving traffic to it and divert it’s traffic to a healthy instance – as this is all it can do. It is Auto Scaling which can take an unhealthy instance, terminate it, and replace it with a new instance.

2) If you want to create architecture that meets the minimum requirement for high availability and fault tolerance, which option would you choose?
An ELB distributing traffic to an Auto Scaling group that has a minimum of two instances that are located in separate Availability Zones.

Explanation
Having a minimum of two instances is required in case of them fails and is no longer “available.” Two AZs are required in case of one of them fails and is no longer “available.” Auto Scaling is required so that failed instance will be automatically terminated and replaced with healthy instance OR to increase the amount of instances if demand increases. (improving availability and fault tolerance).

3) What is the proper solution you should enact to prevent your application from crashing due to a sudden increase in demand?
Auto Scaling

Explanation
Auto Scaling is what provides your architecture with the ability to automate the process of adding more instances to avoid crashes (if the case of sudden increase in demand). Scaling polices are PART of Auto Scaling but are not the overall solution.

4) An SSL certificate can be applied to an ELB.
True

Explanation
You can apply an SSL certificate to an ELB and have that as the central point for your secure connection before passing the traffics onto subsequent EC2 instances.

5) What best describes the purpose of an Elastic Load Balancer?
To evenly distribute traffic among multiple EC2 instances in separate Availability Zones.

Explanation
An ELB is used BEST when it is distributing traffic to EC2 instances located in separate Availability Zones. This provides for higher availability and is more fault tolerant than distributing traffic to EC2 instances in the same AZ.

6) Elasticity is a primary benefit of using Auto Scaling.
True

Explanation
Auto Scaling provides elasticity to your architecture by automating the process of easily scaling up OR down the number of instances being used by your application.

7) If your application is continually crashing due to high demand, you should make sure the Elastic Load Balancer has the proper scaling polices for adding new instances when needed.
False

Explanation
Is it Auto Scaling that contains scaling policies (which dictate the cloudwatch thresholds for adding/removing instances)

8) What are the two main components of AWS Auto Scaling?
Launch configuration and Auto Scaling groups

Explanation
A launch configuration is an EC2 template that will be used by the Auto Scaling group. The Auto Scaling group holds the rules that govern when instances will be provisioned or terminated.

9) An ELB can serve traffic instances located inside a private subnet.
True

Explanation
Placing instances in a private subnet creates a higher level of security for the data stored on them. By using an ELB, the ELB can take public traffic from the open Internet and route into private subnets (and back out).

10) What best describes a scaling policy?
A set of CloudWatch metric thresholds that dictate when to add or remove instances from the Auto Scaling group.

Explanation
Scaling policies belong to the Auto Scaling group. The policies themselves dictate (via chosen CloudWatch metrics thresholds) when instances should be added or removed.

1) You have provisioned several EC2 instances into private subnets; however, you now have the problem of not being able to download any new software packages or updates. Which if of the following provides the best solution?
Create a NAT Gateway in a public subnet and create a route to it in the route table associated with the private subnets.

Explanation
A NAT gateway provides the most secure solution for granting EC2 instances in private subnet the ability to download software packages. However, the NAT gateway MUST be placed in a public subnet, and a route to it must be created in the route table associated with the private subnets.

2) What best describes the difference between a bastion host and a NAT gateway?
A bastion host is used is used as a “gateway” for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet.

Explanation
A bastion host is used is used as a “gateway” for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet. A NAT does provide protection for instances in a private subnet, but its primary goal is to allow instances in the private subnet a route to the Internet (to download software packages).

3) A NAT Gateway will only allow return traffic if that traffic has been specifically asked for by an internal resource.
True

Explanation
A NAT Gateway will not allow any unsolicited traffic through. All traffic that passes through it MUST have been asked for by a resource inside the VPC.

4) What are two primary requirements of a NAT Gateway (or NAT instance)?
A NAT gateway must be provisioned into a public subnet, and it must part of the private subnet’s route table.

Explanation
A NAT gateway must be provisioned into a public subnet (so that it has a route to the internet), and it must part of the private subnets route table (so that the private instances have a route to the NAT gateway). A NAT gateway does not require a bastion host to work (but can be used in combination).

5) You work for a company that has been experiencing attacks on its network. Management has asked that your design a solution that will provide increased security for EC2 instances containing sensitive data, while still allowing employees to access the data when needed. Which of the following suggestions is best?
Place the EC2 instances into private subnets, and set up a bastion host so employees can access them.

Explanation
Placing EC2 instances into private subnets is a great way to increase their security, since they will no longer be directly accessible from any host outside of the VPC. Adding a bastion host to the architecture will allow authorized users to gain access to the internal resources (instances in private subnets) while providing an additional “hardened” layer of security.

1) If you have an EBS volume in Availability Zone us-east-1d and you want to attach it to an EC2 instance in Availability Zone us-east-1a, what procedure should you follow?
Create a snapshot of the volume in us-east-1d. Then create a new volume from the snapshot, choosing to place it in us-east-1a. Then attach the new volume to the instance.

Explanation
EBS volumes cannot be used across Availability Zones; however, since snapshots are stored in S3, new volumes can be created from a snapshot and placed into any Availability Zone.

2) You have an application currently running on five EC2 instances as part of an Auto Scaling group. For the past 30 minutes all five instances have been running at 100 CPUUtilization; however, the Auto Scaling group has not added any more instances to the group. What is the most likely cause? (choose two)
The Auto Scaling group’s MAX size is set at five., You already have 20 on-demand instances running.

Explanation
The number of instances in an Auto Scaling group cannot exceed its set MAX limit, regardless of scale-up policies. Also, unless you request an increase from AWS, you cannot have more than 20 on-demand instances running at one time.

3) If traffic is being blocked from entering a subnet, the issue is most likely with the security group.
False

Explanation
NACLS are the security layer for a subnet (not security groups)

4) If you are unable to download software packages to an EC2 instance, that means you have definitely provisioned it in a private subnet.
False

Explanation
There can be many reasons why you cannot download software packages besides the instance being provisioned in a private subnet. For example, creating an instance without a public IP address or not having the proper ports open on the security group can cause issues downloading software.

5) You keep getting an error why you try to attach an IGW to a VPC. What is the most likely cause of the error?
An IGW is already attached to the VPC.

Explanation
A VPC can only have one IGW attached to it at a time.

6) You cannot peer two VPC that located in different AWS regions.
True

Explanation
VPC must be in the same region if you with to peer them.

7) You are running an analysis on traffic that is accessing your web application. However, you notice that the IP address for every visitor is the IP address of the Elastic Load Balancer. How should fix this problem so that the logs reflect the IP address of the originating host?
Enable access logs on the ELB and store them in an S3 bucket.

8) You are using a T2 instance type and are starting to notice that most of the time your application is running very slow. What would be an appropriate course of action?
Move the application to a large instance type.

Explanation
T2 instance types rely on “burstable” CPU credits for processing power. If you application is constantly using all the CPU credits, then you may experience slow downs when you run out of credits. The solution to this would be to move the application to an instance running a large instance type.

9) You have an ELB distributing traffic a fleet of EC2 instances inside your VPC, evenly spread across two Availability Zones. However, you realize that only half of our instances are actually receiving traffic. What is the most likely cause of this problem?
Cross-zone load balancing has not been enabled.

Explanation
Cross-zone load balancing must be enabled for it to serve traffic to more than one availability zone. All the other answers would affect more than half the fleet of instances or not affect them at all.

10) You have just provisioned a fleet of EC2 instances and realized that none of them have a public IP address. What settings would need to be changed for the next fleet of instances to be created with public IP addresses?
Modify the auto-assign public IP setting on the subnet.

Explanation
The auto assigning of IP addresses resides in the settings of the SUBNET you are provisioning the instances in. By default, new subnets have auto-assign IP addresses disabled.

1) You are currently running an application on AWS that host customers’ photo albums. For each main photo uploaded, your application generates a thumbnail for use in the mobile version of the application. What is the most cost effective storage solution, while also providing the highest level of availability and durability?
Use the standard storage class for the main photos and the reduced redundancy storage class for the thumbnails.

Explanation
Since the customers’ main photos cannot be reproduced, storing them in the standard storage class will provide the highest level of availability and durability. The thumbnails can be easily reproduced from the main photos, so you can store them in reduced redundancy storage, which how lower durability – but is cheaper than standard.

2) Your company has petebytes of data that it wants to move from their on-premise network to AWS. What AWS solution should you use?
AWS Snowball

Explanation
Snowball is a service provided by AWS for moving extremely large (petabytes) of data into AWS.

3) S3 can be used as an option for lost-cost, reliable web hosting for dynamic web sites.
False

Explanation
S3 can be used as an option for lost-cost, reliable web hosting for STATIC (not dynamic) web sites.

4) What is the object durability and availability advertised by AWS for their S3 standard storage service?
Durability of 99.999999999% and availability of 99.99%

Explanation
S3 standard storage class is advertised as having object durability of 99.999999999% (known as 11 nines) and availability of 99.99%

5) The S3 infrequent access (S3-IA) storage class has object durability of 99.999999999% and availability of 99.90%
True

Explanation
S3-IA has the same durability as S3-standard but has a slightly slower availability since these objects are expected to be accessed much less frequently.

6) If need to upload a file to S3 that is 500MB in size., what data transit option should you use?
Multi-part upload

Explanation
Multi-part upload should be used uploading any file over 100MB in size (up to 5GB in size). Single operation upload cloud be used but is not recommended. Import/export and Snowball are used for datasets that are larger than 5GB.

7) All S3 buckets are private by default.
True

8) What best describes what occurs when you suspend object versioning?
All existing objects retain their current and past versions, and no new versions are created when updated object are uploaded.

Explanation
When you suspend versioning, S3 retains all current and existing past versions. However, all new objects will overwrite the existing current version. No new versions will be created.

9) You work for a hospital that is required to store patient’s medical records for a minimum of 10 years. Most of these records will never be accessed but must be made available upon request (within a few hours). What is the most cost-effective storage option?
Glacier

Explanation
Glacier is AWS solution for archival storage, which is designed for long-term storage of data that is very rarely accessed.

10) Through what process are objects moved from the standard storage class to Glacier?
Lifecycle policies

Explanation
Objects uploaded and stored using the standard storage class must use lifecycles to move them to Glacier.

1) Which of the following is NOT a distributed framework supported by EMR?
ElasticMappings

Explanation
EMR is a service which deploys out EC2 instances based off the Hadoop framework, and also supports Apache Spark, HBase, Presto and Flink.

2) A Kinesis consumer can include AWS services such as Redshift and S3.
True

Explanation
Consumers can include Redshift and S3, but also other services like DynamoDB OR a real-time dashboard/kinesis enabled app.

3) In EMR, data mapped to a cluster of master/slave nodes for processing.
True

4) EMR allows you to access the underlining operating system?
True

5) In what two scenarios would you want to use AWS Kinesis?
Mobile data capture., Capturing gaming data.

Explanation
Kinesis is great for collecting gaming data, such as player actions – AND capturing data from IoT sensors and mobile devices.

6) What is the purpose of a Kinesis producer?
To collect and send data into a Kinesis stream.

Explanation
Kinesis producers include things like IoT sensors and mobile devices that collect data and send it into the Kinesis stream.

7) If you want to process data in real-time, what AWS service should you use.
Kinesis

Explanation
Kinesis is AWS’ service for processing data in real-time, and outputting it to a dashboard or other AWS services.

8) If your Kinesis stream needs additional processing power, what component will you need to add more of?
Shards

Explanation
You can scale out a Kinesis stream by adding more “shards”.

1) An alias record set contains a pointer to an AWS-specific resource.
True

Explanation
An alias record set contains a point to an AWS-specific resource and is used to direct traffic to ELBs, CF distributions, and S3 buckets.

2) If you want to point a domain name to an AWS elastic load balancer in Route 53, how would you need to configure the record set?
Alias with a type “A” record set

Explanation
You will need to configure the record set as a type “A” alias. An alias allows you to point the domain to an AWS-specific endpoint, such as an ELB, Cloudfront distribution, or S3 bucket (as opposed to just an IPv4 IP address).

3) A CloudFront origin is the source of the object, and an edge location is where the object is cached.
True

4) What is a main benefit of using a CloudFront distribution?
Reduces load on your applications resources

Explanation
Once an object is cached at an edge location, all other requests for that object will be handled by the edge location, not your application. This can significantly reduce the amount of times your resources are hit.

5) What is an absolute rule when using an S3 bucket for Route 53 DNS failover?
The S3 bucket must be the same as the domain name

Explanation
To use an S3 bucket for Route 53 DNS failover, the bucket name must match the domain name.

6) You have set up a CloudFront distribution but find that instead of each edge location serving up objects that should be cached, your application’s origins are being hit for each request. What could be a possible cause of this behavior?
The cache expiration time is set to zero

Explanation
If the cache expiration time is not set (or set to zero), then CF will not cache objects at the edge location. This will prompt the behavior where the edge location will have to request the same object from the origin for reach request.

7) CloudFront caching is based off of the object’s file type.
False

Explanation
CloudFront caching is based off of the object’s file name (not it’s type).

8) You are migrating your existing web application from your on-premise data center to the AWS cloud. As part of testing your AWS infrastructure, you only want to have 20% of traffic to hit AWS resources and the other 80% to hit your on-premise resources. What record set routing policy should you choose to accomplish this?
Weighted

Explanation
A weighted routing policy allows for “manual” load balancing between different endpoints.

9) A public hosted zone should be used for routing traffic within a VPC, and a private hosted zone should be used for routing Internet traffic for a domain.
False

Explanation
The opposite is true: A public hosted zone should be used for routing Internet traffic for a domain. , and a private hosted zone should be used for routing traffic within a VPC.

10) Your CloudFront distribution is performing well, but you are still getting too many request at the origin locations. What could be one way to increase CloudFront performance?
Increase the cache expiration time

Explanation
If your cache expiration times are too short, you may have request from the edge location to the origin occurring when they are not required. If you increase the cache expiration date, you should experience less hits to the origin.

1) You have set up an AWS Direct Connect connection for your company but still want to create a backup solution in case the Direct Connect connections fails. What solution should use as the backup?
AWS virtual private network

Explanation
A virtual private network is a great backup solution for AWS direct connect. A virtual private network provides the same access, just with fewer benefits.

2) You cannot have an Internet gateway and a virtual private gateway attached to a VPC at the same time. A VPC either needs to be set up for public or private use.
False

Explanation
A VPC can have both an IGW and a VPG attached at the same time (but only one of each).

3) VPC peering does not allow transitive connections.
True

4) What two components are required to establish a VPN connection?
Virtual Private Gateway and Customer Gateway

Explanation
The VPG and Customer Gateway are the two “connectors” on both sides of the VPN connection (and both are required).

5) An AWS VPN connection does not have built in redundancy.
False

Explanation
An AWS VPC connection automatically has two parallel IPsec tunnels for redundancy

6) If you need a dedicated, low latency connection to AWS from your on-premises data center, what solution should you choose?
AWS Direct Connect

Explanation
AWS Direct Connect is a service that provides a dedicated network connection between your data center and one of AWS’s Direct Connect locations. One of the main benefits of Direct Connect is a low-latency connection.

7) You can peer VPCs that are in two separate accounts and in two different AWS regions.
False

Explanation
You can peer VPCs that are in two different AWS accounts, but they must be in the same region.

8) You are trying to establish a VPC peering connection but are having difficulties locating the other VPC. What is most likely the cause?
The other VPC is in a different region

Explanation
For a VPC peering connection to be established, both VPCs must be in the same region.

9) If AWS asks you to configure the connection between your on-premise data center and a Direct Connect Authorized Provider, what would you be configuring?
The cross-network connection

Explanation
The cross-network connection is the connection between your on-premise data center and the Direct Connect Authorized Provider.

10) You have been asked to set up architecture that extends the AWS VPC to your company’s on-premise data center. What do you need to set up to accomplish this?
Virtual Private Network

Explanation
You will need to set up and configure a virtual private network. A VPN is what allows you to extend subnets in side your VPC to your on-premise data center.

11) What best describes a Customer Gateway?
An on-premises, physical device that acts as the “connector” for the VPN connection.

Explanation
The Customer Gateway is a physical or software application that is located at your on-premise data center. It is the VPN connector on the data center side (of the connection) and must be configured with a static public IP address.

12) With Direct Connect, a Public Virtual Interface allows you to interface with resources inside a VPC, like an EC2 instance via its private IP address.
False

Explanation
A Public Virtual Interface allows you to interface with AWS resources that have a public endpoint (like S3 or DynamoDB).

1) What are three attributes of DynamoDB?
Fully-managed, A NoSQL database platform, Uses key-value store

Explanation
DynamoDB is fully-managed (you have no access to the underlining OS), it is a NoSQL database platform, and it uses a schemaless key-value store.

2) What are the “engine” options for ElastiCache?
Redis & Memcached

Explanation
Redis & Memcached are the two engine options for ElastiCache

3) You have to make your own backups of RDS databases, AWS does not automate the process
False

Explanation
AWS provides automated backups of RDS databases, which are point-in-time snapshots.

4) What database service offers petabyte-scale data warehousing?
Redshift

Explanation
Redshift offers petabyte-scale data warehousing that is generally used for big-data analytics.

5) How does using ElastiCache help to improve database performance?
It can store high-taxing queries

Explanation
ElastiCache is designed for large, high-performance or taxing queries. it can store the queries to alleviate hits to the database.

6) When setting up a DynamoDB database, you need to select the instance size and storage type.
False

Explanation
When setting up a DynamoDB database, you only need to specify the required throughput capacity. There is no instance size or storage type to choose from. AWS scales compute power with your needs.

7) What are two benefits of using read replicas?
Creates elasticity in RDS, Improves performance of the primary database by taking workload from it

Explanation
You can add/remove read replicas based on demand, so it creates elasticity for RDS. Read replicas can take read only workloads off of the primary database – thus improving performance.

8) What database service should you choose if you need petabyte-scale data warehousing?
Redshift

Explanation
Redshift is for petabyte-scale data warehousing.

9) A read replica can be promoted to the primary instance.
True

10) The Availability Zone that your RDS database instance is located in is suffering from outages, and you have lost access to the database. What could you have done to prevent losing access to your database (in the event of this type of failure) without any downtime?
Enabled multi-AZ failover

Explanation
If multi-AZ failover is enabled, a duplicate copy of the database is kept in a separate AZ. If there is failure in the primary database’s AZ, AWS will automatically swatch the CNAME DNS record from the primary to the failover backup instance.

1) SWF guarantees the order in which tasks are executed, where SQS does not guarantee the order that messages will be delivered.
True

2) What service should you choose if you want to sent notifications via text message to a system administrator?
SNS

Explanation
SNS (Simple Notification Service) is the AWS service that provides the ability to send notifications to various endpoints, with SMS (test messages) being one of them.

3) An SQS Message is?
A set of instructions stored in an SQS queue that can be up to 256KB in size

Explanation
An SQS message can be up to 256KB in size of text (in any format) and is used to relay instructions from one instance to another (via an SQS queue).

4) What is the purpose of an SWF decision task?
It tells the decider the state of the work flow execution.

Explanation
A decision task is used to communicate (back to the decider) that a given task has been completed.

5) SNS can be used to send push notifications to Android and iOS mobile devices.
True

Explanation
Push notifications to mobile devices is one of the available endpoint options for SNS.

6) What best describes decoupled architecture?
A system architecture of multiple components that can process information without being connected.

Explanation
A loosely coupled (or decoupled) system is one that has multiple components but can work independently of each other. So if one fails, the other components can continue to work.

7) If your applications architecture is currently tightly coupled, what AWS service should you use to decouple the application?
None of the above

Explanation
SQS (Simple Queue Service), and to a lesser extent SWF (Simple Workflow) can be used to decouple application components.

8) How long can an SWF workflow execution last?
1 year

Explanation
An SWF workflow execution lasts up to 1 year.

1) Why does stopping and starting an instance (usually) fix a System Status Check error?
Stopping and starting an instance causes the instance to be provisioned on different AWS hardware.

Explanation
Unless you have dedicated tenancy enabled, stopping and starting an instance will generally cause it to be launched onto different AWS host hardware.

2) CloudTrail can log API calls from?
All of the above

Explanation
AWS is basically one big API call, so it does not matter if the API calls from the command line, SDK, or console, they are all logged by CloudTrail.

3) System Status Checks are software-related issues that we need to troubleshoot and fix.
False

Explanation
Instance Status Check are software related issue that we need to troubleshoot and fix. System Status Checks are AWS hardware/software issues that we have no control over.

4) Which of the following CloudWatch EC2 metrics will require a custom script to enable?
Memory Utilization

Explanation
Custom scripts are needed to enable OS level monitoring of EC2 instances. Memory Utilization falls into that category, while CPU Credit Usage and Utilization does not (those are host level metrics).

5) CloudTrail is an API Logging service.
True

6) CloudTrail is a service that allows you to view resource level metics, and create alarms based on metric thresholds.
False

Explanation
CloudWatch is a service that allows you to view resource level metics, and create alarms based on metric thresholds.

1) When designing cloud services, what design elements should you always consider? (select all that apply)
Design for failure , Create self-healing application environments, Decouple applications

Explanation
When designing cloud architecture, you always want to start by designing for failure, and create self-healing whenever possible. Decoupling your application is also best practice. However, you should always use a MIN of TWO Availability Zones. Only using one Availability Zone does not allow for high availability.

2) When designing for elasticity and scalability, you always want to scale UP instead of OUT.
False

Explanation
When designing for elasticity and scalability, you want to strive for scaling out (adding more instances) instead of scaling up (increasing instance sizes). However, you must make sure you start with the proper instance size.

3) Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?
Cloudfront and Elastic Load Balancing

4) What AWS service, if used as part of your application’s architecture, has an added benefit of helping to mitigate DDoS attacks from hitting your back-end instances?
CloudFront

Explanation
When CloudFront is used as part of your application’s architecture, traffic from a DDoS attack will most likely be redirected to the cached data at an edge location (instead of being routed to your applications EC2 instances).

5) In the shared security responsibility model, what are items that you are responsible for managing? (choose all that apply)
Guest operating systems, AMIs

Explanation
AWS is responsible for everything physical. That includes the security of the physical hardware at their data centers and their network infrastructure. You are responsible for selecting and managing the security for AMI and the OS you install on instances.

6) What service is best for logging all actions taken against the AWS API?
CloudTrail

Explanation
Cloudtrail is AWS’s logging service that can be used to log all actions taken inside your AWS account.

7) What feature should you utilize if auto scaling and load balancing are not available?
Elastic IP address setup for failover to “stand-by” instances

Explanation
Setting up an Elastic IP address and having it ready for failover is a great solution when other services that provide high availability and fault tolerance are not available.

8) What best describes Recovery Time Objective (RTO)?
The time it takes after a disruption to restore operations back to its regular service level.

Explanation
The Recovery Time Objective (RTO) is the time it takes after a disruption to restore operations back to its regular service level (as defined by a company’s operational level agreement).

9) S3 offers 256-bit encryption for data-at-rest.
True

Explanation
S3 offers 256-bit encryption for data-at-rest, which is an option you an turn on/off. AWS manages the keys and will decrypt the data when you request to download it.

10) What best describes CloudHSM?
A dedicated appliance that is used to store security keys

Explanation
CloudHSM (which is not a feature specific to AWS) is a dedicated appliance that is used to store security keys.

11) What it is called when you have a minimal version of your production environment running (which can be easily increased in size) as a disaster recovery solution?
Pilot light

Explanation
A pilot light is the practice of having an minimally active version of of your environment set up and running in a separate region. If there is catastrophic failure on your primary environment, you can quickly spin up the pilot light environment to become your primary environment.

#################################################################################

1) Your supervisor asks you to create a highly available website which serves static content from EC2 instances. Which of the following is not a requirement to accomplish this goal?
An SQS queue

Explanation
While an SQS queue can be an important part of a multi-step decoupled web application, it is not necessary to host a highly available static website on EC2. An auto scaling group configured to deploy EC2 instances in multiple subnets located in multiple availability zones allows an application to remain online despite an instance or AZ failure.

2) When designing an application architecture utilizing EC2 instances and the ELB, to determine the instance size required for your application what questions might be important?
Determining the minimum memory requirements for an application, Determine the required I/O operations

3) You own an image manipulation application. Your users take a picture, upload it to your app, and request filters to be added to the image. You need to decouple the application so your users are not waiting for the image processing to take place. How would you go about doing this?
Use Amazon SQS to store the requests using metadata and JSON in the message, use S3 to store the image, and Auto Scaling to determine when to fire off more worker instances based on queue size

4) You are using IOT sensors to monitor the movement of a group of hikers on a three day trek and send the information into an Kinesis Stream. They each have a sensor in their shoe and you know for certain that there is no problem with mobile coverage so all the data is getting back to the stream. You have used default settings for the stream. At the end of the third day the data is sent to an S3 bucket. When you go to interpret the data in S3 there is only data for the last day and nothing for the first 2 days. Which of the following is the most probable cause of this?
Data records are only accessible for a default of 24 hours from the time they are added to a stream.

5) Your web application front end consists of multiple EC2 instances behind an Elastic Load Balancer. You configured the ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement is true?
The ELB stops sending traffic to the instance that failed its health check.

6) Amazon SQS (Simple Queue Service) guarantees delivery of AT LEAST 1 message but cannot guarantee it will not create duplicates.
True

7) An AWS VPC (Virtual Private Cloud) allows you to _______.
Connect your cloud resources to your own encrypted IPSec VPN connections

8) Company B provides an online image recognition service and utilizes SQS to decouple system components for scaleability. The SQS consumer’s readers poll the image queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can company B reduce the number of empty responses?
Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0

9) Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.
True

10) Elasticity is a fundamental property of the cloud. What best describes elasticity?
Power to scale computing resources up and down easily with minimal friction

11) You are consulting for a finance company that has specific backup and archiving policies. This company’s RTO for all financial documents created in the past 6 months is 1 hour. The second requirement is to configure a setup that allows for all documents that are 6 months or older to be sent automatically for archiving in a lower-cost but highly durable archive environment. Given that the company is using the storage gateway, gateway-stored configuration, which of the following would be the best setup to reach the objectives?
Enable S3 versioning with a lifecycle policy that sends objects older than 6 months to Amazon Glacier

12) Which of the following services allow the administrator access to the underlying operating system?
Amazon EC2, Amazon EMR

13) What is the minimum size of an S3 object?
0 Bytes

14) In AWS, when a request is made, the AWS service decides whether a given request should be allowed or denied. The distinction between a request being denied or allowed by default and an explicit deny in a policy is important. Which of the following statements best describes this distinction?
By default, a request is denied, but this can be overridden by an allow. In contrast, if a policy explicitly denies a request, that deny can’t be overridden.

15) While running an EC2 instance, you’ve been storing data on one of the instance’s volumes. However, to save money, you shut down the instance for the weekend. The following week, after starting the instance, you notice that all your work has been lost and is no longer available on the EC2 instance. What might be the cause of this?
The EC2 instance was using instance store volumes, which are ephemeral and only live for the life of the instance

16) One of your more important clients is a Telecom business who needs to process some real-time data in a distributed manner. They suggest to you that they think they should use either Amazon SQS or Amazon Kinesis to achieve this and they want you to tell them what would be the difference between the two. After some research you decide that they should use Kinesis and are trying to put together some reasons for this. One of the below statements is INCORRECT, regarding this. Which one?
Kinesis cannot route related data records to the same record processor (as in streaming MapReduce).

17) You create an SQS queue and decide to test it out by creating a simple application which looks for messages in the queue. When a message is retrieved, the application is supposed to delete the message. You create three test messages in your SQS queue and discover that messages 1 and 3 are quickly deleted but message 2 remains in the queue. What is a possible cause for this behavior?
The order that messages are received in is not guaranteed in SQS, Your application is using short polling

Explanation
Short polling does not query all the servers that the SQS messages can reside on, so multiple queries of the queue may be needed to retrieve all messages in the queue.

18) You have been told that you need to set up a bastion host by your manager in the cheapest, most secure way, and that you should be the only person that can access it via SSH. Which of the following setups would satisfy your manager’s request?
A small EC2 instance and a security group which only allows access on port 22 via your IP address

19) Your AWS environment contains several on-demand EC2 instances dedicated to a project that has just been cancelled. Your supervisor does not want to incur charges for these on-demand instances, but also does not want to lose the data just yet because there is a chance the project may be revived in the next few days. What should you do to minimize charges for these instances in the meantime?
Stop the instances as soon as possible

Explanation
You should not terminate an instance that you may need to place back into production in a few days. The best way to minimize charges is to stop the instances to avoid any data transfer charges that the instance might incur if left running.

20) Which statement is true about Amazon SQS?
Amazon SQS (Simple Queue Service) guarantees delivery of AT LEAST 1 message but cannot guarantee it will not create duplicates, Amazon SQS guarantees delivery of AT LEAST 1 message but cannot guarantee message order, although does attempt to

21) You have 8 instances running on your VPC and all 10 of your users (5 production and 5 development) currently have access to all the instances. However, you have been told that because 4 of the instances are used for production and 4 are used for development you will need to set up access so that the 5 production people can only access the production server and the 5 development people can only access the development server. Using policies, which of the following would be the best way to accomplish this?
Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags

22) You manage a web application on EC2 instances. Your website occasionally experiences brief but large spikes in traffic that cause your EC2 instances’ resources to become overwhelmed and the application to freeze up and lose recently-submitted requests from end users. You use Auto Scaling to deploy additional resources to handle the load during spikes, but the new instances do not deploy fast enough to prevent the existing application servers from freezing. Assuming you cannot find a pattern to when these spikes occur, which of the following is likely to provide the most cost-effective solution to avoid losing recently submitted requests?
Use an SQS queue to decouple the application components

Explanation
Because of the infrequency of the spikes in traffic, keeping extra EC2 resources always deployed is not cost-effective. Pre-warming is a process used when you are anticipating a spike in demand, but in this case, the spikes are unpredictable. The use of an SQS queue allows submitted requests to be retained as messages in the SQS queue until the application resumes normal operation and can process the requests.

23) Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.
True

24) If your organization is concerned about storing sensitive data in the cloud, you should _______.
Encrypt the file system on an EBS volume using Linux tools, Enable EBS Encryption, Enable S3 Encryption

25) Your company has an application that requires access to a NoSQL database. Your IT department has no desire to manage the NoSQL servers. Which Amazon service provides a fully-managed and highly available NoSQL service?
DynamoDB

26) You are asked to evaluate a company’s AWS environment to find ways to reduce cost. You discover they are running three production web server reserved EC2 instances with EBS-backed root volumes. These instances have a consistent CPU load of 80%. Traffic is being distributed to these instances by an Elastic Load Balancer. They also have production and development Multi-AZ RDS MySQL databases. What recommendation would you make to reduce cost in this environment without affecting availability of mission-critical systems?
Consider not using a Multi-AZ RDS deployment for the development database

Explanation
Multi-AZ RDS databases minimize downtime, provide high availability, and reduce performance impact during backups, so they are highly recommended for production systems. Development systems may be able to get by with a standard RDS deployment, since uptime and performance requirements may be lower in a development environment.

27) Which region ID is the US Standard region?
us-east-1

28) To prevent in-flight tampering, all requests sent with API keys over REST or Query API should be sent over HTTPS connection.
True

29) Your web application front end consists of multiple EC2 instances behind an Elastic Load Balancer. You configured the ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement is true?
The ELB stops sending traffic to the instance that failed its health check.

30) In order to establish a successful site-to-site VPN connection from your on-premise network to the VPC (Virtual Private Cloud), which of the following needs to be configured inside of the VPC?
A public IP address on the customer gateway for the on-premise network

Explanation
When you configure a VPN, you’re configuring it from the VPC and from the on-premises network. You are taking information (the public IP) from the on-premises network and configuring it inside of the VPC.

31) You own an image manipulation application. Your users take a picture, upload it to your app, and request filters to be added to the image. You need to decouple the application so your users are not waiting for the image processing to take place. How would you go about doing this?
Use Amazon SQS to store the requests using metadata and JSON in the message, use S3 to store the image, and Auto Scaling to determine when to fire off more worker instances based on queue size

32) What is the difference between an availability zone and an edge location?
An availability zone is an Amazon resource within an AWS region, whereas an edge location will deliver cached content to the closest location to reduce latency

33) If your organization is concerned about storing sensitive data in the cloud, you should _______.
Encrypt the file system on an EBS volume using Linux tools, Enable EBS Encyption, Enable S3 Encryption

34) Currently you’re helping design and architect a highly available application. After building the initial environment, you’ve found that part of your application does not work correctly until port 443 is added to the security group. After adding port 443 to the appropriate security group, how much time will it take before the changes are applied and the application begins working correctly?
Changes apply instantly to the security group, and the application should be able to respond to 443 requests

35) In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics:
Hypervisor visible metrics, such as CPU utilization

36) You’re building out an application on AWS that is running within a single region. However, you’re designing with disaster recovery in mind. Your intention is to build the application so that if the current region becomes unavailable, you can failover to another region. Part of your application relies heavily on pre-built AMIs. In order to share those AMIs with the region you’re using as a backup, what process would you take?
Copy the AMI from the current region to another region, modify the Auto Scaling groups in the backup region to use the new AMI ID in the backup region

37) Your company is posting a big article on the front page of your website tomorrow. It is expected that the demand could potentially overwhelm your infrastructure. In the event of a load failure, how can you set up DNS failover to a static website?
Use Route 53 and the failover option to failover to a static S3 website bucket or CloudFront distribution in the event of an issue

38) You’ve been contacted by a client who is having connectivity issues on their Amazon Virtual Private Cloud and EC2 instances. After logging into the environment, you notice that the customer is using four instances that all belong to a subnet with an attached internet gateway. The instances also belong to the same security group. However, one of the instances is not able to send or receive traffic like the other three. After logging into the internal network and investigating, you find that the instance is working as expected and determine it is not an operating system issue. Which of the following is missing from the environment and is preventing that single instance from connecting?
The EC2 instance does not have a public IP address associated with it

39) Your supervisor asks you to create a highly available website which serves static content from EC2 instances. Which of the following is not a requirement to accomplish this goal?
While an SQS queue can be an important part of a multi-step decoupled web application, it is not necessary to host a highly available static website on EC2. An auto scaling group configured to deploy EC2 instances in multiple subnets located in multiple availability zones allows an application to remain online despite an instance or AZ failure.

40) By default, is data in S3 encrypted?
No, but it can be when the right APIs are called for SSE

41) When designing a cloud service based on AWS and you choose to use RRS on S3 instead of S3 standard storage type, what type of trade offs do you have to build your application around?
RRS only has 99.99% durability and you have to design automation around replacing lost objects

42) As part of your application architecture requirements, the company you are working for has requested the ability to run analytics against all combined log files from the Elastic Load Balancer. Which services are used together to collect logs and process log file analysis in an AWS environment?
Amazon S3 for storing ELB log files and Amazon EMR for processing the log files in analysis

43) You design an application that checks for new items in an S3 bucket once per hour. If new items exist, a message is added to an SQS queue. You have several EC2 instances which retrieve messages from the SQS queue, parse the file, and send you an email containing the relevant information from the file. You upload one test file to the bucket, wait a couple hours and find that you have hundreds of emails from the application. What is the most likely cause for this volume of email?
Your application does not issue a delete command to the SQS queue after processing the message

Explanation
Many instances can poll a single queue, but to keep multiple instances from processing the same SQS message, your application must delete the SQS message after processing it. While SQS does not guarantee a message will be processed only once, the same message being processed many times is probably an indication that the message is not being deleted following processing.

44) Your EC2 instances are configured to run behind an Amazon VPC. You have assigned two web serves instances to an Elastic Load Balancer. However, the instances and the ELB are not reachable via URL to the elastic load balancer serving the web app data from the EC2 instances. How might you resolve the issue so that your instances are serving the web app data to the public Internet?
Attach an Internet gateway to the VPC and route it to the subnet

45) Your supervisor is upset that a client’s purchase from your website was processed twice. You find out that the order process involves EC2 instances processing messages from an SQS queue. What action would you recommend to ensure this does not happen again?
Modify the order process to use SWF

Explanation
The only way to ensure that a duplicate will not occur in a process is to use Amazon SWF instead of SQS. The other options can decrease the chances of duplicates in SQS, but will not eliminate them entirely.

46) You are asked to perform a security audit on a company’s AWS environment. You log in to their AWS account with the root user credentials and discover that they are using a VPN to connect to and manage their private EC2 instances. Upon further inspection, you find that they are not regularly patching their RDS instances. Finally, you notice that they are using IAM policies rather than bucket policies to manage access to their S3 buckets. What do you cite as the most critical security risk in your report?
The company allows people to log in with their AWS account’s root user

Explanation
A bastion host is not more secure than a VPN as a means of connecting to private instances. IAM policies and S3 bucket policies are both acceptable means of controlling S3 bucket access. It is AWS’s responsibility to patch RDS instances. After initial account setup, AWS account administration should be performed by IAM users rather than the root user account.

47) Your company wants to backup the onsite file server to AWS but does not want to serve the files from S3 to your office network when files need accessed. Which service and setup would you use to accomplish this task?
Use Amazon Storage Gateway and gateway-stored volumes to store the data locally and asynchronously backup point-in-time snapshots to S3

48) A colleague would like a new subnet configured in AWS for a database cluster she is building. She expects that the subnet will never need more than six IP addresses. Which of the following will likely be the most appropriate choice for this subnet?
A /28 private subnet

Explanation
Databases generally do not require public access from the Internet, so a private subnet is likely the better choice from a security perspective. /28 is the smallest possible subnet in an AWS VPC.

49) Your supervisor calls you wanting to know why an SWF workflow you created has not made any progress in the last three weeks. What is the most likely explanation for the workflow’s behavior?
SWF is awaiting human input from an activity task you assigned to your supervisor

Explanation
SWF task and workflow execution can last up to one year, and can include tasks to be performed by on-premises servers and humans.

50) An EC2 instance retrieves a message from an SQS queue, begins processing the message, then crashes. What happens to the message?
When the message visibility timeout expires, the message becomes available for processing by other EC2 instances

51) You are setting up a VPC peering connection with another VPC. This is the first time that you have done this, and you are not that familiar with the limitations and rules. When reading up on this, you discover that there seems to be a lot of limitations and rules when it comes to VPC peering. Which of the following is NOT one of those limitations or rules?
A placement group cannot span peered VPCs

52) You’ve been tasked with building out a duplicate environment in another region for disaster recovery purposes. Part of your environment relies on EC2 instances with preconfigured software. What steps would you take to configure the instances in another region?
Create an AMI of the EC2 instance and copy the AMI to the desired region

53) Your application’s usage peaks at 90% during the hours of 9 AM and 10 AM everyday. All other hours require only 10% of the peak resources. What is the best way to scale your application so you’re only paying for max resources during peak hours?
Proactive Cycle Scaling

54) After deciding that, due to to strict contractual requirements, the latest AWS VPC that you deploy will need to incorporate AWS CloudHSM as an encryption solution, where within your AWS infrastructure would be the best place to physically locate the HSM appliances and why?
Locating HSM appliances near your EC2 instances decreases network latency, which can improve application performance

55) What is the difference between an availability zone and an edge location?
An availability zone is an Amazon resource within an AWS region; an edge location will deliver cached content to the closest location to reduce latency

56) Your supervisor asks you to create a decoupled application using EC2 instances polling an SQS queue. Which of the following is not necessary to accomplish this goal?
An Elastic Load Balancer to distribute traffic from EC2 instances to the SQS queue

Explanation
While an Elastic Load Balancer is often used to handle incoming web traffic requests in a highly available web application solution, it is not required for a decoupled application’s EC2 instances to poll SQS. A decoupled application requires that one component of the application can fail without the entire environment failing. Using multiple EC2 instances that have been launched with a role granting SQS queue permissions and using code to poll an SQS queue allows an EC2 instance to fail, even if it has already begun processing a job because another instance is able to process the job when the message is returned to the queue.

57) Which of the following statements is FALSE regarding the role of a bastion host?
A Bastion host should be on a private subnet and never a public subnet due to security concerns

58) An AWS VPC (Virtual Private Cloud) allows you to _______.
Connect your cloud resources to your own encrypted IPSec VPN connections

59) When reviewing the Auto Scaling events, it is noticed that an application is scaling up and down multiple times within the hour. What design change could you make to optimize cost while preserving elasticity?
Change the scale down CloudWatch metric to a higher threshold

60) One of your instances is reporting an unhealthy system status check. However, this is not something you should have to monitor and repair on your own. How might you automate the repair of the system status check failure in an AWS environment?
Create CloudWatch metrics that stop and start the instance based off of status check alarms

#########################################################################

1) Which of the following statements is FALSE regarding the role of a bastion host?
A Bastion host should be on a private subnet and never a public subnet due to security concerns

2) What is the difference between an availability zone and an edge location?
An availability zone is an Amazon resource within an AWS region, whereas an edge location will deliver cached content to the closest location to reduce latency

3) Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.
True

4) After deciding that, due to to strict contractual requirements, the latest AWS VPC that you deploy will need to incorporate AWS CloudHSM as an encryption solution, where within your AWS infrastructure would be the best place to physically locate the HSM appliances and why?
Locating HSM appliances near your EC2 instances decreases network latency, which can improve application performance

5) For basic monitoring on AWS, which metrics are not included as part of the basic monitoring package?
Free memory, Free swap

6) Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.
True

7) As part of your application architecture requirements, the company you are working for has requested the ability to run analytics against all combined log files from the Elastic Load Balancer. Which services are used together to collect logs and process log file analysis in an AWS environment?
Amazon S3 for storing ELB log files and Amazon EMR for processing the log files in analysis

8) Which of the following relational database servers are available on Amazon RDS?
Aurora , MariaDB, MySQL

9) You are setting up a VPC peering connection with another VPC. This is the first time that you have done this, and you are not that familiar with the limitations and rules. When reading up on this, you discover that there seems to be a lot of limitations and rules when it comes to VPC peering. Which of the following is NOT one of those limitations or rules?
A placement group cannot span peered VPCs

10) If an instance that belongs to an Elastic Load Balancer’s health check fails, what occurs to the instance that fails?
The ELB will de-register the instance and stop sending traffic to the unhealthy instance

11) Your supervisor asks you to create a decoupled application using EC2 instances polling an SQS queue. Which of the following is not necessary to accomplish this goal?
An Elastic Load Balancer to distribute traffic from EC2 instances to the SQS queue

Explanation
While an Elastic Load Balancer is often used to handle incoming web traffic requests in a highly available web application solution, it is not required for a decoupled application’s EC2 instances to poll SQS. A decoupled application requires that one component of the application can fail without the entire environment failing. Using multiple EC2 instances that have been launched with a role granting SQS queue permissions and using code to poll an SQS queue allows an EC2 instance to fail, even if it has already begun processing a job because another instance is able to process the job when the message is returned to the queue.

12) Your AWS environment contains several on-demand EC2 instances dedicated to a project that has just been cancelled. Your supervisor does not want to incur charges for these on-demand instances, but also does not want to lose the data just yet because there is a chance the project may be revived in the next few days. What should you do to minimize charges for these instances in the meantime?
Stop the instances as soon as possible

Explanation
You should not terminate an instance that you may need to place back into production in a few days. The best way to minimize charges is to stop the instances to avoid any data transfer charges that the instance might incur if left running.

13) An AWS VPC (Virtual Private Cloud) allows you to _______.
Connect your cloud resources to your own encrypted IPSec VPN connections

14) What is the minimum size of an S3 object?
0 Bytes

15) Which of the following best describes what “bastion hosts” are?
Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with a bastion host, it then acts as a ‘jump’ server, allowing you to use SSH or RDP to log into other instances (within private subnets) deeper within your network.

16) In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics:
Hypervisor visible metrics, such as CPU utilization

17) Your company has an application that requires access to a NoSQL database. Your IT department has no desire to manage the NoSQL servers. Which Amazon service provides a fully-managed and highly available NoSQL service?
DynamoDB

18) Which of the following services allow the administrator access to the underlying operating system?
Amazon EC2, Amazon EMR

19) Your supervisor asks you to create a decoupled application whose process includes dependencies on EC2 instances and servers located in your company’s on-premises datacenter. Which of these are you least likely to recommend as part of that process?
SQS polling from an EC2 instance using IAM user credentials

Explanation
An EC2 IAM role should be used when deploying EC2 instances to grant permissions rather than storing IAM user credentials in EC2 instances

20) Your organization has been using a HSM (Hardware Security Module) for secure key storage. It is only used for generating keys for your EC2 instances. Unfortunately, the HSM has been zeroized after someone attempted to log in as the administrator three times using an invalid password. This means that the encryption keys on it have been wiped. You did not have a copy of the keys stored anywhere else. How can you obtain a new copy of the keys that you had stored on HSM?
You cannot; the keys are lost if you did not have a copy.

21) If your organization is concerned about storing sensitive data in the cloud, you should _______.
Encrypt the file system on an EBS volume using Linux tools, Enable EBS Encryption, Enable S3 Encryption

22) You own an image manipulation application. Your users take a picture, upload it to your app, and request filters to be added to the image. You need to decouple the application so your users are not waiting for the image processing to take place. How would you go about doing this?
Use Amazon SQS to store the requests using metadata and JSON in the message, use S3 to store the image, and Auto Scaling to determine when to fire off more worker instances based on queue size

23) Your company is concerned with EBS volume backup on Amazon EC2 and wants to ensure they have proper backups and that the data is durable. What solution would you implement and why?
Write a cronjob that uses the AWS CLI to take a snapshot of production EBS volumes. The data is durable because EBS snapshots are stored on the Amazon S3 standard storage class

24) What is the maximum size of a general SSD EBS volume?
16TiB

25) You can deny the AWS root account to EC2 instances via IAM policy.
False

26) Which statement is true about Amazon SQS?
Amazon SQS (Simple Queue Service) guarantees delivery of AT LEAST 1 message but cannot guarantee it will not create duplicates, Amazon SQS guarantees delivery of AT LEAST 1 message but cannot guarantee message order, although does attempt to

27) One of your more important clients is a Telecom business who needs to process some real-time data in a distributed manner. They suggest to you that they think they should use either Amazon SQS or Amazon Kinesis to achieve this and they want you to tell them what would be the difference between the two. After some research you decide that they should use Kinesis and are trying to put together some reasons for this. One of the below statements is INCORRECT, regarding this. Which one?
Kinesis cannot route related data records to the same record processor (as in streaming MapReduce).

28) You are designing a global application that takes advantage of multiple regions. As part of your application, the need to synchronize from one region to another is required to ensure your application is serving the same data when employing latency-based Route 53 DNS records. To ensure this happens, you have determined that using the AWS CLI to sync files from the primary storage servers to S3 is the best method. How might you implement AWS CLI authentication against the S3 service?
Create an EC2 IAM role and assign it to each EC2 instance that utilizes the AWS CLI to sync the data

29) When designing a cloud service based on AWS and you choose to use RRS on S3 instead of S3 standard storage type, what type of trade offs do you have to build your application around?
RRS only has 99.99% durability and you have to design automation around replacing lost objects

30) What URL might you query on an EC2 instance to find the public AND private IP address of an instance?
http://169.254.169.254/latest/meta-data/

31) You are using IOT sensors to monitor the movement of a group of hikers on a three day trek and send the information into an Kinesis Stream. They each have a sensor in their shoe and you know for certain that there is no problem with mobile coverage so all the data is getting back to the stream. You have used default settings for the stream. At the end of the third day the data is sent to an S3 bucket. When you go to interpret the data in S3 there is only data for the last day and nothing for the first 2 days. Which of the following is the most probable cause of this?
Data records are only accessible for a default of 24 hours from the time they are added to a stream.

32) If your organization is concerned about storing sensitive data in the cloud, you should _______.
Encrypt the file system on an EBS volume using Linux tools, Enable EBS Encyption, Enable S3 Encryption

33) A user needs access to Elastic Load Balancing. This is the first and possibly only time that they will require this access. Which of the following choices would be the best way to allow this access?
Delegate access to the ELB using an IAM role

34) Company B provides an online image recognition service and utilizes SQS to decouple system components for scaleability. The SQS consumer’s readers poll the image queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can company B reduce the number of empty responses?
Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0

35) Your company is building it’s first deployment on AWS and is concerned about security in the cloud. There will be a lot of online payment transactions happening once the infrastructure is deployed. Your security officer has come to you and wants to know whether they should be using the Hardware Security Module (HSM) or AWS Key Management Service (KMS) for encryption. Which of the following would be the most correct response to give him?
KMS is probably adequate unless additional protection is necessary for some applications and data that are subject to strict contractual or regulatory requirements for managing cryptographic keys, then HSM should be used

36) You have 8 instances running on your VPC and all 10 of your users (5 production and 5 development) currently have access to all the instances. However, you have been told that because 4 of the instances are used for production and 4 are used for development you will need to set up access so that the 5 production people can only access the production server and the 5 development people can only access the development server. Using policies, which of the following would be the best way to accomplish this?
Define the tags on the test and production servers and add a condition to the IAM policy which allows access to specific tags

37) After migrating an application architecture from on-premise to AWS you will not be responsible for the ongoing maintenance of packages for the following AWS services that your application uses:
RDS, DynamoDB

38) You’ve been tasked with building out a duplicate environment in another region for disaster recovery purposes. Part of your environment relies on EC2 instances with preconfigured software. What steps would you take to configure the instances in another region?
Create an AMI of the EC2 instance and copy the AMI to the desired region

39) You are asked to evaluate a company’s AWS environment to find ways to reduce cost. You discover they are running three production web server reserved EC2 instances with EBS-backed root volumes. These instances have a consistent CPU load of 80%. Traffic is being distributed to these instances by an Elastic Load Balancer. They also have production and development Multi-AZ RDS MySQL databases. What recommendation would you make to reduce cost in this environment without affecting availability of mission-critical systems?
Consider not using a Multi-AZ RDS deployment for the development database

Explanation
Multi-AZ RDS databases minimize downtime, provide high availability, and reduce performance impact during backups, so they are highly recommended for production systems. Development systems may be able to get by with a standard RDS deployment, since uptime and performance requirements may be lower in a development environment.

40) The KPL is an easy-to-use, highly configurable library that helps you write to an Amazon Kinesis stream. It acts as an intermediary between your producer application code and the stream’s API actions. One of its key concepts is aggregation. Which of the following best describes aggregation as it relates to the KPL?
It refers to the storage of multiple records in a stream’s record and allows customers to increase the number of records sent per API call, which effectively increases producer throughput

41) You are building a system to distribute confidential training videos to employees. Using CloudFront, what method would be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
Create an Origin Access Identify (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI

42) Which region ID is the US Standard region?
us-east-1

43) While implementing a disaster recovery strategy in another region, you are attempting to move the data from one EBS volume to another in a separate region. What is the best way to do this? Keep in mind this is not a live production replication copy.
Take a snapshot of the EBS volume and copy it to the desired region

44) You are consulting for a healthcare company that has strict compliance and auditing requirements. When architecting the application environment on AWS, which services or service features might you enable to take advantage of monitoring to ensure auditing the environment for compliance is easy and follows the strict healthcare compliance requirements?
CloudTrail for security logs

45) Amazon Glacier is designed for:
Infrequently accessed data, Data archives

46) You recently purchased and deployed four reserved EC2 instances in the US-East-1 region’s Availability Zone 1 for a new project. Your supervisor just informed you that this project only requires two EC2 instances. Rather than selling the reserved instances, she asked you to terminate the extra instances and convert two of the on-demand instances already running in Availability Zone 1 to reserved instances. Can this be done?
Yes, you can terminate the reserved instances and AWS will automatically begin billing the two on-demand instances as reserved instances

Explanation
If you own three Reserved Instances with the same instance type and Availability Zone, the billing system checks each hour to see how many total instances you have running that match those parameters. If it is three or less, you will be charged the Reserved Instance rate for each instance running that hour.

47) When a snapshot is being taken against an EBS volume, the volume becomes unavailable and the instance no longer has the ability to communicate with the EBS volume until the snapshot is complete.
False

48) Which of the following AWS services allow you access to the underlying operating system?
Amazon EMR, Amazon Elastic Beanstalk

49) Your company is moving their entire 20 TB data warehouse to the cloud. With your current bandwidth it would take 2 months to transfer the data. Which service would allow you to quickly get your data into AWS?
Amazon Import/Export

50) You are asked to review a plan that your company has made to create a new application that makes use of SQS, EC2, Auto Scaling and CloudWatch. Which of the following action items should you advise your company not to implement?
Utilize short polling with a wait time of 20 seconds to reduce the number of empty responses from the SQS queue

Explanation
Polling executed with a wait time of greater than 0 seconds is called long polling.

51) You are testing an application that uses EC2 instances to poll an SQS queue. At this stage of testing, you have verified that the EC2 instances can retrieve messages from the queue, but your coworkers are complaining about not being able to manually retrieve any messages from the queue from their on-premises workstations. What is the most likely source of this problem?
Your coworkers may not have permission to the SQS queue

Explanation
Short polling may fail to retrieve messages sometimes, but if no messages can be retrieved after multiple attempts, permissions are the more likely cause.

52) You own an image manipulation application. Your users take a picture, upload it to your app, and request filters to be added to the image. You need to decouple the application so your users are not waiting for the image processing to take place. How would you go about doing this?
Use Amazon SQS to store the requests using metadata and JSON in the message, use S3 to store the image, and Auto Scaling to determine when to fire off more worker instances based on queue size

53) You are consulting for a company with a limited budget for on-premise hardware. However, they need to store large amounts of data that is easily accessible through a network share with on-premise employees. Which AWS solution would you implement for this company?
Configure storage gateway with Gateway-Cached Volumes

Explanation
Gateway-Stored volumes use S3 to backup the data but store locally, which means we’re limited to the amount of space we allocate to the VM. With the Gateway-Cache volumes, you aren’t limited in that way since you’re storing all of the data on S3 and simply caching frequently-used data locally.

54) Company B provides an online image recognition service and utilizes SQS to decouple system components for scaleability. The SQS consumer’s readers poll the image queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can company B reduce the number of empty responses?
Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0

55) Data stored on EBS volumes are automatically and redundantly stored in multiple physical volumes in the same availability zone as part of the normal operations of the EBS service at no additional charge.
True

56) After building out a new VPC from scratch, you have attached an Internet gateway to the only route table within your VPC. This means all instances currently belong to a public subnet. While trying to connect to one of the instances over the Internet gateway, you are experiencing connectivity issues preventing any communication from your machine to the instance over the Internet. After investigating, you notice that the security group has proper permissions and the route table is currently as follows:
Change the route table Destination for the IGW to be 0.0.0.0/0

57) You and a colleague create an SQS queue and create several messages in it. You both test your ability to manually poll the queue by using the command-line API calls. After testing, you find that your colleague’s polling attempt retrieved messages 1, 3, and 5. Your polling attempt retrieved messages 4, 6, and 8. Nether of your attempts retrieved messages 2 or 7. What is a possible cause for this behavior?
You and your colleague did not see the same messages because of the visibility timeout, You and your colleague used short polling

Explanation
When a message is retrieved, that message is hidden from other polling attempts until the message is deleted or the visibility timeout expires. Short polling does not query all the servers that the SQS messages can reside on, so multiple queries of the queue may be needed to retrieve all messages in the queue.

58) To maintain compliance with HIPPA laws, all data being backed up or stored on Amazon S3 needs to be encrypted at rest. What is the best method for encryption for your data, assuming S3 is being used for storing the healthcare-related data?
Enable SSE on an S3 bucket to make use of AES-256 encryption , Encrypt the data locally using your own encryption keys, then copy the data to Amazon S3 over HTTPS endpoints

59) When reviewing the Auto Scaling events, it is noticed that an application is scaling up and down multiple times within the hour. What design change could you make to optimize cost while preserving elasticity?
Change the scale down CloudWatch metric to a higher threshold

60) You are the system administrator for your company’s AWS account of approximately 200 IAM users. A new company policy has just been introduced that will change the access of 50 of the IAM users to have unlimited access to S3 buckets. How can you implement this effectively so that there is no need to apply the policy at the individual user level?
Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

######################################################

1) Your supervisor calls you wanting to know why an SWF workflow you created has not made any progress in the last three weeks. What is the most likely explanation for the workflow’s behavior?
SWF is awaiting human input from an activity task you assigned to your supervisor

Explanation
SWF task and workflow execution can last up to one year, and can include tasks to be performed by on-premises servers and humans.

2) After building an application that makes use of an Elastic Load Balancer over port 80, you notice that your instances, even though they are healthy as part of the health check, are not serving traffic when you go to the ELB DNS cname. What might be the cause of this issue?
The ELB security group does not have port 80 open, The EC2 instances security group does not have port 80 open

Explanation
Remember that health checks do not have to be performed on port 80. This is the default, yes, but it can be changed. So in this case we could have a health check configured on a different port which is why it would be marked as healthy even though the ELB security group and/or the EC2 instance security group on port 80 could be closed. Even if this scenario does not sound very likely, it is possible. AWS likes to try and trick test takers by throwing in scenarios like these, which is why we included this tricky question.

3) Your company is moving their entire 20 TB data warehouse to the cloud. With your current bandwidth it would take 2 months to transfer the data. Which service would allow you to quickly get your data into AWS?
Amazon Import/Export

4) In AWS, when a request is made, the AWS service decides whether a given request should be allowed or denied. The distinction between a request being denied or allowed by default and an explicit deny in a policy is important. Which of the following statements best describes this distinction?
By default, a request is denied, but this can be overridden by an allow. In contrast, if a policy explicitly denies a request, that deny can’t be overridden.

5) For basic monitoring on AWS, which metrics are not included as part of the basic monitoring package?
Free memory, Free swap

6) Your company requires that all the data on your EBS-backed EC2 volumes be encrypted. How would you go about doing this?
AWS allows you to encrypt the file system on an EBS volume on EBS volume setup

7) Which of the following is true of an SQS message?
SQS messages are guaranteed to be delivered at least once

8) The KPL is an easy-to-use, highly configurable library that helps you write to an Amazon Kinesis stream. It acts as an intermediary between your producer application code and the stream’s API actions. One of its key concepts is aggregation. Which of the following best describes aggregation as it relates to the KPL?
It refers to the storage of multiple records in a stream’s record and allows customers to increase the number of records sent per API call, which effectively increases producer throughput

9) Your AWS environment contains several reserved EC2 instances dedicated to a project that has just been cancelled. Your supervisor wants to stop incurring charges for these reserved instances immediately and recuperate as much of the reserved instance cost as possible. What can you do to avoid being charged for them?
Terminate the instances as soon as possible, Sell the reserved instances on the AWS Reserved Instance Marketplace

Explanation
You should terminate the instance to avoid any data transfer charges that the instance might incur if left running and sell the reserved instance in the AWS Reserved Instance Marketplace to recuperate cost.

10) While implementing a disaster recovery strategy in another region, you are attempting to move the data from one EBS volume to another in a separate region. What is the best way to do this? Keep in mind this is not a live production replication copy.
Take a snapshot of the EBS volume and copy it to the desired region

11) The AMI ID used in an Auto Scaling policy is configured in the _______.
Launch configuration

12) When a snapshot is being taken against an EBS volume, the volume becomes unavailable and the instance no longer has the ability to communicate with the EBS volume until the snapshot is complete.
False

13) As part of your application architecture requirements, the company you are working for has requested the ability to run analytics against all combined log files from the Elastic Load Balancer. Which services are used together to collect logs and process log file analysis in an AWS environment?
Amazon S3 for storing ELB log files and Amazon EMR for processing the log files in analysis

14) What is the maximum size of a general SSD EBS volume?
16TiB

15) Your company is building it’s first deployment on AWS and is concerned about security in the cloud. There will be a lot of online payment transactions happening once the infrastructure is deployed. Your security officer has come to you and wants to know whether they should be using the Hardware Security Module (HSM) or AWS Key Management Service (KMS) for encryption. Which of the following would be the most correct response to give him?
KMS is probably adequate unless additional protection is necessary for some applications and data that are subject to strict contractual or regulatory requirements for managing cryptographic keys, then HSM should be used

16) If an instance that belongs to an Elastic Load Balancer’s health check fails, what occurs to the instance that fails?
The ELB will de-register the instance and stop sending traffic to the unhealthy instance

17) Elasticity is a fundamental property of the cloud. What best describes elasticity?
Power to scale computing resources up and down easily with minimal friction

18) Your EC2 instances are configured to run behind an Amazon VPC. You have assigned two web serves instances to an Elastic Load Balancer. However, the instances and the ELB are not reachable via URL to the elastic load balancer serving the web app data from the EC2 instances. How might you resolve the issue so that your instances are serving the web app data to the public Internet?
Attach an Internet gateway to the VPC and route it to the subnet

19) Which of the following statements is FALSE regarding the role of a bastion host?
A Bastion host should be on a private subnet and never a public subnet due to security concerns

20) For basic monitoring on AWS, which metrics are not included as part of the basic monitoring package?
Free memory, Free swap

21) You own an image manipulation application. Your users take a picture, upload it to your app, and request filters to be added to the image. You need to decouple the application so your users are not waiting for the image processing to take place. How would you go about doing this?
Use Amazon SQS to store the requests using metadata and JSON in the message, use S3 to store the image, and Auto Scaling to determine when to fire off more worker instances based on queue size

22) You’ve been tasked with building out a duplicate environment in another region for disaster recovery purposes. Part of your environment relies on EC2 instances with preconfigured software. What steps would you take to configure the instances in another region?
Create an AMI of the EC2 instance and copy the AMI to the desired region

23) The AMI ID used in an Auto Scaling policy is configured in the _______.
Launch configuration

24) Your company has an application that requires access to a NoSQL database. Your IT department has no desire to manage the NoSQL servers. Which Amazon service provides a fully-managed and highly available NoSQL service?
DynamoDB

25) Which of the following AWS services allow you access to the underlying operating system?
Amazon EMR, Amazon Elastic Beanstalk

26) In order to establish a successful site-to-site VPN connection from your on-premise network to the VPC (Virtual Private Cloud), which of the following needs to be configured inside of the VPC?
A public IP address on the customer gateway for the on-premise network

Explanation
When you configure a VPN, you’re configuring it from the VPC and from the on-premises network. You are taking information (the public IP) from the on-premises network and configuring it inside of the VPC.

27) You are working for a startup company that is building an application that receives large amounts of data. Unfortunately, current funding has left the start-up short on cash, cannot afford to purchase thousands of dollars of storage hardware, and has opted to use AWS. Which services would you implement in order to store a virtually unlimited amount of data without any effort to scale when demand unexpectedly increases?
Amazon S3, because it provides unlimited amounts of storage data, scales automatically, is highly available, and durable

28) To prevent in-flight tampering, all requests sent with API keys over REST or Query API should be sent over HTTPS connection.
True

29) The AMI ID used in an Auto Scaling policy is configured in the _______.
Launch configuration

30) You’re building out an application on AWS that is running within a single region. However, you’re designing with disaster recovery in mind. Your intention is to build the application so that if the current region becomes unavailable, you can failover to another region. Part of your application relies heavily on pre-built AMIs. In order to share those AMIs with the region you’re using as a backup, what process would you take?
Copy the AMI from the current region to another region, modify the Auto Scaling groups in the backup region to use the new AMI ID in the backup region

31) Your company is posting a big article on the front page of your website tomorrow. It is expected that the demand could potentially overwhelm your infrastructure. In the event of a load failure, how can you set up DNS failover to a static website?
Use Route 53 and the failover option to failover to a static S3 website bucket or CloudFront distribution in the event of an issue

32) After migrating an application architecture from on-premise to AWS you will not be responsible for the ongoing maintenance of packages for the following AWS services that your application uses:
RDS, DynamoDB

33) Your supervisor asks you to create a decoupled application whose process includes dependencies on EC2 instances and servers located in your company’s on-premises datacenter. Which of these are you least likely to recommend as part of that process?
SQS polling from an EC2 instance using IAM user credentials

Explanation
An EC2 IAM role should be used when deploying EC2 instances to grant permissions rather than storing IAM user credentials in EC2 instances

34) You have been told that you need to set up a bastion host by your manager in the cheapest, most secure way, and that you should be the only person that can access it via SSH. Which of the following setups would satisfy your manager’s request?
A small EC2 instance and a security group which only allows access on port 22 via your IP address

35) Which of the following relational database servers are available on Amazon RDS?
Aurora , MariaDB, MySQL

36) If your organization is concerned about storing sensitive data in the cloud, you should _______.
Encrypt the file system on an EBS volume using Linux tools, Enable EBS Encryption, Enable S3 Encryption

37) Your supervisor asks you to create a highly available website which serves static content from EC2 instances. Which of the following is not a requirement to accomplish this goal?
An SQS queue

Explanation
While an SQS queue can be an important part of a multi-step decoupled web application, it is not necessary to host a highly available static website on EC2. An auto scaling group configured to deploy EC2 instances in multiple subnets located in multiple availability zones allows an application to remain online despite an instance or AZ failure.

38) Your company wants to backup the onsite file server to AWS but does not want to serve the files from S3 to your office network when files need accessed. Which service and setup would you use to accomplish this task?
Use Amazon Storage Gateway and gateway-stored volumes to store the data locally and asynchronously backup point-in-time snapshots to S3

39) Which of the following services allow the administrator access to the underlying operating system?
Amazon EC2, Amazon EMR

40) Amazon SQS (Simple Queue Service) guarantees delivery of AT LEAST 1 message but cannot guarantee it will not create duplicates.
True

41) You are the system administrator for your company’s AWS account of approximately 200 IAM users. A new company policy has just been introduced that will change the access of 50 of the IAM users to have unlimited access to S3 buckets. How can you implement this effectively so that there is no need to apply the policy at the individual user level?
Use the IAM groups and add users, based upon their role, to different groups and apply the policy to group

42) Your AWS environment contains several reserved EC2 instances dedicated to a project that has just been cancelled. Your supervisor would like to recuperate cost for these reserved instances, but also does not want to lose the data just yet in case the project is revived next fiscal year. What can you do to minimize charges for these instances?
Take snapshots of the EBS volumes and terminate the instances, Sell the instances on the AWS Reserved Instance Marketplace

Explanation
For a reserved instance that will not be needed for a long time (or maybe ever,) the best way to recuperate cost is to preserve the instance’s data via snapshot, then sell the reserved instance. If the instance is required in the future, you can deploy a new instance using an EBS volume built from the snapshot you took of the original volume.

43) You recently purchased four reserved EC2 instances in the US-East-1 region’s Availability Zone 1. Your supervisor just informed you that she would like the instances distributed equally across US-East-1 region Availability Zones 1 and 2. Can you use the reserved instances you just purchased to deploy EC2 instances in Availability Zone 2?
Yes, you can migrate the reserved instances to Availability Zone 2

Explanation
After recent AWS updates you can now migrate reserved instances without having to sell and repurchase.

44) Your organization has been using a HSM (Hardware Security Module) for secure key storage. It is only used for generating keys for your EC2 instances. Unfortunately, the HSM has been zeroized after someone attempted to log in as the administrator three times using an invalid password. This means that the encryption keys on it have been wiped. You did not have a copy of the keys stored anywhere else. How can you obtain a new copy of the keys that you had stored on HSM?
You cannot; the keys are lost if you did not have a copy.

45) Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.
True

46) You manage a web application on EC2 instances. Your website occasionally experiences brief but large spikes in traffic that cause your EC2 instances’ resources to become overwhelmed and the application to freeze up and lose recently-submitted requests from end users. You use Auto Scaling to deploy additional resources to handle the load during spikes, but the new instances do not deploy fast enough to prevent the existing application servers from freezing. Assuming you cannot find a pattern to when these spikes occur, which of the following is likely to provide the most cost-effective solution to avoid losing recently submitted requests?
Use an SQS queue to decouple the application components

Explanation
Because of the infrequency of the spikes in traffic, keeping extra EC2 resources always deployed is not cost-effective. Pre-warming is a process used when you are anticipating a spike in demand, but in this case, the spikes are unpredictable. The use of an SQS queue allows submitted requests to be retained as messages in the SQS queue until the application resumes normal operation and can process the requests.

47) When reviewing the Auto Scaling events, it is noticed that an application is scaling up and down multiple times within the hour. What design change could you make to optimize cost while preserving elasticity?
Change the scale down CloudWatch metric to a higher threshold

48) While implementing a disaster recovery strategy in another region, you are attempting to move the data from one EBS volume to another in a separate region. What is the best way to do this? Keep in mind this is not a live production replication copy.
Take a snapshot of the EBS volume and copy it to the desired region

49) Your application’s usage peaks at 90% during the hours of 9 AM and 10 AM everyday. All other hours require only 10% of the peak resources. What is the best way to scale your application so you’re only paying for max resources during peak hours?
Proactive Cycle Scaling

50) You can deny the AWS root account to EC2 instances via IAM policy.
False

51) You are designing a global application that takes advantage of multiple regions. As part of your application, the need to synchronize from one region to another is required to ensure your application is serving the same data when employing latency-based Route 53 DNS records. To ensure this happens, you have determined that using the AWS CLI to sync files from the primary storage servers to S3 is the best method. How might you implement AWS CLI authentication against the S3 service?
Create an EC2 IAM role and assign it to each EC2 instance that utilizes the AWS CLI to sync the data

52) You create an SQS queue and decide to test it out by creating a simple application which looks for messages in the queue. When a message is retrieved, the application is supposed to delete the message. You create three test messages in your SQS queue and discover that messages 1 and 3 are quickly deleted but message 2 remains in the queue. What is a possible cause for this behavior?
The order that messages are received in is not guaranteed in SQS, Your application is using short polling

Explanation
Short polling does not query all the servers that the SQS messages can reside on, so multiple queries of the queue may be needed to retrieve all messages in the queue.

53) While running an EC2 instance, you’ve been storing data on one of the instance’s volumes. However, to save money, you shut down the instance for the weekend. The following week, after starting the instance, you notice that all your work has been lost and is no longer available on the EC2 instance. What might be the cause of this?
The EC2 instance was using instance store volumes, which are ephemeral and only live for the life of the instance

54) Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.
True

55) Which region ID is the US Standard region?
us-east-1

56) To maintain compliance with HIPPA laws, all data being backed up or stored on Amazon S3 needs to be encrypted at rest. What is the best method for encryption for your data, assuming S3 is being used for storing the healthcare-related data?
Enable SSE on an S3 bucket to make use of AES-256 encryption , Encrypt the data locally using your own encryption keys, then copy the data to Amazon S3 over HTTPS endpoints

57) A colleague would like a new subnet configured in AWS for a database cluster she is building. She expects that the subnet will never need more than six IP addresses. Which of the following will likely be the most appropriate choice for this subnet?
A /28 private subnet

Explanation
Databases generally do not require public access from the Internet, so a private subnet is likely the better choice from a security perspective. /28 is the smallest possible subnet in an AWS VPC.

58) You manage an application that uses EC2 instances and SQS to process requests from end users. Your application is working great, but your supervisor is concerned about the cost of the AWS resources it uses. Which of the following would not help address that concern?
Increase the visibility timeout for messages in the SQS queue

59) An AWS VPC (Virtual Private Cloud) allows you to _______.
Connect your cloud resources to your own encrypted IPSec VPN connections

60) Which of the following will occur when an EC2 instance in a VPC with an associated Elastic IP is stopped and started?
All data on instance-store devices will be lost, The underlying host for the instance can be changed

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s