A web application is hosted on AWS using an Elastic Load Balancer, multiple Amazon EC2 instances, and Amazon RDS.
Which security measures fall under the responsibility of AWS? (Select TWO.)
- A . Running a virus scan on EC2 instances
- B . Protecting against IP spoofing and packet sniffing
- C . Installing the latest security patches on the RDS instance
- D . Encrypting communication between the EC2 instances and the Elastic Load Balancer
- E . Configuring a security group and a network access control list (NACL) for EC2 instances
A company discovered unauthorized access to resources in its on-premises data center. Upon investigation, the company found that the requests originated from a resource hosted on AWS.
Which AWS team should the company contact to report this issue?
- A . AWS Customer Service team
- B . AWS Sales team
- C . AWS Abuse team
- D . AWS Technical Support team
Which AWS service enables the decoupling and scaling of applications?
- A . Amazon Simple Queue Service (Amazon SQS)
- B . AWS Outposts
- C . Amazon S3
- D . Amazon Simple Email Service (Amazon SES)
A
Explanation:
Amazon Simple Queue Service (SQS) is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications.
A company is using an Amazon RDS database to run reports that are input/output (I/O) intensive.
Which AWS service can be used to improve the database performance?
- A . Amazon DynamoDB Accelerator (DAX)
- B . Amazon EMR
- C . Amazon ElastiCache
- D . Amazon Redshift
A company needs an AWS Support plan that provides programmatic case management through the AWS Support API.
Which support plan will meet this requirement MOST cost-effectively?
- A . AWS Business Support
- B . AWS Basic Support
- C . AWS Developer Support
- D . AWS Enterprise Support
Which AWS benefit enables users to deploy cloud infrastructure that consists of multiple geographic regions connected by a network with low latency, high throughput, and redundancy?
- A . Economies of scale
- B . Security
- C . Elasticity
- D . Global reach
D
Explanation:
The AWS Global Cloud Infrastructure is the most secure, extensive, and reliable cloud platform, offering over 200 fully featured services from data centers globally. Whether you need to deploy your application workloads across the globe in a single click, or you want to build and deploy specific applications closer to your end-users with single-digit millisecond latency, AWS provides you the cloud infrastructure where and when you need it.
A company needs to process data from satellite communications without managing any infrastructure.
Which AWS service should the company use to meet these requirements?
- A . Amazon CloudWatch
- B . Amazon Aurora
- C . Amazon Athena
- D . AWS Ground Station
D
Explanation:
AWS Ground Station is a fully managed service that lets you control satellite communications, process data, and scale your operations without having to worry about building or managing your own ground station infrastructure. Satellites are used for a wide variety of use cases, including weather forecasting, surface imaging, communications, and video broadcasts. Ground stations form the core of global satellite networks. With AWS Ground Station, you have direct access to AWS services and the AWS Global Infrastructure including a low-latency global fiber network. For example, you can use Amazon S3 to store the downloaded data, Amazon Kinesis Data Streams for managing data ingestion from satellites, and Amazon SageMaker for building custom machine learning applications that apply to your data sets. You can save up to 80% on the cost of your ground station operations by paying only for the actual antenna time used, and relying on the global footprint of ground stations to download data when and where you need it. There are no long-term commitments, and you gain the ability to rapidly scale your satellite communications on-demand when your business needs it.
Which of the following are characteristics of a serverless application that runs in the AWS Cloud? (Select TWO.)
- A . Users must manually configure Amazon EC2 instances.
- B . Users have a choice of operating systems.
- C . The application has built-in fault tolerance.
- D . Users can run Amazon EC2 Spot Instances.
- E . The application can scale based on demand.
Which AWS service or feature enables users to block the incoming or outgoing traffic associated with specific IP addresses flowing through a VPC?
- A . Network ACLs
- B . Security groups
- C . AWS Identity and Access Management (1AM)
- D . AWS WAF
A
Explanation:
To allow or block specific IP addresses for your EC2 instances, use a network Access Control List (ACL) or security group rules in your VPC. Network ACLs and security group rules act as firewalls allowing or blocking IP addresses from accessing your resources
Which AWS service allows for file sharing between multiple Amazon EC2 instances?
- A . AWS Direct Connect
- B . AWS Snowball Edge
- C . AWS Backup
- D . Amazon Elastic File System (Amazon EFS)
D
Explanation:
Amazon EFS provides shared file storage for use with compute instances in the AWS Cloud and on-premises servers. Applications that require shared file access can use Amazon EFS for reliable file storage delivering high aggregate throughput to thousands of clients simultaneously.
Which AWS service offers threat detection and continuously monitors for malicious activity and unauthorized behavior in AWS accounts?
- A . Amazon Made
- B . AWS Config
- C . Amazon GuardDuty
- D . Amazon Inspector
A company wants to improve the overall availability and performance of its applications that are hosted on AWS.
Which AWS service should the company use?
- A . Amazon Connect
- B . Amazon Lightsail
- C . AWS Global Accelerator
- D . AWS Storage Gateway
A company’s on-premises application deployment cycle was 3-4 weeks. After migrating to the AWS Cloud, the company can deploy the application in 2-3 days.
Which benefit has this company experienced by moving to the AWS Cloud?
- A . Elasticity
- B . Flexibility
- C . Agility
- D . Resilience
C
Explanation:
https://docs.aws.amazon.com/whitepapers/latest/aws-overview/six-advantages-of-cloud-computing.html
Which AWS service provides alerts when an AWS event may impact a company’s AWS resources?
- A . AWS Personal Health Dashboard
- B . AWS Service Health Dashboard
- C . AWS Trusted Advisor
- D . AWS Infrastructure Event Management
A company needs to audit its AWS resources. The company must document any changes that have been made to the resources.
Which AWS service will meet these requirements?
- A . AWS Artifact
- B . AWS Config
- C . Amazon Inspector
- D . Amazon CloudWatch
A company needs to run an application on Amazon EC2 instances. The instances cannot be interrupted at any time. The company needs an instance purch asing option that requires no long-term commitment or upfront payment.
Which instance purchasing option will meet these requirements MOST cost-effectively?
- A . On-Demand Instances
- B . Spot Instances
- C . Dedicated Hosts
- D . Reserved Instances
Which of the following are AWS compute services? (Select TWO.)
- A . Amazon Lightsail
- B . AWS Systems Manager
- C . AWS CloudFormation
- D . AWS Batch
- E . Amazon Inspector
A,D
Explanation:
Amazon Lightsail is designed to be the easiest way to launch and manage a virtual private server with AWS. Lightsail plans include everything you need to jumpstart your project C a virtual machine, SSD-based storage, data transfer, DNS management, and a static IP address C for a low, predictable price.
AWS Batch enables developers, scientists, and engineers to easily and efficiently run hundreds of thousands of batch computing jobs on AWS. AWS Batch dynamically provisions the optimal quantity and type of compute resources (e.g., CPU or memory-optimized instances) based on the volume and specific resource requirements of the batch jobs submitted. With AWS Batch, there is no need to install and manage batch computing software or server clusters that you use to run your jobs, allowing you to focus on analyzing results and solving problems. AWS Batch plans, schedules, and runs your batch computing workloads across the full range of AWS compute services and features, such as Amazon EC2 and Spot Instances.
Which AWS service can be used to provide an on-demand, cloud-based contact center?
- A . AWS Direct Connect
- B . Amazon Connect
- C . AWS Support Center
- D . AWS Managed Services
B
Explanation:
https://aws.amazon.com/connect/
A company wants a cost-effective option when running its applications in an Amazon EC2 instance for short time periods. The applications can be interrupted.
Which EC2 instance type will meet these requirements?
- A . Spot Instances
- B . On-Demand Instances
- C . Reserved Instances
- D . Dedicated Instances
A
Explanation:
Spot Instances – Spot Instances are the most cost-effective choice if you are flexible about when your applications run and if your applications can be interrupted.
Which AWS service or tool lists all the users in an account and reports on the status of account details, including passwords, access keys, and multi-factor authentication (MFA) devices?
- A . WS Shield
- B . AWS Trusted Advisor
- C . Amazon Inspector
- D . IAM credential report
D
Explanation:
You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the AWS Management Console, the AWS SDKs and Command Line Tools , or the IAM API.
A company plans to launch an application that will run in multiple locations within the United States. The company needs to identify the two AWS Regions where the application can operate at the lowest price.
Which AWS service or feature should the company use to determine the Regions that offer the lowest price?
- A . Cost Explorer
- B . AWS Budgets
- C . AWS Trusted Advisor
- D . AWS Pricing Calculator
D
Explanation:
https://aws.amazon.com/premiumsupport/technology/trusted-advisor/
A company stores configuration files in an Amazon S3 bucket. These configuration files must be accessed by applications that are running on Amazon EC2 instances.
According to AWS security best practices, how should the company grant permissions to allow the applications to access the S3 bucket?
- A . Use the AWS account root user access keys.
- B . Use the AWS access key ID and the EC2 secret access key.
- C . Use an IAM role with the necessary permissions.
- D . Activate multi-factor authentication (MFA) and versioning on the S3 bucket.
Which of the following is an AWS Well-Architected Framework design principle for operational excellence in the AWS Cloud?
- A . Go global in minutes.
- B . Make frequent, small, reversible changes.
- C . Implement a strong foundation of identity and access management.
- D . Stop spending money on hardware infrastructure for data center operations.
B
Explanation:
Table
Description automatically generated
A company needs steady and predictable performance from its Amazon EC2 instances at the lowest possible cost. The company also needs the ability to scale resources to ensure that it has the right resources available at the right time.
Which AWS service or resource will meet these requirements?
- A . Amazon CloudWatch
- B . Application Load Balancer
- C . AWS Batch
- D . Amazon EC2 Auto Scaling
D
Explanation:
AWS Auto Scaling monitors your applications and automatically adjusts capacity to maintain steady, predictable performance at the lowest possible cost.
A company needs a centralized, secure way to create and manage cryptographic keys. The company will use the keys across a wide range of AWS services and applications. The company needs to track and document when the keys are created, used, and deleted.
Which AWS service or feature will meet these requirements?
- A . AWS Secrets Manager
- B . AWS License Manager
- C . AWS Systems Manager Parameter Store
- D . AWS Key Management Service (AWS KMS)
D
Explanation:
AWS Key Management Service (AWS KMS) makes it easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications. AWS KMS is a secure and resilient service that uses hardware security modules that have been validated under FIPS 140-2, or are in the process of being validated, to protect your keys. AWS KMS is integrated with AWS CloudTrail to provide you with logs of all key usage to help meet your regulatory and compliance needs.
A company runs applications that process credit card information. Auditors have asked if the AWS environment has changed since the previous audit. If the AWS environment has changed, the auditors want to know how it has changed.
Which AWS services can provide this information? (Select TWO.)
- A . AWS Artifact
- B . AWS Trusted Advisor
- C . AWS Config
- D . AWS Cloud Trail
- E . AWS Identity and Access Management (IAM)
C,D
Explanation:
AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and compliance reports and select online agreements.
AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas.
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations.
AWS CloudTrail enables auditing, security monitoring, and operational troubleshooting by tracking user activity and API usage. CloudTrail logs, continuously monitors, and retains account activity related to actions across your AWS infrastructure, giving you control over storage, analysis, and remediation actions.
AWS Identity and Access Management (IAM) provides fine-grained access control across all of AWS. With IAM, you can specify who can access which services and resources, and under which conditions. With IAM policies, you manage permissions to your workforce and systems to ensure least-privilege permissions.
Which of the following is a way to use Amazon EC2 Auto Scaling groups to scale capacity in the AWS Cloud?
- A . Scale the number of EC2 instances in or out automatically, based on demand.
- B . Use serverless EC2 instances.
- C . Scale the size of EC2 instances up or down automatically, based on demand.
- D . Transfer unused CPU resources between EC2 instances.
A company manages global applications that require static IP addresses.
Which AWS service would enable the company to improve the availability and performance of its applications?
- A . Amazon CloudFront
- B . AWS Global Accelerator
- C . Amazon S3 Transfer Acceleration
- D . Amazon API Gateway
B
Explanation:
AWS Global Accelerator provides you with a set of static IP addresses that can map to multiple application endpoints across AWS Regions, to improve redundancy.
Which action will provide documentation to help a company evaluate whether its use of the AWS Cloud is compliant with local regulatory standards?
- A . Running Amazon GuardDuty
- B . Using AWS Artifact
- C . Creating an AWS Support ticket
- D . AWS Cloud Trail logs
Which Amazon S3 feature or storage class uses the AWS backbone network and edge locations to reduce latencies from the end user to Amazon S3?
- A . S3 Cross-Region Replication
- B . S3 Transfer Acceleration
- C . S3 Event Notifications
- D . S3 Standard-Infrequent Access (S3 Standard-IA)
B
Explanation:
S3TA improves transfer performance by routing traffic through Amazon CloudFront’s globally distributed Edge Locations and over AWS backbone networks, and by using network protocol optimizations.
A company needs to design an AWS disaster recovery plan to cover multiple geographic areas.
Which action will meet this requirement?
- A . Configure multiple AWS accounts.
- B . Configure the architecture across multiple Availability Zones in an AWS Region.
- C . Configure the architecture across multiple AWS Regions.
- D . Configure the architecture among many edge locations.
Which AWS service or feature enables users to get one bill and easily track charges for multiple AWS accounts?
- A . AWS Organizations
- B . Cost Explorer
- C . AWS Trusted Advisor
- D . AWS Management Console
A
Explanation:
You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services Pvt. Ltd (AISPL) accounts. Every organization in AWS Organizations has a management account that pays the charges of all the member accounts.
Which controls are shared under the AWS shared responsibility model? (Select TWO.)
- A . Awareness and training
- B . Patching of Amazon RDS
- C . Configuration management
- D . Physical and environmental controls
- E . Service and communications protection or security
A,C
Explanation:
In the AWS shared security model, a shared control, AWS provides the requirements for the infrastructure and the customer must provide their own control implementation within their use of AWS services.
Examples of shared controls include:
* Patch Management C AWS is responsible for patching and fixing flaws within the infrastructure, but customers are responsible for patching their guest OS and applications.
* Configuration Management C AWS maintains the configuration of its infrastructure devices, but a customer is responsible for configuring their own guest operating systems, databases, and applications.
* Awareness & Training C AWS trains AWS employees, but a customer must train their own employees.
Customer Specific C Controls which are solely the responsibility of the customer based on the application they are deploying within AWS services. Examples of customer specific controls include:
* Service and Communications Protection or Zone Security which may require a customer to route or zone data within specific security environments.
Which Reserved Instance (Rl) provides the HIGHEST average cost savings compared to an On-Demand Instance?
- A . 1-year. No Upfront. Standard Rl
- B . 1-year. All Upfront. Convertible Rl
- C . 3-year. All Upfront, Standard Rl
- D . 3-year. No Upfront. Convertible Rl
C
Explanation:
https://aws.amazon.com/ec2/pricing/reserved-instances/pricing/
A company is running an Amazon EC2 instance in a VPC.
Which of the following can the company use to route and filter incoming network requests for the EC2 instance?
- A . Route tables and web application firewalls
- B . Security groups and route tables
- C . Security groups and a network intrusion system
- D . Route tables and AWS Shield
Which tasks are responsibilities of AWS, according to the AWS shared responsibility model? (Select TWO.)
- A . Encrypt client-side data and authenticate data integrity.
- B . Manage customer data.
- C . Perform identity and access management.
- D . Provide physical security for Availability Zones.
- E . Patch the operating system of Amazon S3
A company is considering a migration from on premises to the AWS Cloud. The company’s IT team needs to offload support of the workload.
What should the IT team do to accomplish this goal?
- A . Use AWS Managed Services to provision, run, and support the company infrastructure.
- B . Build hardware refreshes into the operational calendar to ensure availability.
- C . Use Amazon Elastic Container Service (Amazon ECS) on Amazon EC2 instances.
- D . Overprovision compute capacity for seasonal events and traffic spikes to prevent downtime.
A user is a new AWS account owner who has no special access requirements.
What should this user do with the AWS account root user access keys?
- A . Share the keys with all relevant internal users so that those users can programmatically access AWS services.
- B . Post the keys on GitHub to provide development teams with access to AWS services.
- C . Use the keys for access, but do not share the keys with anyone.
- D . Delete the keys and create IAM users.
Which of the following are advantages of the AWS Cloud? (Select TWO.)
- A . AWS management of user-owned infrastructure
- B . Ability to quickly change required capacity
- C . High economies of scale
- D . Increased deployment time to market
- E . Increased fixed expenses
A company wants to secure its consumer web application by using SSL/TLS to encrypt traffic.
Which AWS service can the company use to meet this goal?
- A . AWS WAF
- B . AWS Shield
- C . Amazon VPC
- D . AWS Certificate Manager (ACM)
D
Explanation:
To enable HTTPS connections to your website or application in AWS, you need an SSL/TLS server certificate. For certificates in a Region supported by AWS Certificate Manager (ACM), we recommend that you use ACM to provision, manage, and deploy your server certificates.
Which AWS services provide high availability across multiple Availability Zones by default? (Select TWO.)
- A . Amazon EC2
- B . Amazon Elastic Block Store (Amazon EBS)
- C . Amazon Elastic File System (Amazon EFS)
- D . Amazon Redshift
- E . Amazon S3
A company needs to deploy an Amazon EC2 instance and attach a storage mount for the operating system and application files.
Which AWS service will meet these requirements?
- A . AWS Backup
- B . Amazon Elastic File System (Amazon EFS)
- C . Amazon S3
- D . Amazon Elastic Block Store (Amazon EBS)
Which of the following describes AWS Local Zones?
- A . A cluster of data centers in one geographic location
- B . A site used by Amazon CloudFront to cache frequently accessed content
- C . An extension of an A WS Region to more granular locations
- D . One or more data centers with redundant power and networking
C
Explanation:
AWS Local Zones are a type of AWS infrastructure deployment that place compute, storage, database, and other select services closer to large population, industry, and IT centers, enabling you to deliver applications that require single-digit millisecond latency to end-users.
A company is reviewing the current costs of running its own infrastructure on premises. The
company wants to compare these on-premises costs to the costs of running infrastructure in the AWS Cloud.
How should the company make this comparison?
- A . Review the AWS shared responsibility model.
- B . Audit existing software and hardware licensing costs.
- C . Analyze the AWS Well-Architected Framework.
- D . Use Migration Evaluator.
A company is moving its virtual machines (VMs) from an on-premises environment to the AWS Cloud. The company plans to deploy Amazon EC2 instances.
Which cloud computing model will the company use in this scenario?
- A . Platform as a service (PaaS)
- B . Infrastructure as a service (laaS)
- C . Function as a service (FaaS)
- D . Software as a service (SaaS)
What is a benefit of using AWS serverless computing?
- A . Application deployment and management are not required.
- B . Application security will be fully managed by AWS.
- C . Monitoring and logging are not needed.
- D . Management of infrastructure is offloaded to AWS.
D
Explanation:
Serverless computing allows you to build and run applications and services without thinking about servers. With serverless computing, your application still runs on servers, but all the server management is done by AWS.
According to the AWS shared responsibility model, which activities are the customer’s responsibility for security in the AWS Cloud? (Select TWO.)
- A . Hardware maintenance
- B . Amazon EC2 operating system patching
- C . API access control for AWS resources
- D . Configuration management of infrastructure devices
- E . Maintenance of an Availability Zone
Which of the following is an AWS key-value database offering consistent single-digit millisecond performance at any scale?
- A . Amazon RDS
- B . Amazon Aurora
- C . Amazon DynamoDB
- D . Amazon Redshift
C
Explanation:
Amazon DynamoDB is designed to provide consistent single-digit millisecond latency for any scale of workloads. This consistent performance is a big part of why the Snapchat Stories feature, which includes Snapchat’s largest storage write workload, moved to DynamoDB.
What is a benefit of moving to the AWS Cloud in terms of improving time to market?
- A . Decreased deployment speed
- B . Increased application security
- C . Increased business agility
- D . Increased backup capabilities
A company wants to use a template to reliably provision, manage, and update its infrastructure in the AWS Cloud.
Which AWS service will meet these requirements?
- A . AWS Lambda
- B . AWS CloudFormation
- C . AWS Fargate
- D . AWS CodeDeploy
A company needs to report on events that involve the specific AWS services that the company uses.
Which AWS service or resource can the company use with Amazon CloudWatch to meet this requirement?
- A . Amazon Inspector
- B . AWS Personal Health Dashboard
- C . AWS Trusted Advisor
- D . AWS Cloud Trail logs
Which characteristic of the AWS Cloud helps users eliminate underutilized CPU capacity?
- A . Agility
- B . Elasticity
- C . Reliability
- D . Durability
A company has a global website with static content.
Which AWS service will deliver the static content with low latency?
- A . AWS Lambda
- B . Amazon CloudFront
- C . Amazon EC2 Auto Scaling
- D . AWS Compute Optimizer
Which AWS service decouples application components so that the components run independently?
- A . Amazon Simple Notification Service (Amazon SNS)
- B . Amazon Simple Workflow Service (Amazon SWF)
- C . AWS Glue
- D . Amazon Simple Queue Service (Amazon SQS)
D
Explanation:
Amazon SQS is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS lets you decouple application components so that they run and fail independently, increasing the overall fault tolerance of the system.
Which databases are available on Amazon RDS? (Select TWO.)
- A . Sybase
- B . Microsoft SQL Server
- C . IBM Db2
- D . MongoDB
- E . PostgreSQL
Which pillar of the AWS Well-Architected Framework includes the continual improvement of processes and procedures as a priority?
- A . Cost optimization
- B . Reliability
- C . Performance efficiency
- D . Operational excellence
A company is running and managing its own Docker environment on Amazon EC2 instances. The company wants an alternative to help manage cluster size, scheduling, and environment maintenance.
Which AWS service meets these requirements?
- A . AWS Lambda
- B . Amazon RDS
- C . AWS Fargate
- D . Amazon Athena
Which tasks require use of the AWS account root user? (Select TWO.)
- A . Changing an AWS Support plan
- B . Modifying an Amazon EC2 instance type
- C . Grouping resources in AWS Systems Manager
- D . Running applications in Amazon Elastic Kubernetes Service (Amazon EKS)
- E . Closing an AWS account
Which AWS service should a company use to create a NoSQL database?
- A . Amazon Aurora
- B . Amazon DynamoDB
- C . Amazon Redshift
- D . Amazon Neptune
Which task can a company complete by using AWS Organizations?
- A . Track application deployment statuses globally.
- B . Remove unused and underutilized AWS resources across all accounts.
- C . Activate DDoS protection across all accounts.
- D . Share pre-purchased Amazon EC2 resources across accounts.
D
Explanation:
Using AWS Organizations, you can programmatically create new AWS accounts and allocate resources, group accounts to organize your workflows, apply policies to accounts or groups for governance, and simplify billing by using a single payment method for all of your accounts.
Elasticity in the AWS Cloud refers to which of the following? (Select TWO.)
- A . How quickly an Amazon EC2 instance can be restarted
- B . The ability to right size resources as demand shifts
- C . The maximum amount of RAM an Amazon EC2 instance can use
- D . The pay-as-you-go billing model
- E . How easily resources can be procured when they are needed
B,E
Explanation:
The AWS Well-Architected Framework defines elasticity as: The ability to acquire resources as you need them and release resources when you no longer need them. In the cloud, you want to do this automatically https://dev.to/aws-builders/what-does-elastic-mean-cloud-concepts-explained-4anb#:~:text=The%20AWS%20Well%2DArchitected%20Framework%20defines%20elasticity%20as%3A,want%20to%20do%20this%20automatically.
Which of the following are AWS best practice recommendations for the use of AWS Identity and Access Management (IAM)? (Select TWO.)
- A . Use the AWS account root user for daily access.
- B . Use access keys and secret access keys on Amazon EC2.
- C . Rotate credentials on a regular basis.
- D . Create a shared set of access keys for system administrators.
- E . Configure multi-factor authentication (MFA).
C,E
Explanation:
If you do have an access key for your AWS account root user, delete it. If you must keep it, rotate (change) the access key regularly. To delete or rotate your root user access keys, go to the My Security Credentials page in the AWS Management Console and sign in with your account’s email address and password. You can manage your access keys in the Access keys section. For more information about rotating access keys, see Rotating access keys.
A company runs a web application on Amazon EC2 instances. The application must run constantly and is expected to run indefinitely without interruption.
Which EC2 instance purchasing options will meet these requirements MOST cost-effectively? (Select TWO.)
- A . On-Demand Instances
- B . Spot Instances.
- C . Reserved Instances
- D . Savings Plans
- E . Dedicated Hosts
C,D
Explanation:
Amazon EC2 provides the following purchasing options to enable you to optimize your costs based on your needs:
*On-Demand Instances C Pay, by the second, for the instances that you launch.
*Savings Plans C Reduce your Amazon EC2 costs by making a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years.
*Reserved Instances C Reduce your Amazon EC2 costs by making a commitment to a consistent instance configuration, including instance type and Region, for a term of 1 or 3 years.
*Spot Instances C Request unused EC2 instances, which can reduce your Amazon EC2 costs significantly.
*Dedicated Hosts C Pay for a physical host that is fully dedicated to running your instances, and bring your existing per-socket, per-core, or per-VM software licenses to reduce costs. *Dedicated Instances C Pay, by the hour, for instances that run on single-tenant hardware. *Capacity Reservations C Reserve capacity for your EC2 instances in a specific Availability Zone for any duration.
If you require a capacity reservation, purchase Reserved Instances or Capacity Reservations for a specific Availability Zone. Spot Instances are a cost-effective choice if you can be flexible about when your applications run and if they can be interrupted. Dedicated Hosts or Dedicated Instances can help you address compliance requirements and reduce costs by using your existing server-bound software licenses.
A company is moving its office and must establish an encrypted connection to AWS.
Which AWS service will help meet this requirement?
- A . AWS VPN
- B . Amazon Route 53
- C . Amazon API Gateway
- D . Amazon Connect
Which AWS service provides an isolated virtual network to connect AWS services and resources?
- A . Amazon EC2
- B . Amazon DynamoDB
- C . Amazon Lightsail
- D . Amazon VPC
D
Explanation:
Amazon Virtual Private Cloud (Amazon VPC) enables you to launch AWS resources into a virtual network that you’ve defined. This virtual network closely resembles a traditional network that you’d operate in your own data center, with the benefits of using the scalable infrastructure of AWS.
Who can create and manage access keys for an AWS account root user?
- A . The AWS account owner
- B . An IAM user that has administrator permissions
- C . IAM users within a designated group
- D . An IAM user that has the required role
A
Explanation:
Anyone who has root user credentials for your AWS account has unrestricted access to all the resources in your account, including billing information. When you create access keys, you create the access key ID and secret access key as a set.
Which approach will enhance a user’s security on AWS?
- A . Use Multi-AZ deployments with Amazon RDS.
- B . Create a hybrid architecture by using AWS Direct Connect.
- C . Monitor application-specific information with AWS X-Ray.
- D . Encrypt data by using AWS Key Management Service (AWS KMS).
Which service is an AWS in-memory data store service?
- A . Amazon Aurora
- B . Amazon RDS
- C . Amazon DynamoDB
- D . Amazon ElastiCache
A company wants to expand from one AWS Region into a second AWS Region.
What does the company need to do to expand into the second Region?
- A . Contact an AWS account manager to sign a new contract.
- B . Move an Availability Zone to the second Region.
- C . Begin to deploy resources in the second Region.
- D . Download the AWS Management Console for the second Region.
Which of the following are aspects of the AWS shared responsibility model? (Select TWO.)
- A . Configuration management of infrastructure devices is the customer’s responsibility.
- B . For Amazon S3, AWS operates the infrastructure layer, the operating systems, and the platforms.
- C . AWS is responsible for protecting the physical cloud infrastructure.
- D . AWS is responsible for training the customer’s employees on AWS products and services.
- E . For Amazon EC2, AWS is responsible for maintaining the guest operating system.
B,C
Explanation:
AWS responsibility “Security of the Cloud” – AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services.
Customer responsibility “Security in the Cloud” C Customer responsibility will be determined by the AWS Cloud services that a customer selects. This determines the amount of configuration work the customer must perform as part of their security responsibilities. For
example, a service such as Amazon Elastic Compute Cloud (Amazon EC2) is categorized as Infrastructure as a Service (IaaS) and, as such, requires the customer to perform all of the necessary security configuration and management tasks. Customers that deploy an Amazon EC2 instance are responsible for management of the guest operating system (including updates and security patches), any application software or utilities installed by the customer on the instances, and the configuration of the AWS-provided firewall (called a security group) on each instance. For abstracted services, such as Amazon S3 and Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and customers access the endpoints to store and retrieve data. Customers are responsible for managing their data (including encryption options), classifying their assets, and using IAM tools to apply the appropriate permissions.
Shared_Responsibility_Model_V2
What is the customer ALWAYS responsible for managing, according to the AWS shared responsibility model?
- A . Software licenses
- B . Networking
- C . Customer data
- D . Encryption keys
How does consolidated billing help reduce costs for a company that has multiple AWS accounts?
- A . It aggregates usage across accounts so that the company can reach volume discount thresholds sooner.
- B . It offers an additional 5% discount on purchases of All Upfront Reserved Instances.
- C . It provides a simplified billing invoice that the company can process more quickly than a standard invoice.
- D . It gives AWS resellers the ability to bill their customers for usage.
A
Explanation:
Consolidated billing for AWS Organizations
You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services Pvt. Ltd (AISPL) accounts. Every organization in AWS Organizations has a management account that pays the charges of all the member accounts. For more information about organizations, see the AWS Organizations User Guide. Consolidated billing has the following benefits:
*One bill C You get one bill for multiple accounts.
*Easy tracking C You can track the charges across multiple accounts and download the combined cost and usage data.
*Combined usage C You can combine the usage across all accounts in the organization to share the volume pricing discounts, Reserved Instance discounts, and Savings Plans. This can result in a lower charge for your project, department, or company than with individual standalone accounts. For more information, see Volume discounts. *No extra fee C Consolidated billing is offered at no additional cost.
Note:
The member account bills are for informational purpose only. The management account might reallocate the additional volume discounts, Reserved Instance, or Savings Plans discounts that your account receives.
If you have access to the management account, you can see a combined view of the AWS charges that the member accounts incur. You also can get a cost report for each member account.
AWS and AISPL accounts can’t be consolidated together. If your contact address is in
India, you can use AWS Organizations to consolidate AISPL accounts within your
organization.
Important
When a member account leaves an organization, the member account can no longer access Cost Explorer data that was generated when the account was in the organization. The data isn’t deleted, and the management account in the organization can still access
the data. If the member account rejoins the organization, the member account can access the data again.
A company wants to set up an entire development and continuous delivery toolchain for coding, building, testing, and deploying application code.
Which AWS service will meet these requirements?
- A . Amazon CodeGuru
- B . AWS CodeStar
- C . AWS CodeCommit
- D . AWS CodeDeploy
Which of the following describes some of the core functionality of Amazon S3?
- A . Amazon S3 is a high-performance block storage service that is designed for use with Amazon EC2
- B . Amazon S3 is an object storage service that provides high-level performance, security, scalability, and data availability.
- C . Amazon S3 is a fully managed, highly reliable, and scalable file storage system that is accessible over the industry-standard SMB protocol.
- D . Amazon S3 is a scalable, fully managed elastic NFS for use with AWS Cloud services and on-premises resources.
B
Explanation:
Amazon S3 is object storage built to store and retrieve any amount of data from anywhere. It’s a simple storage service that offers industry leading durability, availability, performance, security, and virtually unlimited scalability at very low costs.
A company plans to create a data lake that uses Amazon S3.
Which factor will have the MOST effect on cost?
- A . The selection of S3 storage tiers
- B . Charges to transfer existing data into Amazon S3
- C . The addition of S3 bucket policies
- D . S3 ingest fees for each request
What is an AWS Region?
- A . A broad set of global, cloud-based products that include compute, storage, and databases
- B . A physical location around the world where data centers are clustered
- C . One or more discrete data centers with redundant power, networking, and connectivity
- D . A service that developers use to build applications that deliver latencies of single-digit milliseconds to users
B
Explanation:
AWS has the concept of a Region, which is a physical location around the world where we cluster data centers. We call each group of logical data centers an Availability Zone. Each AWS Region consists of multiple, isolated, and physically separate AZs within a geographic area.
Which combination of steps will enable multi-factor authentication (MFA) on an AWS account? (Select TWO.)
- A . Contact AWS Support to initiate MFA activation.
- B . Activate AWS Shield on an MFA-compatible device.
- C . Acquire an MFA-compatible device.
- D . Activate the MFA device by using Amazon GuardDuty.
- E . Activate the MFA device in the IAM console or by using the AWS CLI.
CE
Explanation:
AWS Multi-Factor Authentication (MFA) is a simple best practice that adds
an extra layer of protection on top of your user name and password. With MFA enabled, when a user signs in to an AWS website, they will be prompted for their user name and password (the first factor―what they know), as well as for an authentication response from their AWS MFA device (the second factor―what they have). Taken together, these multiple factors provide increased security for your AWS account settings and resources.
A company has existing software licenses that it wants to bring to AWS, but the licensing model requires licensing physical cores.
How can the company meet this requirement in the AWS Cloud?
- A . Launch an Amazon EC2 instance with default tenancy.
- B . Launch an Amazon EC2 instance on a Dedicated Host.
- C . Create an On-Demand Capacity Reservation.
- D . Purchase Dedicated Reserved Instances.
A user has been granted permission to change their own IAM user password.
Which AWS services can the user use to change the password? (Select TWO.)
- A . AWS Command Line Interface (AWS CLI)
- B . AWS Key Management Service (AWS KMS)
- C . AWS Management Console
- D . AWS Resource Access Manager (AWS RAM)
- E . AWS Secrets Manager
Which task can a user complete by using AWS Identity and Access Management (IAM)?
- A . Validate JSON syntax from an application configuration file.
- B . Analyze logs from an Amazon API Gateway call.
- C . Filter traffic to or from an Amazon EC2 instance.
- D . Grant permissions to applications that run on Amazon EC2 instances.
D
Explanation:
AWS Identity and Access Management (IAM) is a web service for securely controlling access to AWS resources. It enables you to create and control services for user authentication or limit access to a certain set of people who use your AWS resources.
Which AWS service is a relational database compatible with MySQL and PostgreSQL?
- A . Amazon Redshift
- B . Amazon DynamoDB
- C . Amazon Aurora
- D . Amazon Neptune
Which of the following is the customer responsible for updating and patching, according to the AWS shared responsibility model?
- A . Amazon FSx for Windows File Server
- B . Amazon Workspaces virtual Windows desktop
- C . AWS Directory Service for Microsoft Active Directory
- D . Amazon RDS for Microsoft SQL Server
Which AWS service should a company use to decouple large monolithic applications into smaller microservices components?
- A . AWS Direct Connect
- B . Amazon Lightsail
- C . Amazon Simple Queue Service (Amazon SQS)
- D . Amazon CloudWatch
C
Explanation:
Amazon SQS is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications
A company needs real-time guidance to follow AWS best practices to save money, improve system performance, and close security gaps.
Which AWS service should the company use?
- A . Amazon GuardDuty
- B . AWS Trusted Advisor
- C . AWS Management Console
- D . AWS Systems Manager
B
Explanation:
AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks.
A company is planning to build a workload in the AWS Cloud. The company needs to estimate the costs of the network, compute, storage, and database for the workload.
Which AWS service or tool should the company use to generate this estimate?
- A . AWS Budgets
- B . AWS Organizations
- C . Cost Explorer
- D . AWS Pricing Calculator
D
Explanation:
To estimate a bill, use the AWS Pricing Calculator. Choose Create estimate, and then choose your planned resources by service.
Which service enables customers to audit API calls in their AWS accounts?
- A . AWS CloudTrail
- B . AWS Trusted Advisor
- C . Amazon Inspector
- D . AWS X-Ray
A
Explanation:
AWS Audit Manager is integrated with AWS CloudTrail, a service that provides a record of actions taken by a user, role, or an AWS service in Audit Manager. CloudTrail captures all API calls for Audit Manager as events.
Which of the following consists of one or more isolated data centers in the same regional area that are interconnected through low-latency networks?
- A . Availability Zone
- B . Edge location
- C . AWS Region
- D . Private networking
A developer is working on enhancing applications at AWS. The developer needs a service that can securely host GitHub-based code, repositories, and version controls.
Which AWS service should the developer use?
- A . AWS CodeStar
- B . Amazon CodeGuru
- C . AWS CodeCommit
- D . AWS CodePipeline
Which of the following are characteristics of AWS WAF? (Select TWO.)
- A . Acts as a firewall that controls inbound and outbound traffic between Amazon EC2 instances
- B . Acts as a firewall that controls inbound and outbound traffic between subnets
- C . Gives users the ability to block traffic that has specific HTTP headers
- D . Protects websites that are not hosted on AWS
- E . Scans Amazon EC2 instances for common vulnerabilities
B,C
Explanation:
AWS WAF lets you create rules to filter web traffic based on conditions that include IP addresses, HTTP headers and body, or custom URIs. This gives you an additional layer of protection from web attacks that attempt to exploit vulnerabilities in custom or third party web applications. In addition, AWS WAF makes it easy to create rules that block common web exploits like SQL injection and cross site scripting.
AWS WAF allows you to create a centralized set of rules that you can deploy across multiple websites. This means that in an environment with many websites and web applications you can create a single set of rules that you can reuse across applications rather than recreating that rule on every application you want to protect.
A company’s system administrator discovers that someone logged in to the company’s AWS account during the weekend and terminated an Amazon EC2 instance.
Which AWS service should the system administrator use to identify who made this change?
- A . Amazon Inspector
- B . Amazon Pinpoint
- C . AWS CloudTrail
- D . AWS Trusted Advisor
A company with AWS Enterprise Support needs help understanding its monthly AWS bill and wants to implement billing best practices.
Which AWS tool or resource is available to accomplish these goals?
- A . Resource tagging
- B . AWS Concierge Support team
- C . AWS Abuse team
- D . AWS Support
A company requires an isolated environment within AWS for security purposes.
Which action can be taken to accomplish this?
- A . Create a separate Availability Zone to host the resources.
- B . Create a separate VPC to host the resources.
- C . Create a placement group to host the resources.
- D . Create an AWS Direct Connect connection between the company and AWS.
B
Explanation:
Network isolation A virtual private cloud (VPC) is a virtual network in your own logically isolated area in the AWS Cloud. Use separate VPCs to isolate infrastructure by workload or organizational entity. A subnet is a range of IP addresses in a VPC. When you launch an instance, you launch it into a subnet in your VPC. Use subnets to isolate the tiers of your application (for example, web, application, and database) within a single VPC.
Use private subnets for your instances if they should not be accessed directly from the internet. To call the Amazon EC2 API from your VPC without sending traffic over the public internet, use AWS Private Link.
https://docs.aws.amazon.com/AWSEC2/latest/WindowsGuide/infrastructure-security.html
A company wants to migrate its on-premises Microsoft SQL Server database server to the AWS Cloud. The company has decided to use Amazon EC2 instances to run this database.
Which of the following is the company responsible for managing, according to the AWS shared responsibility model?
- A . EC2 hypervisor
- B . Security patching of the guest operating system
- C . Network connectivity of the host server
- D . Uptime service level agreement (SLA) for the EC2 instances
A company is undergoing a security audit. The audit includes security validation and compliance validation of the AWS infrastructure and services that the company uses. The auditor needs to locate compliance-related information and must download AWS security and compliance documents. These documents include the System and Organization Control (SOC) reports.
Which AWS service or group can provide these documents?
- A . AWS Abuse team
- B . AWS Artifact
- C . AWS Support
- D . AWS Config
B
Explanation:
• Portal that provides customers with on-demand access to AWS compliance documentation and AWS agreements • Artifact Reports – Allows you to download AWS security and compliance documents from third-party auditors, like AWS ISO certifications, Payment Card Industry (PCI), and System and Organization Control (SOC) reports
• Artifact Agreements – Allows you to review, accept, and track the status of AWS agreements such as the Business Associate Addendum (BAA) or the Health Insurance Portability and Accountability Act (HIPAA) for an individual account or in your organization • Can be used to support internal audit or compliance
A company is using AWS Lambda.
Which task is the company’s responsibility, according to the AWS shared responsibility model?
- A . Update the Lambda runtime language.
- B . Maintain the runtime environment.
- C . Maintain the networking infrastructure.
- D . Configure the resource.
D
Explanation:
https://aws.amazon.com/lambda/security-overview-of-aws-lambda/ When customers use AWS Lambda, AWS manages the underlying infrastructure and foundation services, the operating system, and the application platform. Customers themselves are responsible for the security of their code, the storage and accessibility of sensitive data, and identity and access management (IAM) to the Lambda service and within their function.
A system automatically recovers from failure when a company launches its workload on the AWS Cloud services platform.
Which pillar of the AWS Well-Architected Framework does this situation demonstrate?
- A . Reliability
- B . Cost optimization
- C . Performance efficiency
- D . Operational excellence.
A
Explanation:
https://aws.amazon.com/blogs/apn/the-6-pillars-of-the-aws-well-architected-framework/
Built around six pillars―operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability―AWS Well-Architected provides a consistent approach for customers and partners to evaluate architectures and implement scalable designs.
Reliability
The Reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it’s expected to. This includes the ability to operate and test the workload through its total lifecycle. You can find prescriptive guidance on implementation in the Reliability Pillar whitepaper.
A company wants to analyze streaming user data and respond to customer queries in real time.
Which AWS service can meet these requirements?
- A . Amazon QuickSight
- B . Amazon Redshift
- C . Amazon Kinesis Data Analytics
- D . AWS Data Pipeline
C
Explanation:
Amazon Kinesis is the AWS service that makes it easy to collect, process, and analyze such real-time, streaming data with four different capabilities: Kinesis Data Streams: Enables ingesting, buffering, and custom processing of your streaming data.
Which AWS service keeps track of SSL/TLS certificates, creates new certificates, and processes renewals?
- A . AWS Identity and Access Management (1AM)
- B . AWS Certificate Manager (ACM)
- C . AWS Config
- D . AWS Trusted Advisor
B
Explanation:
AWS Certificate Manager helps manage the challenges of maintaining SSL/TLS certificates, including certificate renewals so you don’t have to worry about expiring certificates. Learn more about provisioning, managing, and deploying public and private SSL/TLS certificates.
A company needs to use machine learning and pattern matching to identify and protect sensitive data that the company stores in the AWS Cloud.
Which AWS service will meet these requirements?
- A . Amazon Inspector
- B . Amazon Macie
- C . Amazon GuardDuty
- D . AWS Audit Manager
B
Explanation:
Amazon Macie is a fully managed data security and data privacy service that uses machine learning and pattern matching to discover and protect your sensitive data in AWS.
A company needs to perform data processing once a week that typically takes about 5 hours to complete.
Which AWS service should the company use for this workload?
- A . AWS Lambda
- B . Amazon EC2
- C . AWS CodeDeploy
- D . AWS Wavelength