This blog post takes the questions from the AWS Practice test, and from the Linux Academy (LA) AWS CSAA course, and puts them in one post to help you with your exam cram preparation. Q = Question. A = Answer. T = True statement. E = Explanation.
Image: Amazon Web Service Certified Solutions Architect - Associate
Q: Amazon Glacier is designed for:
A1: Infrequently accessed data
A2: Data archive
Q: You configured ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement will be true?
A: The ELB stops sending traffic to the instance that failed its health check.
Q: You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
A: Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
Q: Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started?
A1: All data on instance-store devices will be lost
A2: The underlying host for the instance is changed.
Q: In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics:
A: Hypervisor visible metrics such as CPU utilization.
Q: Which is an operational process performed by AWS for data security?
A: Decommissioning of storage devices using industry-standard practices
Q: To protect S3 data from both accidental deletion and accidental overwriting, you should:
A: Enable S3 versioning on the bucket.
LA Quiz 1: Account & Physical Organization
T: Each Availability Zone has at least one AWS data center and sometimes up to 5 or 6 data centers.
T: Availability Zones do NOT span across regions. Availability zones DO provide for highly available and fault tolerant architecture, but an AZ is contained within a region.
Q: What are the main benefits of AWS regions?
A1: Regions allow you to place AWS resources in the area of the world closest to your customers who access those resources.
A2: Regions allow you to design applications to conform to specific laws and regulations for specific parts of the world.
Q: What are the benefits of an Availability Zone?
A1: Each Availability Zone is isolated from each other to ensure fault tolerance.
A2: Availability Zones have direct, low latency connections to each other.
Q: Besides regions and their included Availability Zones, which of the following is another “regional” datacenter location used for content distribution?
A: Edge Location
E: An Edge Location is an AWS datacenter which does not contain AWS services, it is used to deliver content to parts of the world (e.g. CloudFront)
Q: What best describes the concept of elasticity?
A: The ability of a system to increase and decrease in size.
T: Fault Tolerance is a system ability allowing the system to continue to operate even when one of its components fail.
Q: What best describes the concept of High Availability?
A: A durable system that can operate for long periods of time without failure.
Q: What are the two primary ways that AWS users interface with AWS?
A1: AWS CLI
A2: AWS Console
LA Quiz 2: IAM
T: If an IAM access policy has both an allow rule and a deny rule for the same service, the DENY rule will supersede the allow rule.
Q: You create a new IAM user for AUSER in you company’s AWS account. On AUSER’s first day, you ask AUSER to make a change to a Cloudwatch alarm in an Auto Scaling group. AUSER reports no access to Cloudwatch or Auto Scaling in the AWS console. What is a possible explanation for this?
A: You have not added the appropriate IAM permissions and access policies to AUSER; there is a non-explicit deny to all new users.
T: An IAM user can have many IAM permission policies attached to them at the same time, either directly attached or through groups.
Q: What best describes an IAM role?
A: A role is something that another entity can “assume”
Q: AUSER will be overseeing the company’s DynamoDB database, so you attached the “AmazonDynamoDBFullAccess” IAM policy to AUSER’s IAM user. 6 months later, AUSER was promoted to manager and added to the “Managers” IAM group. The “Managers” group does not have the “AmazonDynamoDBFullAccess” policy attached to it. What will happen to AUSER’s DynamoDB access?
A: Nothing, as an IAM user can have multiple IAM permission policies attached to them at the same time, either directly to the user or through an associated IAM group.
T: By default, when an IAM user is created, it has a non-explicit “deny” for all AWS services.
Q: What are the main benefits of IAM groups?
A1: Assigning IAM permission policies to more than one user at a time.
A2: Easier user/policy management.
T: Best practice is to NEVER store or pass IAM credentials to an EC2 instance.
Q: What best describes the “Principal of Least Privilege”?
A: Users should be granted permission to access only the resources they need to do their assigned job.
Q: The common use for IAM is to manage what?
A: Users, Groups, Roles, Access Policies, API Keys, Password Policies, Multi-Factor Authentication
Q: EC2 instance must have the ability to access other AWS resources. What is the best way to manage this access?
A: Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. The role will supply temporary permissions that applications can use when they make calls to other AWS resources.
Q: API Access Keys are required to make programmatic calls to AWS from which of the following?
A: AWS CLI, Tools for PowerShell, AWS SDKs, Direct HTTP API calls
Q: You notice that one of the groups has two conflicting permissions attached: one that allows S3 access, and one that denies S3 access. If your goal is to allow members of the group to have S3 access, what needs to be done?
A: You must remove the deny policy, as a deny policy will override an allow policy.
LA Quiz 3: VPC Basics
T: For a subnet to be considered public, it must have a route to the Internet. Having a route to the Internet means that it must be associated with a route table that points to the IGW.
Q: You have been tasked with auditing the security of your VPC. As part of this process, you need to start by analysing what traffic is allowed to and from various EC2 instances. What two parts of the VPC do you need to check to accomplish this task?
A: Security Groups and NACLs
E: Security Groups and NACLs are the two parts of the VPC Security Layers. Security Groups are a firewall on the instance level, and NACLs are a firewall on the subnet level.
Q: What best describes how NACLs rules work?
A: Rules are evaluated by rule number from lowest to highest, and executed immediately when a matching allow/deny rule is found.
T: A VPC can only have one IGW attached at a time.
Q: If data is travelling from a customer, over the open Internet, to a web site you are hosting on an EC2 instance in an AWS VPC, what is the order of components that data will travel through?
A: IGW -> Route Table -> NACL -> Subnet -> Security Group -> EC2 Instance
Q: You work for a financial institution that is preparing to (possibly) migrate their on-premise infrastructure to AWS. As part of this process, you have been tasked with preparing the cloud strategy that will be presented to your CTO. As part of this presentation, you need to highlight several of the top benefits of using an AWS VPC. Which of the following benefits do you highlight in this section of the presentation?
A1: The ability to have both public and private subnets
A2: The ability to extend your on-premise network to the cloud via VPN
A3: The ability to provide a DNS server for your VPC
Q: Your company’s management team has been considering moving their on-premise network to AWS. You have been called into a meeting to brief the management team on some specifics of AWS. One of the first questions you are asked is what exactly a VPC is. How should you respond?
A: An AWS VPC closely resembles a traditional on-premise network, with the added benefit of AWS infrastructure.
T: NACLs are stateless and security groups are stateful.
E: NACLs are stateless, which means that return request traffic must have an allow rule set up for that return traffic to enter or leave the subnet. Security groups are stateful, which means that return request traffic does not need an allow rule set up for that return traffic to enter or leave the security group.
Q: You are the lead Solutions Architect for a healthcare company and are managing an application running on multiple EC2 instances. Those EC2 instances must have the ability to access other AWS resources. What is the best way to manage this access?
A: Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. The role will supply temporary permissions that applications can use when they make calls to other AWS resources.
T: All subnets, regardless of being public or private, can communicate with each other inside of a VPC.
E: Since each route table has a local target with the destination of the VPCs CIDR block range, all subnets within a VPC can communicate with each other.
T: In the default VPC, all subnets have a route to the Internet.
LA Quiz 4: EC2
Q: IOPS are measured in what size “chunks?”
A: IOPS are measured in chunks of 256KB or smaller
Q: What best describes how EBS snapshots work?
A: Snapshots are incremental in nature and are stored in S3
Q: You are a Solutions Architect and your company is interested in moving some workload to AWS. You are concerned that it will be very challenging to manage and control all of the EC2 servers that will need to be deployed – specifically, how to insure that fellow employees are installing the company approved operating system version, with the right libraries and runtimes and with the proper configuration settings. What EC2 feature will best allow you to control this?
A: You can have a company policy stipulating that any new instance must be launched using a custom Amazon Machine Image (AMI) which specifies exactly which software and associated settings you want to have installed on every new EC2 instance.
T: AMIs are what dictate the instances operating system and other software settings. It is the "instance type" which determines the instances virtual hardware.
Q: What best describes the characteristics of EBS volumes?
A: They are persistent and can live past the lifetime of the instance.
Q: If you are running a legacy application that has hard-coded static IP addresses and is running on an EC2 instance, what is the best failover solution that allows you to keep the same IP address on a new instance?
A: Elastic IP addresses (EIPs) are designed to be attached/detached and moved from one EC2 instance to another. They are a great solution for keeping a static IP address and moving it to a new instance if the current instance fails. This will reduce or eliminate any downtime users may experience.
Q: If you are running an application in a production environment and must add a new EBS volume with data from a snapshot, what should you do to avoid degraded performance during the volume's first use?
A: Initialize the data by readying each storage block on the volume
E: Volumes created from an EBS snapshot must be initialized. Initializing occurs the first time a storage block on the volume is read, and the performance impact can be impacted by up to 50%. You can avoid this impact in production environments by manually reading all the blocks.
Q: What command should you run if you want to view an instance's user-data?
A: curl http://169.254.169.254/latest/user-data
Q: Your company has been thinking about moving its networking resources over to AWS. Your boss is particularly interested in the AWS shared responsibility model, as it will allow him to offload some traditional responsibilities to AWS. He says that he is happy that AWS will now handle the following responsibilities listed below. However, you know that he is wrong and that AWS does not handle all of them as part of the shared responsibility model. Which ... are not handled by AWS?
A1: Security Groups
A2: Applying an SSL Certificate to an ELB
A3: Installation of custom firewall software
E: In the shared responsibility model, AWS is responsible for DDOS protection, port scanning protection, and ingress network filtering. You are responsible for managing Security Groups, Applying an SSL Certificate to an ELB, and Installation of custom firewall software.
T: A key pair is a combination of a public and private key that is used for authenticating users when logging into an EC2 instance.
E: The public key pair is stored on the instance, and the private key is given to you when the instance is created.
Q: If you are designing an application that requires fast (10Gbps), low-latency connections between EC2 instances, what EC2 feature should you use?
A: Placement groups
E: Placement groups are a clustering of EC2 instances in one Availability Zone with fast (10Gbps) connections between them. This service is used for applications that need extremely low-latency connections between instances.
Q: You work in the IT department of a Fortune 500 financial services company. Your company has hundreds of servers and also uses VMware for certain applications. You happened to run into one of the senior directors in the hallway today, and she told you that she had just read an article on cloud computing that mentioned EC2 instances and was wondering what that was. What would be the best analogy to use in explaining to her what EC2 is?
A: EC2 is analogous to our internal VMware environment and provides companies with virtual servers that run in the cloud.
Q: What happens to data stored on an instance store volume when an EC2 instance is stopped or shutdown?
A: The data will be deleted
E: Since instance store volumes are ephemeral, data will NOT be persistent and WILL be deleted if the instance is stopped or shut down.
LA Quiz 7: Advanced Networking: Highly Available & Fault Tolerant VPC Networking
Q: What best describes the purpose of an Elastic Load Balancer?
A: To evenly distribute traffic among multiple EC2 instances in separate Availability Zones.
E: An ELB is used BEST when it is distributing traffic to EC2 instances located in separate Availability Zones. This provides for higher availability and is more fault tolerant than distributing traffic to EC2 instances in the same AZ.
Q: If you want to create architecture that meets the minimum requirement for high availability and fault tolerance, which option would you choose?
A: An ELB distributing traffic to an Auto Scaling group that has a minimum of two instances that are located in separate Availability Zones.
E: Having a minimum of two instances is required in case one of them fails and is no longer "available." Two AZs are required in case of one of them fails and is no longer "available." Auto Scaling is required so that failed instances will be automatically terminated and replaced with healthy instance OR to increase the amount of instances if demand increases (improving availability and fault tolerance).
Q: What happens when an EC2 instance that is being served traffic from an ELB becomes unhealthy?
A: The ELB will stop serving traffic to it and divert its traffic to a healthy instance.
E: The ELB will stop serving traffic to it and divert its traffic to a healthy instance, as this is all it can do. It is Auto Scaling which can take an unhealthy instance, terminate it, and replace it with a new instance.
Q: What best describes a scaling policy?
A: A set of CloudWatch metric thresholds that dictate when to add or remove instances from the Auto Scaling group.
E: Scaling policies belong to the Auto Scaling group. The policies themselves dictate (via chosen CloudWatch metrics thresholds) when instances should be added or removed.
T: An SSL certificate can be applied to an ELB.
E: You can apply an SSL certificate to an ELB and have that as the central point for your secure connection before passing the traffics onto subsequent EC2 instances.
T: Elasticity is a primary benefit of using Auto Scaling.
E: Auto Scaling provides elasticity to your architecture by automating the process of easily scaling up OR down the number of instances being used by your application.
Q: What is the proper solution you should enact to prevent your application from crashing due to a sudden increase in demand?
A: Auto Scaling
E: Auto Scaling is what provides your architecture with the ability to automate the process of adding more instances to avoid crashes (due to sudden increase in demand). Scaling policies are PART of Auto Scaling but are not the overall solution.
T: An ELB can serve traffic to instances located inside a private subnet.
E: Placing instances in a private subnet creates a higher level of security for the data stored on them. By using an ELB, the ELB can take public traffic from the open Internet and route into private subnets (and back out).
T: Target Groups allow us to assign different sets of EC2 instances different traffic using content-based rules in an Application Elastic Load Balancer
E: Target Groups are where we assign different sets of EC2 instances to receive traffic in an Application Load Balancer. Launch Configurations and AutoScaling Groups can be used with either Load Balancing type.
Q: What are the two main components of AWS Auto Scaling?
A: Launch configuration and Auto Scaling groups
E: A launch configuration is an EC2 template that will be used by the Auto Scaling group. The Auto Scaling group holds the rules that govern when instances will be provisioned or terminated.
T: It is Auto Scaling that contains scaling policies (which dictate the Cloudwatch thresholds for adding/removing instances), not Elastic Load Balancer.
Q: You are designing an environment that requires a complex balancing of traffic to EC2 instances using content-based rules, such as host-based or path-based. Which of the following AWS services would you choose?
A: Application Elastic Load Balancer
E: Application Elastic Load Balancers allow us to configure content-based rules to balance traffic based on different content-based rules.
LA Quiz 8: Advanced Networking: Advanced VPC Networking for Increased Security
Q: You work for a company that has been experiencing attacks on its network. Management has asked that you design a solution that will provide increased security for EC2 instances containing sensitive data, while still allowing employees to access the data when needed. Which of the following suggestions is best?
A: Place the EC2 instances into private subnets, and set up a bastion host so employees can access them.
E: Placing EC2 instances into private subnets is a great way to increase their security, since they will no longer be directly accessible from any host outside of the VPC. Adding a bastion host to the architecture will allow authorized users to gain access to the internal resources (instances in private subnets) while providing an additional "hardened" layer of security.
Q: You have provisioned several EC2 instances into private subnets; however, you now have the problem of not being able to download any new software packages or updates. Which if of the following provides the best solution?
A: Create a NAT Gateway in a public subnet and create a route to it in the route table associated with the private subnets.
E: A NAT gateway provides the most secure solution for granting EC2 instances in private subnet the ability to download software packages. However, the NAT gateway MUST be placed in a public subnet, and a route to it must be created in the route table associated with the private subnets.
Q: What are two primary requirements of a NAT Gateway (or NAT instance)?
A: A NAT gateway must be provisioned into a public subnet, and it must be part of the private subnet's route table.
E: A NAT gateway must be provisioned into a public subnet (so that it has a route to the internet), and it must part of the private subnet's route table (so that the private instances have a route to the NAT gateway). A NAT gateway does not require a bastion host to work (but can be used in combination).
T: A NAT Gateway will only allow return traffic if that traffic has been specifically asked for by an internal resource.
E: A NAT Gateway will not allow any unsolicited traffic through. All traffic that passes through it MUST have been asked for by a resource inside the VPC.
Q: What best describes the difference between a bastion host and a NAT gateway?
A: A bastion host is used is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet.
E: A bastion host is used is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet. A NAT does provide protection for instances in a private subnet, but its primary goal is to allow instances in the private subnet a route to the Internet (to download software packages).
LA Quiz 9: Advanced Networking: Network Connectivity Troubleshooting
T: You cannot peer two VPCs that are located in different AWS regions.
T: NACLs are the security layer for a subnet (not security groups.)
Q: You have just provisioned a fleet of EC2 instances and realized that none of them have a public IP address. What settings would need to be changed for the next fleet of instances to be created with public IP addresses?
A: Modify the auto-assign public IP setting on the subnet.
E: The auto assigning of IP addresses resides in the settings of the SUBNET you are provisioning the instances in. By default, new subnets have auto-assign IP addresses disabled.
Q: You have an application currently running on five EC2 instances as part of an Auto Scaling group. For the past 30 minutes all five instances have been running at 100% CPU Utilization; however, the Auto Scaling group has not added any more instances to the group. What is a likely cause?
A1: The Auto Scaling group's MAX size is set at five
A2: You already have 20 on-demand instances running
E: The number of instances in an Auto Scaling group cannot exceed its set MAX limit, regardless of scale-up policies. Also, unless you request an increase from AWS, you cannot have more than 20 on-demand instances running at one time.
T: There can be many reasons why you cannot download software packages besides the instance being provisioned in a private subnet. For example, creating an instance without a public IP address or not having the proper ports open on the security group can cause issues downloading software.
Q: You are using a T2 instance type and are starting to notice that most of the time your application is running very slow. What would be an appropriate course of action?
A: Move the application to a larger instance type.
E: T2 instance types rely on "burstable" CPU credits for processing power. If your application is constantly using all the CPU credits, then you may experience slow downs when you run out of credits. The solution to this would be to move the application to an instance running a large instance type.
Q: You are running an analysis on traffic that is accessing your web application. However, you notice that the IP address for every visitor is the IP address of the Elastic Load Balancer. How should you fix this problem so that the logs reflect the IP address of the originating hosts?
A: Enable access logs on the ELB and store them in an S3 bucket.
Q: You have an ELB distributing traffic to a fleet of EC2 instances inside your VPC, evenly spread across two Availability Zones. However, you realize that only half of the instances are actually receiving traffic. What is the most likely cause of this problem?
A: Cross-zone load balancing has not been enabled.
E: Cross-zone load balancing must be enabled for it to serve traffic evenly to all instances in all associated Availability Zones.
Q: If you have an EBS volume in Availability Zone us-east-1d and you want to attach it to an EC2 instance in Availability Zone us-east-1a, what procedure should you follow?
A: Create a snapshot of the volume in us-east-1d, then create a new volume from the snapshot, choosing to place it in us-east-1a. Attach the new volume to the instance.
E: EBS volumes cannot be used across Availability Zones; however, since snapshots are stored in S3, new volumes can be created from a snapshot and placed into any Availability Zone.
T: A VPC can only have one IGW attached to it at a time.
LA Quiz 10: S3
T: S3 can be used as an option for low-cost, reliable web hosting for STATIC (not dynamic) web sites.
Q: Through what process are objects moved from the standard storage class to Glacier?
A: Lifecycle policies
E: Objects uploaded and stored using the standard storage class must use lifecycles to move them to Glacier.
T: All S3 buckets are private by default.
Q: You have a static web page hosted in an S3 bucket, and your requests for a file from a website in another S3 bucket keep failing. What is the most likely solution?
A: Enable CORS configuration on the S3 buckets
E: S3 buckets are in different domains. CORS (cross-origin resource sharing) will allow for domains to share resources. So, enabling CORS on the S3 buckets is the best solution.
T: The S3 infrequent access (S3-IA) storage class has object durability of 99.999999999% and availability of 99.90%
E: S3-IA has the same durability as S3-standard but has a slightly slower availability since these objects are expected to be accessed much less frequently.
Q: You are currently running an application on AWS that hosts customers' photo albums. For each main photo uploaded, your application generates a thumbnail for use in the mobile version of the application. What is the most cost effective storage solution, while also providing the highest level of availability and durability?
A: Use the standard storage class for the main photos and the reduced redundancy storage class for the thumbnails.
E: Since the customers' main photos cannot be reproduced, storing them in the standard storage class will provide the highest level of availability and durability. The thumbnails can be easily reproduced from the main photos, so you can store them in reduced redundancy storage, which has lower durability, but is cheaper than standard.
Q: If you need to upload a file to S3 that is 500MB in size, what data transit option should you use?
A: Multi-part upload
E: Multi-part upload should be used for uploading any file over 100MB in size (and required for an object over 5GB in size - up to 5TB in size). Single operation upload may be used but is not recommended. Import/export and Snowball are used for datasets that are larger than 5TB.
Q: Your company has petabytes of data that it wants to move from their on-premise network to AWS. What AWS solution should you use?
A: AWS Snowball
E: Snowball is a service provided by AWS for moving extremely large (petabytes) of data into AWS.
Q: You work for a hospital that is required to store patient's medical records for a minimum of 10 years. Most of these records will never be accessed but must be made available upon request (within a few hours). What is the most cost-effective storage option?
E: Glacier is an AWS solution for archival storage, which is designed for long-term storage of data that is very rarely accessed.
Q: What best describes what occurs when you suspend object versioning?
A: All existing objects retain their current and past versions, and no new versions are created when objects are updated.
E: When you suspend versioning, S3 retains all current and existing past versions. However, all new objects will overwrite the existing current version. No new versions will be created.
Q: What is the object durability and availability advertised by AWS for their S3 standard storage service?
A: Durability of 99.999999999% and availability of 99.99%
E: S3 standard storage class is advertised as having object durability of 99.999999999% (known as 11 nines) and availability of 99.99%
LA Quiz 11: Advanced DNS, CSN and Failover Networking
Q: You are migrating your existing web application from your on-premise data center to the AWS cloud. As part of testing your AWS infrastructure, you only want to have 20% of traffic to hit AWS resources and the other 80% to hit your on-premise resources. What record set routing policy should you choose to accomplish this?
E: A weighted routing policy allows for "manual" load balancing between different endpoints.
T: An alias record set contains a pointer to an AWS-specific resource.
E: An alias record set contains a pointer to an AWS-specific resource and is used to direct traffic to ELBs, CF distributions, and S3 buckets.
T: CloudFront caching is based on the object's file name (not its type).
Q: If you want to point a domain name to an AWS elastic load balancer in Route 53, how would you need to configure the record set?
A: Alias with a type "A" record set
E: You will need to configure the record set as a type "A" alias. An alias allows you to point the domain to an AWS-specific endpoint, such as an ELB, Cloudfront distribution, or S3 bucket (as opposed to just an IPv4 IP address).
T: A public hosted zone should be used for routing Internet traffic for a domain, and a private hosted zone should be used for routing traffic within a VPC.
Q: What is a main benefit of using a CloudFront distribution?
A: Reduces load on your applications resources
E: Once an object is cached at an edge location, all other requests for that object will be handled by the edge location, not your application. This can significantly reduce the amount of times your resources are hit.
Q: You have set up a CloudFront distribution but find that instead of each edge location serving up objects that should be cached, your application's origins are being hit for each request. What could be a possible cause of this behavior?
A: The cache expiration time is set to zero
E: If the cache expiration time is not set (or set to zero), then CF will not cache objects at the edge location. This will prompt the behavior where the edge location will have to request the same object from the origin for reach request.
Q: Your CloudFront distribution is performing well, but you are still getting too many request at the origin locations. What could be one way to increase CloudFront performance?
A: Increase the cache expiration time
E: If your cache expiration times are too short, you may have request from the edge location to the origin occurring when they are not required. If you increase the cache expiration date, you should experience less hits to the origin.
Q: What is an absolute rule when using an S3 bucket for Route 53 DNS failover?
A: The S3 bucket must be the same as the domain name
E: To use an S3 bucket for Route 53 DNS failover, the bucket name must match the domain name.
T: A CloudFront origin is the source of the object, and an edge location is where the object is cached.
LA Quiz 12: Hybrid Environments and VPC Peering
Q: If AWS asks you to configure the connection between your on-premise data center and a Direct Connect Authorized Provider, what would you be configuring?
A: The cross-network connection
E: The cross-network connection is the connection between your on-premise data center and the Direct Connect Authorized Provider.
Q: You are trying to establish a VPC peering connection but are having difficulties locating the other VPC. What is most likely the cause?
A: The other VPC is in a different region
E: For a VPC peering connection to be established, both VPCs must be in the same region.
T: You can peer VPCs that are in two different AWS accounts, but they must be in the same region.
Q: What two components are required to establish a VPN connection?
A: Virtual Private Gateway and Customer Gateway
E: The VPG and Customer Gateway are the two "connectors" on both sides of the VPN connection (and both are required).
T: An AWS VPC connection automatically has two parallel IPsec tunnels for redundancy
T: A VPC can have both an IGW and a VPG attached at the same time (but only one of each)
Q: You have set up an AWS Direct Connect connection for your company but still want to create a backup solution in case the Direct Connect connections fails. What solution should use as the backup?
A: AWS virtual private network
E: A virtual private network is a great backup solution for AWS direct connect. A virtual private network provides the same access, just with fewer benefits.
T: VPC peering does not allow transitive connections.
Q: If you need a dedicated, low latency connection to AWS from your on-premises data center, what solution should you choose?
A: AWS Direct Connect
E: AWS Direct Connect is a service that provides a dedicated network connection between your data center and one of AWS's Direct Connect locations. One of the main benefits of Direct Connect is a low-latency connection.
Q: You have been asked to set up architecture that extends the AWS VPC to your company's on-premise data center. What do you need to set up to accomplish this?
A: Virtual Private Network
E: You will need to set up and configure a virtual private network. A VPN is what allows you to extend subnets inside your VPC to your on-premise data center.
Q: What best describes a Customer Gateway?
A: An on-premises, physical device that acts as the "connector" for the VPN connection.
E: The Customer Gateway is a physical or software application that is located at your on-premise data center. It is the VPN connector on the data center side (of the connection) and must be configured with a static public IP address.
T: A Public Virtual Interface allows you to interface with AWS resources that have a public endpoint (like S3 or DynamoDB).
LA Quiz 14: Databases
T: AWS provides automated backups of RDS databases which are point-in-time snapshots.
Q: What are two benefits of using read replicas?
A1: Creates elasticity in RDS
A2: Improves performance of the primary database by taking workload from it
E: You can add/remove read replicas based on demand, so it creates elasticity for RDS. Read replicas can take read only workloads off of the primary database, thus improving performance.
Q: The Availability Zone that your RDS database instance is located in is suffering from outages, and you have lost access to the database. What could you have done to prevent losing access to your database (in the event of this type of failure) without any downtime?
A: Enabled multi-AZ failover
E: If multi-AZ failover is enabled, a duplicate copy of the database is kept in a separate AZ. If there is failure in the primary database's AZ, AWS will automatically switch the CNAME DNS record from the primary to the failover backup instance.
Q: What database service should you choose if you need petabyte-scale data warehousing?
E: Redshift is for petabyte-scale data warehousing.
T: When setting up a DynamoDB database, you only need to specify the required throughput capacity. There is no instance size or storage type to choose from. AWS scales compute power with your needs.
T: A read replica can be promoted to the primary instance.
Q: How does using Elasticache help to improve database performance?
A: It can store high-taxing queries
E: Elasticache is designed for large, high-performance or taxing queries. it can store the queries to alleviate hits to the database.
Q: What database service offers petabyte-scale data warehousing?
E: Redshift offers petabyte-scale data warehousing that is generally used for big data analytics.
Q: What are the "engine" options for ElastiCache?
A: Redis & Memcached
Q: What are three attributes of DynamoDB?
A2: A NoSQL database platform
A3: Uses key-value store
LA Quiz 15: Application & Messaging Services
Q: An SQS Message is?
A: A set of instructions stored in an SQS queue that can be up to 256KB in size
E: An SQS message can be up to 256KB in size of text (in any format) and is used to relay instructions from one instance to another (via an SQS queue).
Q: How can you create different versions of an API using API Gateway and also create a full development lifecycle? (2 answers)
A1: Create a new API version by cloning an existing one
A2: Deploy APIs to stages: dev, beta, production
E: You can create lifecycle stages (dev, beta, production) for which to deploy APIs. Each stage can have its own throttling, caching metering, and logging. You can also create a new API version by cloning an existing one. In addition, you can roll back to previous versions of an API.
Q: If your application's architecture is currently tightly coupled, what AWS service should you use to decouple the application?
A: SQS (Simple Queue Service) and, to a lesser extent, SWF (Simple Workflow) can be used to decouple application components.
Q: What are some of the essential elements of API Gateway?
A1: API Gateway is a fully managed service that allows you to create and manage your own APIs for your application
A2: API Gateway acts as a "front door" for your application.
E: API Gateway is a fully managed service that allows you to create and manage your own APIs for your application. API Gateway acts as a "front door" for your application, allowing access to data/logic/functionality from your back-end services.
Q: What best describes decoupled architecture?
A: A system architecture of multiple components that can process information without being connected.
E: A loosely coupled (or decoupled) system is one that has multiple components but can work independently of each other. So if one fails, the other components can continue to work.
Q: How long can an SWF workflow execution last?
A: 1 year
Q: What service should you choose if you want to send notifications via text message to a system administrator?
E: SNS (Simple Notification Service) is the AWS service that provides the ability to send notifications to various endpoints, with SMS (test messages) being one of them.
Q: What are some of the benefits of using API Gateway? (2 answers)
A1: Ability to cache API responses
A2: DDoS protection via CloudFront
E: Benefits of API Gateway include:
- Ability to cache API responses
- DDoS protection via CloudFront
- Supports Swagger (a framework of API dev tools)
- Request/response data transformation
T: SNS can be used to send push notifications to Android and iOS mobile devices.
Q: What is the purpose of an SWF decision task?
A: It tells the decider the state of the work flow execution.
E: A decision task is used to communicate (back to the decider) that a given task has been completed.
LA Quiz 16: Monitoring
T: CloudWatch is a service that allows you to view resource level metrics and create alarms based on metric thresholds.
Q: Why does stopping and starting an instance (usually) fix a System Status Check error?
A: Stopping and starting an instance causes the instance to be provisioned on different AWS hardware.
E: Unless you have dedicated tenancy enabled, stopping and starting an instance will generally cause it to be launched onto different AWS host hardware.
Q: CloudTrail can log API calls from?
A: AWS is basically one big API call, so it does not matter if the API calls come from the command line, SDK, or console, they are all logged by CloudTrail.
Q: Which of the following CloudWatch EC2 metrics will require a custom script to enable?
A: Memory Utilization
E: Custom scripts are needed to enable OS-level monitoring of EC2 instances. Memory Utilization falls into that category, while CPU Credit Usage and Utilization does not (those are host-level metrics).
T: System Status Checks are AWS hardware/software issues that we have no control over.
T: CloudTrail is an API Logging service.
LA Quiz 17: Deployment Services
Q: What platforms are supported in Elastic BeanStalk?
A: Docker, Java, Windows .NET, Node.js, PHP, Python, Ruby
T: Elastic BeanStalk is primarily used to deploy simple, single-tier applications.
Q: What are two benefits of Cloudformation?
A1: A great disaster recovery option
A2: Version control your infrastructure
E: Since CloudFormation allows for you to turn your infrastructure into code, you can use it to quickly spin up the infrastructure in a new region (in the case of a disaster), and since it's code, you can version control it.
T: By using Cloudformation, you can easily rollback your applications’ infrastructure to previous versions.
Q: What AWS service allows you to treat your infrastructure as code?
E: Cloudformation allows you to turn your infrastructure into JSON-formatted templates.
LA Quiz 18: Analytics
Q: If you want to process data in real-time, what AWS service should you use?
E: Kinesis is AWS's service for processing data in real-time and outputting it to a dashboard or other AWS services.
T: In EMR, data is mapped to a cluster of master/slave nodes for processing.
Q: If your Kinesis stream needs additional processing power, what component will you need to add more of?
E: You can scale out a Kinesis stream by adding more "shards".
Q: In what two scenarios would you want to use AWS Kinesis?
A1: Mobile data capture
A2: Capturing gaming data.
E: Kinesis is great for collecting gaming data, such as player actions, and capturing data from IoT sensors and mobile devices.
T: EMR is a service which deploys EC2 instances based on the Hadoop framework, and also supports Apache Spark, HBase, Presto, and Flink.
T: A Kinesis consumer can include AWS services such as Redshift and S3.
E: Consumers can include Redshift and S3, but also other services like DynamoDB or a real-time dashboard/Kinesis enabled app.
Q: What is the purpose of a Kinesis producer?
A: To collect and send data into a Kinesis stream.
E: Kinesis producers include things like IoT sensors and mobile devices that collect data and send it into the Kinesis stream.
T: EMR allows you to access the underlining operating system.
LA Quiz 19: EC2 Container Service
Q: Which of the following is NOT a use case for using ECS?
A: Cache big data queries
E: Cache big data queries is best done with service like Elasticache, not ECS.
Q: What is responsible for starting and stopping tasks on an ECS Container instance.
A: ECS Agent
E: The ECS Agent is responsible for starting/stopping tasks. It also monitors tasks and resource utilization.
Q: What two components does a Task Definition define?
A1: Which ports should be open on the container instance
A2: Which container image to use
E: The Task Definition is the blueprint for your application and defines items such as:
1) Which ports should be open on the container instance
2) Which container image to use
3) Where to get the container image
4) What data volumes to use.
Q: What is the purpose of AWS ECR?
A: To act as a container registry service
E: ECR is short for EC2 Container Registry. It is a repository service for storing container images.
Q: What component ECS/Containers contains all the actual software, code, and system tools that your container will use?
A: Container/Docker Image
E: The Container/Docker Image, which is built from the Dockerfile, contains all the actual software, code, runtime, system tools, and libraries that will be used in the container.
LA Quiz 20: Certified Solution Architect Concepts
T: When designing for elasticity and scalability, you want to strive for scaling out (adding more instances) instead of scaling up (increasing instance sizes). However, you must make sure you start with the proper instance size.
Q: What best describes Recovery Time Objective (RTO)?
A: The time it takes after a disruption to restore operations back to its regular service level.
E: The Recovery Time Objective (RTO) is the time it takes after a disruption to restore operations back to its regular service level (as defined by a company's operational level agreement).
Q: What service is best for logging all actions taken against the AWS API?
E: Cloudtrail is AWS's logging service that can be used to log all actions taken inside your AWS account.
Q: In the shared security responsibility model, what are items that you are responsible for managing? (choose all that apply)
A1: Guest operating systems
E: AWS is responsible for everything physical. That includes the security of the physical hardware at their data centers and their network infrastructure. You are responsible for selecting and managing the security for AMI and the OS you install on instances.
T: S3 offers 256-bit encryption for data-at-rest.
E: S3 offers 256-bit encryption for data-at-rest, which is an option you can turn on/off. AWS manages the keys and will decrypt the data when you request to download it.
Q: When designing cloud services, what design elements should you always consider? (select all that apply)
A1: Design for failure
A2: Create self-healing application environments
A3: Decouple applications
E: When designing cloud architecture, you always want to start by designing for failure, and create self-healing whenever possible. Decoupling your application is also best practice. However, you should always use a minimum of TWO Availability Zones. Only using one Availability Zone does not allow for high availability.
Q: What AWS service, if used as part of your application's architecture, has an added benefit of helping to mitigate DDoS attacks from hitting your back-end instances?
E: When CloudFront is used as part of your application's architecture, traffic from a DDoS attack will most likely be redirected to the cached data at an edge location (instead of being routed to your applications EC2 instances).
Q: Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?
A2: Elastic Load Balancing
Q: What feature should you utilize for redundancy if auto scaling and load balancing are not available?
A: Elastic IP address set up for failover to "stand-by" instances
E: Setting up an Elastic IP address and having it ready for failover is a great solution when other services that provide high availability and fault tolerance are not available.
Q: What best describes CloudHSM?
A: A dedicated appliance that is used to store security keys
E: CloudHSM (which is not a feature specific to AWS) is a dedicated appliance that is used to store security keys.
Q: What it is called when you have a minimal version of your production environment running (which can be easily increased in size) as a disaster recovery solution?
A: Pilot light
E: A pilot light is the practice of having a minimally active version of your environment set up and running in a separate region. If there is catastrophic failure on your primary environment, you can quickly spin up the pilot light environment to become your primary environment.
LA Quiz 21: Final Exam
Q: A colleague would like a new subnet configured in AWS for a database cluster she is building. She expects that the subnet will never need more than six IP addresses. Which of the following will likely be the most appropriate choice for this subnet?
A: A /28 private subnet
E: Databases generally do not require public access from the Internet, so a private subnet is likely the better choice from a security perspective. /28 is the smallest possible subnet in an AWS VPC.
Q: Company B provides an online image recognition service and utilizes SQS to decouple system components for scalability. The SQS consumer's readers poll the image queue as often as possible to keep end-to-end throughput as high as possible. However, Company B is realizing that polling in tight loops is burning CPU cycles and increasing costs with empty responses. How can company B reduce the number of empty responses?
A: Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0
Q: The KPL is an easy-to-use, highly-configurable library that helps you write to an Amazon Kinesis stream. It acts as an intermediary between your producer application code and the stream's API actions. One of its key concepts is aggregation. Which of the following best describes aggregation as it relates to the KPL?
A: It refers to the storage of multiple records in a stream's record and allows customers to increase the number of records sent per API call, which effectively increases producer throughput.
Q: While implementing a disaster recovery strategy in another region, you are attempting to move the data from one EBS volume to another in a separate region. What is the best way to do this? Keep in mind this is not a live production replication copy.
A: Take a snapshot of the EBS volume and copy it to the desired region
Q: Elasticity is a fundamental property of the cloud. What best describes elasticity?
A: Power to scale computing resources up and down easily with minimal friction
Q: If an instance that belongs to an Elastic Load Balancer's health check fails, what occurs to the instance that fails?
A: The ELB will de-register the instance and stop sending traffic to the unhealthy instance
Q: Your company is posting a big article on the front page of your website tomorrow. It is expected that the demand could potentially overwhelm your infrastructure. In the event of a load failure, how can you set up DNS failover to a static website?
A: Use Route 53 and the failover option to failover to a static S3 website bucket or CloudFront distribution in the event of an issue
Q: As part of your application architecture requirements, the company you are working for has requested the ability to run analytics against all combined log files from the Elastic Load Balancer. Which services are used together to collect logs and process log file analysis in an AWS environment?
A: Amazon S3 for storing ELB log files and Amazon EMR for processing the log files in analysis
Q: You recently purchased and deployed four reserved EC2 instances in the US-East-1 region’s Availability Zone 1 for a new project. Your supervisor just informed you that this project only requires two EC2 instances. Rather than selling the reserved instances, she asked you to terminate the extra instances and convert two of the on-demand instances already running in Availability Zone 1 to reserved instances. Can this be done?
A: Yes, you can terminate the reserved instances and AWS will automatically begin billing the two on-demand instances as reserved instances
E: If you own three Reserved Instances with the same instance type and Availability Zone, the billing system checks each hour to see how many total instances you have running that match those parameters. If it is three or less, you will be charged the Reserved Instance rate for each instance running that hour.
Q: Your supervisor asks you to create a highly available, decoupled web application. Which of the following does not help you accomplish this goal?
A: IAM user credentials on EC2 instances to grant permissions to modify an SQS queue
E: Elastic Load Balancers, Auto Scaling, and SQS can all play a part in a highly available, decoupled web application. IAM user credentials should not be stored on a EC2 instance.
Q: Your AWS environment contains several on-demand EC2 instances dedicated to a project that has just been cancelled. Your supervisor does not want to incur charges for these on-demand instances but also does not want to lose the data just yet because there is a chance the project may be revived in the next few days. What should you do to minimize charges for these instances in the meantime?
A: Stop the instances as soon as possible
E: You should not terminate an instance that you may need to place back into production in a few days. The best way to minimize charges is to stop the instances to avoid any data transfer charges that the instance might incur if left running.
Q: When designing a cloud service based on AWS and you choose to use RRS on S3 instead of S3 standard storage type, what type of trade offs do you have to build your application around?
A: RRS only has 99.99% durability and you have to design automation around replacing lost objects
Q: One of your more important clients is a Telecom business who needs to process some real-time data in a distributed manner. They suggest to you that they think they should use either Amazon SQS or Amazon Kinesis to achieve this and they want you to tell them what would be the difference between the two. After some research, you decide that they should use Kinesis and are trying to put together some reasons for this. One of the below statements is INCORRECT, regarding this. Which one?
A: Kinesis cannot route related data records to the same record processor (as in streaming MapReduce).
E: Kinesis can route related data records to the same record processor
Q: Which of the following best describes what "bastion hosts" are?
A: Bastion hosts are instances that sit within your public subnet and are typically accessed using SSH or RDP. Once remote connectivity has been established with a bastion host, it then acts as a ‘jump’ server, allowing you to use SSH or RDP to log in to other instances (within private subnets) deeper within your network.
Q: You and a colleague create an SQS queue and create several messages in it. You both test your ability to manually poll the queue by using the command-line API calls. After testing, you find that your colleague’s polling attempt retrieved messages 1, 3, and 5. Your polling attempt retrieved messages 4, 6, and 8. Nether of your attempts retrieved messages 2 or 7. What is a possible cause for this behavior?
A1: You and your colleague did not see the same messages because of the visibility timeout
A2: You and your colleague used short polling
E: When a message is retrieved, that message is hidden from other polling attempts until the message is deleted or the visibility timeout expires. Short polling does not query all the servers that the SQS messages can reside on, so multiple queries of the queue may be needed to retrieve all messages in the queue.
T: The AMI ID used in an Auto Scaling policy is configured in the Launch configuration
Q: When reviewing the Auto Scaling events, it is noticed that an application is scaling up and down multiple times within the hour. What design change could you make to optimize cost while preserving elasticity?
A: Change the scale down CloudWatch metric to a higher threshold
T: You cannot deny the AWS root account to EC2 instances via IAM policy.
Q: By default, is data in S3 encrypted?
A: No, but it can be when the right APIs are called for SSE
Q: You are working for a startup company that is building an application that receives large amounts of data. Unfortunately, current funding has left the startup short on cash, unable to afford thousands of dollars of storage hardware. The company has opted to use AWS. Which services would you implement to store a virtually unlimited amount of data without any effort to scale when demand unexpectedly increases?
A: Amazon S3, because it provides unlimited amounts of storage data, scales automatically, is highly available, and durable
T: Amazon SQS (Simple Queue Service) guarantees delivery of AT LEAST 1 message but cannot guarantee it will not create duplicates.
Q: You are consulting for a healthcare company that has strict compliance and auditing requirements. When architecting the application environment on AWS, which services or service features might you enable to take advantage of monitoring to ensure auditing the environment for compliance is easy and follows the strict healthcare compliance requirements?
A: CloudTrail for security logs
Q: If your organization is concerned about storing sensitive data in the cloud, you should:
A1: Encrypt the file system on an EBS volume using Linux tools
A2: Enable EBS Encyption
A3: Enable S3 Encryption
Q: You are designing a global application that takes advantage of multiple regions. As part of your application, the need to synchronize from one region to another is required to ensure your application is serving the same data when employing latency-based Route 53 DNS records. To ensure this happens, you have determined that using the AWS CLI to sync files from the primary storage servers to S3 is the best method. How might you implement AWS CLI authentication against the S3 service?
A: Create an EC2 IAM role and assign it to each EC2 instance that utilizes the AWS CLI to sync the data
Q: What is the difference between an Availability Zone and an edge location?
A: An Availability Zone is an Amazon resource within an AWS region, whereas an edge location will deliver cached content to the closest location to reduce latency
Q: Currently, you're helping design and architect a highly-available application. After building the initial environment, you've found that part of your application does not work correctly until port 443 is added to the security group. After adding port 443 to the appropriate security group, how much time will it take before the changes are applied and the application begins working correctly?
A: Changes apply instantly to the security group, and the application should be able to immediately respond to 443 requests
Q: Your supervisor asks you to create a highly available website which serves static content from EC2 instances. Which of the following is not a requirement to accomplish this goal?
A: An SQS queue
E: While an SQS queue can be an important part of a multi-step decoupled web application, it is not necessary to host a highly-available static website on EC2. An Auto Scaling group configured to deploy EC2 instances in multiple subnets located in multiple Availability Zones allows an application to remain online despite an instance or AZ failure.
Q: Your company wants to back up the onsite file server to AWS but does not want to serve the files from S3 to your office network when files need to be accessed. Which service and setup would you use to accomplish this task?
A: Use Amazon Storage Gateway and gateway-stored volumes to store the data locally and asynchronously backup point-in-time snapshots to S3
Q: A user needs access to Elastic Load Balancing. This is the first and possibly only time that they will require this access. Which of the following choices would be the best way to allow this access?
A: Delegate access to the ELB using an IAM role
Q: You own an image manipulation application. Your users take a picture, upload it to your app, and request filters to be added to the image. You need to decouple the application so your users are not waiting for the image processing to take place. How would you go about doing this?
A: Use Amazon SQS to store the requests using metadata and JSON in the message, use S3 to store the image, and Auto Scaling to determine when to fire off more worker instances based on queue size
Q: You have 5 Cloudformation templates. Each template is for a different application architecture. These architectures vary between your blog apps and your gaming apps. What determines the cost of using the Cloudformation templates?
A: CloudFormation does not have a cost but you are charged for the underlying resources it builds
Q: Your application's usage peaks at 90% during the hours of 9 AM and 10 AM everyday. All other hours require only 10% of the peak resources. What is the best way to scale your application so you're only paying for max resources during peak hours?
A: Proactive Cycle Scaling
Q: You are asked to review a plan that your company has made to create a new application that makes use of SQS, EC2, Auto Scaling, and CloudWatch. Which of the following action items should you advise your company not to implement?
A: Utilize short polling with a wait time of 20 seconds to reduce the number of empty responses from the SQS queue
E: Polling executed with a wait time of greater than 0 seconds is called long polling.
FALSE: When a snapshot is being taken against an EBS volume, the volume becomes unavailable and the instance no longer has the ability to communicate with the EBS volume until the snapshot is complete.
Q: Your EC2 instances are configured to run behind an Amazon VPC. You have assigned two web server instances to an Elastic Load Balancer. However, the instances and the ELB are not reachable via URL to the elastic load balancer serving the web app data from the EC2 instances. How might you resolve the issue so that your instances are serving the web app data to the public Internet?
A: Attach an internet gateway to the VPC and route it to the subnet
Q: You create an SQS queue with the default settings for a new application your company is deploying. While new messages are added to the queue throughout the week, management has indicated that the application which retrieves the messages should only be run during your company’s weekly Sunday evening maintenance window. It is quickly noticed on Monday morning that several messages were not processed the previous evening and the messages are no longer in the queue. What is a likely cause for this issue?
A: The messages surpassed the retention period for the queue
E: The default message retention period for an SQS queue is four days, so messages older than four days would have been deleted.
Q: Your company has an application that requires access to a NoSQL database. Your IT department has no desire to manage the NoSQL servers. Which Amazon service provides a fully-managed and highly available NoSQL service?
Q: An AWS VPC (Virtual Private Cloud) allows you to…
A: …connect your cloud resources to your own encrypted IPSec VPN connections
Q: In order to establish a successful site-to-site VPN connection from your on-premises network to the VPC (Virtual Private Cloud), which of the following needs to be configured inside of the VPC?
A: A public IP address on the customer gateway for the on-premise network
E: When you configure a VPN, you're configuring it from the VPC and from the on-premises network. You are taking information (the public IP) from the on-premises network and configuring it inside of the VPC.
T: Auto Scaling is a tool used for creating elastic and self-healing applications.
Q: For basic monitoring on AWS, which metrics are not included as part of the basic monitoring package?
A1: Free memory
A2: Free swap
T: Amazon Auto Scaling is not meant to handle instant load spikes but is built to grow with a gradual increase in usage over a short time period.
Q: Your AWS environment contains several reserved EC2 instances dedicated to a project that has just been cancelled. Your supervisor wants to stop incurring charges for these reserved instances immediately and recuperate as much of the reserved instance cost as possible. What can you do to avoid being charged for them?
A: Terminate the instances as soon as possible, Sell the reserved instances on the AWS Reserved Instance Marketplace
E: You should terminate the instance to avoid any data transfer charges that the instance might incur if left running and sell the reserved instance in the AWS Reserved Instance Marketplace to recuperate cost.
Q: In AWS, when a request is made, the AWS service decides whether a given request should be allowed or denied. The distinction between a request being denied or allowed by default and an explicit deny in a policy is important. Which of the following statements best describes this distinction?
A: By default, a request is denied, but this can be overridden by an allow. In contrast, if a policy explicitly denies a request, that deny can't be overridden.
T: US-East-1 supports Multi-AZ RDS deployments.
Q: Your supervisor asks you to create a decoupled application whose process includes dependencies on EC2 instances and servers located in your company’s on-premises datacenter. Which of these are you least likely to recommend as part of that process?
A: SQS polling from an EC2 instance using IAM user credentials
E: An EC2 IAM role should be used when deploying EC2 instances to grant permissions rather than storing IAM user credentials in EC2 instances
Q: You manage an application that uses EC2 instances and SQS to process requests from end users. Your application is working great, but your supervisor is concerned about the cost of the AWS resources it uses. Which of the following would not help address that concern?
A: Increase the visibility timeout for messages in the SQS queue
Q: Your company has moved a legacy application from an on-premises data center to the cloud. The legacy application requires a static IP address hard-coded into the backend, which prevents you from deploying the application with high availability and fault tolerance using the ELB. Which steps would you take to apply high availability and fault tolerance to this application?
A1: Ensure that the instance it's using has an elastic IP address assigned to it
A2: Write a custom script that pings the health of the instance, and, if the instance stops responding, switches the elastic IP address to a standby instance
Q: Which statement is true about Amazon SQS?
A1: Amazon SQS (Simple Queue Service) guarantees delivery of AT LEAST 1 message but cannot guarantee it will not create duplicates.
A2: Amazon SQS guarantees delivery of AT LEAST 1 message but cannot guarantee message order, although does attempt to.
Q: Your company is moving their entire 20 TB data warehouse to the cloud. With your current bandwidth it would take 2 months to transfer the data. Which service would allow you to quickly get your data into AWS?
A: Amazon Import/Export