This blog post takes the questions from the AWS Practice Test and from the Linux Academy (LA) AWS CSAA course and puts them in one post to help you with your exam cram preparation. Key: Q = Question, A = Answer, T = True statement, E = Explanation.
Image: Amazon Web Services Certified Solutions Architect - Associate
Practice Exam
Q: Amazon Glacier is designed for:
A1: Infrequently accessed data
A2: Data archive
Q: You configured ELB to perform health checks on these EC2 instances. If an instance fails to pass health checks, which statement will be true?
A: The ELB stops sending traffic to the instance that failed its health check.
Q: You are building a system to distribute confidential training videos to employees. Using CloudFront, what method could be used to serve content that is stored in S3, but not publicly accessible from S3 directly?
A: Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
Q: Which of the following will occur when an EC2 instance in a VPC (Virtual Private Cloud) with an associated Elastic IP is stopped and started?
A1: All data on instance-store devices will be lost
A2: The underlying host for the instance is changed.
Q: In the basic monitoring package for EC2, Amazon CloudWatch provides the following metrics:
A: Hypervisor-visible metrics such as CPU utilization.
Q: Which is an operational process performed by AWS for data security?
A: Decommissioning of storage devices using industry-standard practices
Q: To protect S3 data from both accidental deletion and accidental overwriting, you should:
A: Enable S3 versioning on the bucket.
LA Quiz 1: Account & Physical Organization
T: Each Availability Zone has at least one AWS data center and sometimes up to 5 or 6 data centers.
T: Availability Zones do NOT span across regions. Availability Zones DO provide for highly available and fault-tolerant architecture, but an AZ is contained within a region.
Q: What are the main benefits of AWS regions?
A1: Regions allow you to place AWS resources in the area of the world closest to your customers who access those resources.
A2: Regions allow you to design applications to conform to specific laws and regulations for specific parts of the world.
Q: What are the benefits of an Availability Zone?
A1: Each Availability Zone is isolated from the others to ensure fault tolerance.
A2: Availability Zones have direct, low-latency connections to each other.
Q: Besides regions and their included Availability Zones, which of the following is another "regional" datacenter location used for content distribution?
A: Edge Location
E: An Edge Location is an AWS datacenter which does not contain AWS services; it is used to deliver content to parts of the world (e.g. CloudFront).
Q: What best describes the concept of elasticity?
A: The ability of a system to increase and decrease in size.
T: Fault tolerance is a system's ability to continue to operate even when one of its components fails.
Q: What best describes the concept of High Availability?
A: A durable system that can operate for long periods of time without failure.
Q: What are the two primary ways that AWS users interface with AWS?
A1: AWS CLI
A2: AWS Console
LA Quiz 2: IAM
T: If an IAM access policy has both an allow rule and a deny rule for the same service, the DENY rule will supersede the allow rule.
Q: You create a new IAM user for AUSER in your company's AWS account. On AUSER's first day, you ask AUSER to make a change to a CloudWatch alarm in an Auto Scaling group. AUSER reports no access to CloudWatch or Auto Scaling in the AWS console. What is a possible explanation for this?
A: You have not added the appropriate IAM permissions and access policies to AUSER; there is a non-explicit deny to all new users.
T: An IAM user can have many IAM permission policies attached to them at the same time, either directly attached or through groups.
Q: What best describes an IAM role?
A: A role is something that another entity can "assume".
Q: AUSER will be overseeing the company's DynamoDB database, so you attached the "AmazonDynamoDBFullAccess" IAM policy to AUSER's IAM user. 6 months later, AUSER was promoted to manager and added to the "Managers" IAM group. The "Managers" group does not have the "AmazonDynamoDBFullAccess" policy attached to it. What will happen to AUSER's DynamoDB access?
A: Nothing, as an IAM user can have multiple IAM permission policies attached to them at the same time, either directly to the user or through an associated IAM group.
T: By default, when an IAM user is created, it has a non-explicit "deny" for all AWS services.
Q: What are the main benefits of IAM groups?
A1: Assigning IAM permission policies to more than one user at a time.
A2: Easier user/policy management.
T: Best practice is to NEVER store or pass IAM credentials to an EC2 instance.
Q: What best describes the "Principle of Least Privilege"?
A: Users should be granted permission to access only the resources they need to do their assigned job.
Q: The common use for IAM is to manage what?
A: Users, Groups, Roles, Access Policies, API Keys, Password Policies, Multi-Factor Authentication
Q: An EC2 instance must have the ability to access other AWS resources. What is the best way to manage this access?
A: Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. The role will supply temporary permissions that applications can use when they make calls to other AWS resources.
Q: API Access Keys are required to make programmatic calls to AWS from which of the following?
A: AWS CLI, Tools for PowerShell, AWS SDKs, Direct HTTP API calls
Q: You notice that one of the groups has two conflicting permissions attached: one that allows S3 access, and one that denies S3 access. If your goal is to allow members of the group to have S3 access, what needs to be done?
A: You must remove the deny policy, as a deny policy will override an allow policy.
LA Quiz 3: VPC Basics
T: For a subnet to be considered public, it must have a route to the Internet. Having a route to the Internet means that it must be associated with a route table that points to the IGW.
Q: You have been tasked with auditing the security of your VPC. As part of this process, you need to start by analysing what traffic is allowed to and from various EC2 instances. What two parts of the VPC do you need to check to accomplish this task?
A: Security Groups and NACLs
E: Security Groups and NACLs are the two parts of the VPC security layers. Security Groups are a firewall on the instance level, and NACLs are a firewall on the subnet level.
Q: What best describes how NACL rules work?
A: Rules are evaluated by rule number from lowest to highest, and executed immediately when a matching allow/deny rule is found.
T: A VPC can only have one IGW attached at a time.
Q: If data is travelling from a customer, over the open Internet, to a web site you are hosting on an EC2 instance in an AWS VPC, what is the order of components that data will travel through?
A: IGW -> Route Table -> NACL -> Subnet -> Security Group -> EC2 Instance
Q: You work for a financial institution that is preparing to (possibly) migrate their on-premise infrastructure to AWS. As part of this process, you have been tasked with preparing the cloud strategy that will be presented to your CTO. As part of this presentation, you need to highlight several of the top benefits of using an AWS VPC. Which of the following benefits do you highlight in this section of the presentation?
A1: The ability to have both public and private subnets
A2: The ability to extend your on-premise network to the cloud via VPN
A3: The ability to provide a DNS server for your VPC
Q: Your company's management team has been considering moving their on-premise network to AWS. You have been called into a meeting to brief the management team on some specifics of AWS. One of the first questions you are asked is what exactly a VPC is. How should you respond?
A: An AWS VPC closely resembles a traditional on-premise network, with the added benefit of AWS infrastructure.
T: NACLs are stateless and security groups are stateful.
E: NACLs are stateless, which means that return traffic must have an allow rule set up for it to enter or leave the subnet. Security groups are stateful, which means that return traffic does not need an allow rule set up for it to enter or leave the security group.
Q: You are the lead Solutions Architect for a healthcare company and are managing an application running on multiple EC2 instances. Those EC2 instances must have the ability to access other AWS resources. What is the best way to manage this access?
A: Use an IAM role to manage temporary credentials for applications that run on an EC2 instance. The role will supply temporary permissions that applications can use when they make calls to other AWS resources.
T: All subnets, regardless of being public or private, can communicate with each other inside of a VPC.
E: Since each route table has a local target with the destination of the VPC's CIDR block range, all subnets within a VPC can communicate with each other.
T: In the default VPC, all subnets have a route to the Internet.
LA Quiz 4: EC2
Q: IOPS are measured in what size "chunks"?
A: IOPS are measured in chunks of 256KB or smaller
Q: What best describes how EBS snapshots work?
A: Snapshots are incremental in nature and are stored in S3
Q: You are a Solutions Architect and your company is interested in moving some workload to AWS. You are concerned that it will be very challenging to manage and control all of the EC2 servers that will need to be deployed, specifically how to ensure that fellow employees are installing the company-approved operating system version, with the right libraries and runtimes and with the proper configuration settings. What EC2 feature will best allow you to control this?
A: You can have a company policy stipulating that any new instance must be launched using a custom Amazon Machine Image (AMI) which specifies exactly which software and associated settings you want to have installed on every new EC2 instance.
T: AMIs are what dictate the instance's operating system and other software settings. It is the "instance type" which determines the instance's virtual hardware.
Q: What best describes the characteristics of EBS volumes?
A: They are persistent and can live past the lifetime of the instance.
Q: If you are running a legacy application that has hard-coded static IP addresses and is running on an EC2 instance, what is the best failover solution that allows you to keep the same IP address on a new instance?
A: Elastic IP addresses (EIPs) are designed to be attached/detached and moved from one EC2 instance to another. They are a great solution for keeping a static IP address and moving it to a new instance if the current instance fails. This will reduce or eliminate any downtime users may experience.
Q: If you are running an application in a production environment and must add a new EBS volume with data from a snapshot, what should you do to avoid degraded performance during the volume's first use?
A: Initialize the data by reading each storage block on the volume
E: Volumes created from an EBS snapshot must be initialized. Initialization occurs the first time a storage block on the volume is read, and performance can be reduced by up to 50%. You can avoid this impact in production environments by manually reading all the blocks.
Q: What command should you run if you want to view an instance's user-data?
A: curl http://169.254.169.254/latest/user-data
Q: Your company has been thinking about moving its networking resources over to AWS. Your boss is particularly interested in the AWS shared responsibility model, as it will allow him to offload some traditional responsibilities to AWS. He says that he is happy that AWS will now handle the following responsibilities listed below. However, you know that he is wrong and that AWS does not handle all of them as part of the shared responsibility model. Which ... are not handled by AWS?
A1: Security Groups
A2: Applying an SSL Certificate to an ELB
A3: Installation of custom firewall software
E: In the shared responsibility model, AWS is responsible for DDoS protection, port scanning protection, and ingress network filtering. You are responsible for managing Security Groups, applying an SSL certificate to an ELB, and installing custom firewall software.
T: A key pair is a combination of a public and private key that is used for authenticating users when logging into an EC2 instance.
E: The public key is stored on the instance, and the private key is given to you when the instance is created.
Q: If you are designing an application that requires fast (10Gbps), low-latency connections between EC2 instances, what EC2 feature should you use?
A: Placement groups
E: Placement groups are a clustering of EC2 instances in one Availability Zone with fast (10Gbps) connections between them. This service is used for applications that need extremely low-latency connections between instances.
Q: You work in the IT department of a Fortune 500 financial services company. Your company has hundreds of servers and also uses VMware for certain applications. You happened to run into one of the senior directors in the hallway today, and she told you that she had just read an article on cloud computing that mentioned EC2 instances and was wondering what that was. What would be the best analogy to use in explaining to her what EC2 is?
A: EC2 is analogous to our internal VMware environment and provides companies with virtual servers that run in the cloud.
Q: What happens to data stored on an instance store volume when an EC2 instance is stopped or shut down?
A: The data will be deleted
E: Since instance store volumes are ephemeral, data will NOT be persistent and WILL be deleted if the instance is stopped or shut down.
LA Quiz 7: Advanced Networking: Highly Available & Fault Tolerant VPC Networking
Q: What best describes the purpose of an Elastic Load Balancer?
A: To evenly distribute traffic among multiple EC2 instances in separate Availability Zones.
E: An ELB is used BEST when it is distributing traffic to EC2 instances located in separate Availability Zones. This provides for higher availability and is more fault tolerant than distributing traffic to EC2 instances in the same AZ.
Q: If you want to create architecture that meets the minimum requirement for high availability and fault tolerance, which option would you choose?
A: An ELB distributing traffic to an Auto Scaling group that has a minimum of two instances that are located in separate Availability Zones.
E: Having a minimum of two instances is required in case one of them fails and is no longer "available." Two AZs are required in case one of them fails and is no longer "available." Auto Scaling is required so that failed instances will be automatically terminated and replaced with a healthy instance, OR to increase the number of instances if demand increases (improving availability and fault tolerance).
Q: What happens when an EC2 instance that is being served traffic from an ELB becomes unhealthy?
A: The ELB will stop serving traffic to it and divert its traffic to a healthy instance.
E: The ELB will stop serving traffic to it and divert its traffic to a healthy instance, as this is all it can do. It is Auto Scaling which can take an unhealthy instance, terminate it, and replace it with a new instance.
Q: What best describes a scaling policy?
A: A set of CloudWatch metric thresholds that dictate when to add or remove instances from the Auto Scaling group.
E: Scaling policies belong to the Auto Scaling group. The policies themselves dictate (via chosen CloudWatch metric thresholds) when instances should be added or removed.
T: An SSL certificate can be applied to an ELB.
E: You can apply an SSL certificate to an ELB and have that as the central point for your secure connection before passing the traffic on to subsequent EC2 instances.
T: Elasticity is a primary benefit of using Auto Scaling.
E: Auto Scaling provides elasticity to your architecture by automating the process of easily scaling up OR down the number of instances being used by your application.
Q: What is the proper solution you should enact to prevent your application from crashing due to a sudden increase in demand?
A: Auto Scaling
E: Auto Scaling is what provides your architecture with the ability to automate the process of adding more instances to avoid crashes (due to a sudden increase in demand). Scaling policies are PART of Auto Scaling but are not the overall solution.
T: An ELB can serve traffic to instances located inside a private subnet.
E: Placing instances in a private subnet creates a higher level of security for the data stored on them. By using an ELB, the ELB can take public traffic from the open Internet and route it into private subnets (and back out).
T: Target Groups allow us to assign different traffic to different sets of EC2 instances using content-based rules in an Application Elastic Load Balancer.
E: Target Groups are where we assign different sets of EC2 instances to receive traffic in an Application Load Balancer. Launch Configurations and Auto Scaling Groups can be used with either Load Balancer type.
Q: What are the two main components of AWS Auto Scaling?
A: Launch configuration and Auto Scaling groups
E: A launch configuration is an EC2 template that will be used by the Auto Scaling group. The Auto Scaling group holds the rules that govern when instances will be provisioned or terminated.
T: It is Auto Scaling that contains scaling policies (which dictate the CloudWatch thresholds for adding/removing instances), not Elastic Load Balancer.
Q: You are designing an environment that requires a complex balancing of traffic to EC2 instances using content-based rules, such as host-based or path-based. Which of the following AWS services would you choose?
A: Application Elastic Load Balancer
E: Application Elastic Load Balancers allow us to configure content-based rules (such as host-based or path-based rules) to balance traffic.
LA Quiz 8: Advanced Networking: Advanced VPC Networking for Increased Security
Q: You work for a company that has been experiencing attacks on its network. Management has asked that you design a solution that will provide increased security for EC2 instances containing sensitive data, while still allowing employees to access the data when needed. Which of the following suggestions is best?
A: Place the EC2 instances into private subnets, and set up a bastion host so employees can access them.
E: Placing EC2 instances into private subnets is a great way to increase their security, since they will no longer be directly accessible from any host outside of the VPC. Adding a bastion host to the architecture will allow authorized users to gain access to the internal resources (instances in private subnets) while providing an additional "hardened" layer of security.
Q: You have provisioned several EC2 instances into private subnets; however, you now have the problem of not being able to download any new software packages or updates. Which of the following provides the best solution?
A: Create a NAT Gateway in a public subnet and create a route to it in the route table associated with the private subnets.
E: A NAT gateway provides the most secure solution for granting EC2 instances in private subnets the ability to download software packages. However, the NAT gateway MUST be placed in a public subnet, and a route to it must be created in the route table associated with the private subnets.
Q: What are two primary requirements of a NAT Gateway (or NAT instance)?
A: A NAT gateway must be provisioned into a public subnet, and it must be part of the private subnet's route table.
E: A NAT gateway must be provisioned into a public subnet (so that it has a route to the Internet), and it must be part of the private subnet's route table (so that the private instances have a route to the NAT gateway). A NAT gateway does not require a bastion host to work (but can be used in combination).
T: A NAT Gateway will only allow return traffic if that traffic has been specifically asked for by an internal resource.
E: A NAT Gateway will not allow any unsolicited traffic through. All traffic that passes through it MUST have been asked for by a resource inside the VPC.
Q: What best describes the difference between a bastion host and a NAT gateway?
A: A bastion host is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet.
E: A bastion host is used as a "gateway" for traffic that is destined for instances located in a private subnet, whereas a NAT gateway provides instances in a private subnet with a route to the Internet. A NAT does provide protection for instances in a private subnet, but its primary goal is to allow instances in the private subnet a route to the Internet (to download software packages).
LA Quiz 9: Advanced Networking: Network Connectivity Troubleshooting
T: You cannot peer two VPCs that are located in different AWS regions.
T: NACLs are the security layer for a subnet (not security groups).
Q: You have just provisioned a fleet of EC2 instances and realized that none of them have a public IP address. What settings would need to be changed for the next fleet of instances to be created with public IP addresses?
A: Modify the auto-assign public IP setting on the subnet.
E: The auto-assigning of public IP addresses resides in the settings of the SUBNET you are provisioning the instances in. By default, new subnets have auto-assign public IP disabled.
Q: You have an application currently running on five EC2 instances as part of an Auto Scaling group. For the past 30 minutes all five instances have been running at 100% CPU utilization; however, the Auto Scaling group has not added any more instances to the group. What is a likely cause?
A1: The Auto Scaling group's MAX size is set at five
A2: You already have 20 on-demand instances running
E: The number of instances in an Auto Scaling group cannot exceed its set MAX limit, regardless of scale-up policies. Also, unless you request an increase from AWS, you cannot have more than 20 on-demand instances running at one time.
T: There can be many reasons why you cannot download software packages besides the instance being provisioned in a private subnet. For example, creating an instance without a public IP address or not having the proper ports open on the security group can cause issues downloading software.
Q: You are using a T2 instance type and are starting to notice that most of the time your application is running very slowly. What would be an appropriate course of action?
A: Move the application to a larger instance type.
E: T2 instance types rely on "burstable" CPU credits for processing power. If your application is constantly using all the CPU credits, then you may experience slowdowns when you run out of credits. The solution to this would be to move the application to a larger instance type.
Q: You are running an analysis on traffic that is accessing your web application. However, you notice that the IP address for every visitor is the IP address of the Elastic Load Balancer. How should you fix this problem so that the logs reflect the IP address of the originating hosts?
A: Enable access logs on the ELB and store them in an S3 bucket.
Q: You have an ELB distributing traffic to a fleet of EC2 instances inside your VPC, evenly spread across two Availability Zones. However, you realize that only half of the instances are actually receiving traffic. What is the most likely cause of this problem?
A: Cross-zone load balancing has not been enabled.
E: Cross-zone load balancing must be enabled for the ELB to serve traffic evenly to all instances in all associated Availability Zones.
Q: If you have an EBS volume in Availability Zone us-east-1d and you want to attach it to an EC2 instance in Availability Zone us-east-1a, what procedure should you follow?
A: Create a snapshot of the volume in us-east-1d, then create a new volume from the snapshot, choosing to place it in us-east-1a. Attach the new volume to the instance.
E: EBS volumes cannot be used across Availability Zones; however, since snapshots are stored in S3, new volumes can be created from a snapshot and placed into any Availability Zone.
T: A VPC can only have one IGW attached to it at a time.
LA Quiz 10: S3
T: S3 can be used as an option for low-cost, reliable web hosting for STATIC (not dynamic) web sites.
Q: Through what process are objects moved from the standard storage class to Glacier?
A: Lifecycle policies
E: Objects uploaded and stored using the standard storage class must use lifecycle policies to move them to Glacier.
T: All S3 buckets are private by default.
Q: You have a static web page hosted in an S3 bucket, and your requests for a file from a website in another S3 bucket keep failing. What is the most likely solution?
A: Enable CORS configuration on the S3 buckets
E: The S3 buckets are in different domains. CORS (cross-origin resource sharing) will allow the domains to share resources. So, enabling CORS on the S3 buckets is the best solution.
T: The S3 Infrequent Access (S3-IA) storage class has object durability of 99.999999999% and availability of 99.90%.
E: S3-IA has the same durability as S3 Standard but has slightly lower availability, since these objects are expected to be accessed much less frequently.
Q: You are currently running an application on AWS that hosts customers' photo albums. For each main photo uploaded, your application generates a thumbnail for use in the mobile version of the application. What is the most cost-effective storage solution, while also providing the highest level of availability and durability?
A: Use the standard storage class for the main photos and the reduced redundancy storage class for the thumbnails.
E: Since the customers' main photos cannot be reproduced, storing them in the standard storage class will provide the highest level of availability and durability. The thumbnails can be easily reproduced from the main photos, so you can store them in reduced redundancy storage, which has lower durability but is cheaper than standard.
Q: If you need to upload a file to S3 that is 500MB in size, what data transit option should you use?
A: Multi-part upload
E: Multi-part upload should be used for uploading any file over 100MB in size (and is required for an object over 5GB in size, up to 5TB in size). Single-operation upload may be used but is not recommended. Import/Export and Snowball are used for datasets that are larger than 5TB.
Q: Your company has petabytes of data that it wants to move from their on-premise network to AWS. What AWS solution should you use?
A: AWS Snowball
E: Snowball is a service provided by AWS for moving extremely large amounts (petabytes) of data into AWS.
Q: You work for a hospital that is required to store patients' medical records for a minimum of 10 years. Most of these records will never be accessed but must be made available upon request (within a few hours). What is the most cost-effective storage option?
A: Glacier
E: Glacier is an AWS solution for archival storage, which is designed for long-term storage of data that is very rarely accessed.
Q: What best describes what occurs when you suspend object versioning?
A: All existing objects retain their current and past versions, and no new versions are created when objects are updated.
E: When you suspend versioning, S3 retains all current and existing past versions. However, all new objects will overwrite the existing current version. No new versions will be created.
Q: What is the object durability and availability advertised by AWS for their S3 standard storage service?
A: Durability of 99.999999999% and availability of 99.99%
E: The S3 standard storage class is advertised as having object durability of 99.999999999% (known as 11 nines) and availability of 99.99%.
LA Quiz 11: Advanced DNS, CDN and Failover Networking
Q: You are migrating your existing web application from your on-premise data center to the AWS cloud. As part of testing your AWS infrastructure, you only want to have 20% of traffic hit AWS resources and the other 80% hit your on-premise resources. What record set routing policy should you choose to accomplish this?
A: Weighted
E: A weighted routing policy allows for "manual" load balancing between different endpoints.
T: An alias record set contains a pointer to an AWS-specific resource.
E: An alias record set contains a pointer to an AWS-specific resource and is used to direct traffic to ELBs, CloudFront distributions, and S3 buckets.
T: CloudFront caching is based on the object's file name (not its type).
Q: If you want to point a domain name to an AWS Elastic Load Balancer in Route 53, how would you need to configure the record set?
A: Alias with a type "A" record set
E: You will need to configure the record set as a type "A" alias. An alias allows you to point the domain to an AWS-specific endpoint, such as an ELB, CloudFront distribution, or S3 bucket (as opposed to just an IPv4 IP address).
T: A public hosted zone should be used for routing Internet traffic for a domain, and a private hosted zone should be used for routing traffic within a VPC.
Q: What is a main benefit of using a CloudFront distribution?
A: Reduces load on your application's resources
E: Once an object is cached at an edge location, all other requests for that object will be handled by the edge location, not your application. This can significantly reduce the number of times your resources are hit.
Q: You have set up a CloudFront distribution but find that instead of each edge location serving up objects that should be cached, your application's origins are being hit for each request. What could be a possible cause of this behavior?
A: The cache expiration time is set to zero
E: If the cache expiration time is not set (or set to zero), then CloudFront will not cache objects at the edge location. This will prompt the behavior where the edge location has to request the same object from the origin for each request.
Q: Your CloudFront distribution is performing well, but you are still getting too many requests at the origin locations. What could be one way to increase CloudFront performance?
A: Increase the cache expiration time
E: If your cache expiration times are too short, you may have requests from the edge location to the origin occurring when they are not required. If you increase the cache expiration time, you should experience fewer hits to the origin.
Q: What is an absolute rule when using an S3 bucket for Route 53 DNS failover?
A: The S3 bucket name must be the same as the domain name
E: To use an S3 bucket for Route 53 DNS failover, the bucket name must match the domain name.
T: A CloudFront origin is the source of the object, and an edge location is where the object is cached.
LA Quiz 12: Hybrid
Environments and VPC Peering
Q: If AWS asks you to configure the connection
between your on-premise data center and a Direct Connect Authorized Provider,
what would you be configuring?
A: The
cross-network connection
E: The cross-network connection is the
connection between your on-premise data center and the Direct Connect
Authorized Provider.
Q: You are trying to establish a VPC peering
connection but are having difficulties locating the other VPC. What is most
likely the cause?
A: The
other VPC is in a different region
E: For a VPC peering connection to be
established, both VPCs must be in the same region.
T: You can peer VPCs that are in two different
AWS accounts, but they must be in the same region.
Q: What two components are required to
establish a VPN connection?
A:
Virtual Private Gateway and Customer Gateway
E: The VPG and Customer Gateway are the two
"connectors" on both sides of the VPN connection (and both are
required).
T: An AWS VPC connection automatically has two
parallel IPsec tunnels for redundancy
T: A VPC can have both an IGW and a VPG
attached at the same time (but only one of each)
Q: You have set up an AWS Direct Connect
connection for your company but still want to create a backup solution in case
the Direct Connect connection fails. What solution should you use as the backup?
A: AWS
virtual private network
E: A virtual private network is a great backup
solution for AWS direct connect. A virtual private network provides the same
access, just with fewer benefits.
T: VPC peering does not allow transitive
connections.
Q: If you need a dedicated, low latency
connection to AWS from your on-premises data center, what solution should you
choose?
A: AWS
Direct Connect
E: AWS Direct Connect is a service that
provides a dedicated network connection between your data center and one of
AWS's Direct Connect locations. One of the main benefits of Direct Connect is a
low-latency connection.
Q: You have been asked to set up architecture
that extends the AWS VPC to your company's on-premise data center. What do you
need to set up to accomplish this?
A:
Virtual Private Network
E: You will need to set up and configure a
virtual private network. A VPN is what allows you to extend subnets inside your
VPC to your on-premise data center.
Q: What best describes a Customer Gateway?
A: An
on-premises, physical device that acts as the "connector" for the VPN
connection.
E: The Customer Gateway is a physical or
software application that is located at your on-premise data center. It is the
VPN connector on the data center side (of the connection) and must be
configured with a static public IP address.
T: A Public Virtual Interface allows you to
interface with AWS resources that have a public endpoint (like S3 or DynamoDB).
LA Quiz 14:
Databases
T: AWS provides automated backups of RDS
databases which are point-in-time snapshots.
Q: What are two benefits of using read
replicas?
A1:
Creates elasticity in RDS
A2:
Improves performance of the primary database by taking workload from it
E: You can add/remove read replicas based on
demand, so it creates elasticity for RDS. Read replicas can take read only
workloads off of the primary database, thus improving performance.
Q: The Availability Zone that your RDS database
instance is located in is suffering from outages, and you have lost access to
the database. What could you have done to prevent losing access to your
database (in the event of this type of failure) without any downtime?
A:
Enabled multi-AZ failover
E: If multi-AZ failover is enabled, a duplicate
copy of the database is kept in a separate AZ. If there is a failure in the
primary database's AZ, AWS will automatically switch the CNAME DNS record from
the primary to the failover backup instance.
Q: What database service should you choose if
you need petabyte-scale data warehousing?
A:
Redshift
E: Redshift is for petabyte-scale data
warehousing.
T: When setting up a DynamoDB database, you
only need to specify the required throughput capacity. There is no instance
size or storage type to choose from. AWS scales compute power with your needs.
T: A read replica can be promoted to the
primary instance.
Q: How does using ElastiCache help to improve
database performance?
A: It
can store high-taxing queries
E: ElastiCache is designed for large,
high-performance or taxing queries. It can store the queries to alleviate hits
to the database.
Q: What database service offers petabyte-scale
data warehousing?
A:
Redshift
E: Redshift offers petabyte-scale data
warehousing that is generally used for big data analytics.
Q: What are the "engine" options for
ElastiCache?
A: Redis
& Memcached
Q: What are three attributes of DynamoDB?
A1:
Fully-managed
A2: A
NoSQL database platform
A3: Uses
key-value store
LA Quiz 15: Application
& Messaging Services
Q: An SQS Message is?
A: A set
of instructions stored in an SQS queue that can be up to 256KB in size
E: An SQS message can be up to 256KB in size of
text (in any format) and is used to relay instructions from one instance to
another (via an SQS queue).
Q: How can you create different versions of an
API using API Gateway and also create a full development lifecycle? (2 answers)
A1:
Create a new API version by cloning an existing one
A2:
Deploy APIs to stages: dev, beta, production
E: You can create lifecycle stages (dev, beta,
production) for which to deploy APIs. Each stage can have its own throttling, caching,
metering, and logging. You can also create a new API version by cloning an
existing one. In addition, you can roll back to previous versions of an API.
Q: If your application's architecture is
currently tightly coupled, what AWS service should you use to decouple the
application?
A: SQS
(Simple Queue Service) and, to a lesser extent, SWF (Simple Workflow) can be
used to decouple application components.
Q: What are some of the essential elements of
API Gateway?
A1: API
Gateway is a fully managed service that allows you to create and manage your
own APIs for your application
A2: API
Gateway acts as a "front door" for your application.
E: API Gateway is a fully managed service that
allows you to create and manage your own APIs for your application. API Gateway
acts as a "front door" for your application, allowing access to
data/logic/functionality from your back-end services.
Q: What best describes decoupled architecture?
A: A
system architecture of multiple components that can process information without
being connected.
E: A loosely coupled (or decoupled) system is
one that has multiple components but can work independently of each other. So
if one fails, the other components can continue to work.
Q: How long can an SWF workflow execution last?
A: 1
year
Q: What service should you choose if you want
to send notifications via text message to a system administrator?
A: SNS
E: SNS (Simple Notification Service) is the AWS
service that provides the ability to send notifications to various endpoints,
with SMS (text messages) being one of them.
Q: What are some of the benefits of using API
Gateway? (2 answers)
A1:
Ability to cache API responses
A2: DDoS
protection via CloudFront
E: Benefits of API Gateway include:
- Ability to cache API responses
- DDoS protection via CloudFront
- SDK generation for iOS, Android, and
JavaScript
- Supports Swagger (a framework of API dev
tools)
- Request/response data transformation
T: SNS can be used to send push notifications
to Android and iOS mobile devices.
Q: What is the purpose of an SWF decision task?
A: It
tells the decider the state of the work flow execution.
E: A decision task is used to communicate (back
to the decider) that a given task has been completed.
LA Quiz 16: Monitoring
T: CloudWatch is a service that allows you to view
resource level metrics and create alarms based on metric thresholds.
Q: Why does stopping and starting an instance
(usually) fix a System Status Check error?
A:
Stopping and starting an instance causes the instance to be provisioned on
different AWS hardware.
E: Unless you have dedicated tenancy enabled,
stopping and starting an instance will generally cause it to be launched onto
different AWS host hardware.
Q: CloudTrail can log API calls from?
A: AWS
is basically one big API call, so it does not matter if the API calls come from
the command line, SDK, or console, they are all logged by CloudTrail.
Q: Which of the following CloudWatch EC2
metrics will require a custom script to enable?
A:
Memory Utilization
E: Custom scripts are needed to enable OS-level
monitoring of EC2 instances. Memory Utilization falls into that category, while
CPU Credit Usage and Utilization do not (those are host-level metrics).
T: System Status Checks are AWS
hardware/software issues that we have no control over.
T: CloudTrail is an API Logging service.
LA Quiz 17:
Deployment Services
Q: What platforms are supported in Elastic
Beanstalk?
A:
Docker, Java, Windows .NET, Node.js, PHP, Python, Ruby
T: Elastic Beanstalk is primarily used to
deploy simple, single-tier applications.
Q: What are two benefits of CloudFormation?
A1: A
great disaster recovery option
A2:
Version control your infrastructure
E: Since CloudFormation allows for you to turn
your infrastructure into code, you can use it to quickly spin up the
infrastructure in a new region (in the case of a disaster), and since it's
code, you can version control it.
T: By using CloudFormation, you can easily
roll back your applications’ infrastructure to previous versions.
Q: What AWS service allows you to treat your
infrastructure as code?
A:
CloudFormation
E: CloudFormation allows you to turn your
infrastructure into JSON-formatted templates.
LA Quiz 18:
Analytics
Q: If you want to process data in real-time,
what AWS service should you use?
A:
Kinesis
E: Kinesis is AWS's service for processing data
in real-time and outputting it to a dashboard or other AWS services.
T: In EMR, data is mapped to a cluster of
master/slave nodes for processing.
Q: If your Kinesis stream needs additional
processing power, what component will you need to add more of?
A:
Shards
E: You can scale out a Kinesis stream by adding
more "shards".
Q: In what two scenarios would you want to use
AWS Kinesis?
A1:
Mobile data capture
A2:
Capturing gaming data.
E: Kinesis is great for collecting gaming data,
such as player actions, and capturing data from IoT sensors and mobile devices.
T: EMR is a service which deploys EC2 instances
based on the Hadoop framework, and also supports Apache Spark, HBase, Presto, and
Flink.
T: A Kinesis consumer can include AWS services
such as Redshift and S3.
E:
Consumers can include Redshift and S3, but also other services like DynamoDB or
a real-time dashboard/Kinesis enabled app.
Q: What is the purpose of a Kinesis producer?
A: To
collect and send data into a Kinesis stream.
E: Kinesis producers include things like IoT
sensors and mobile devices that collect data and send it into the Kinesis
stream.
T: EMR allows you to access the underlying
operating system.
LA Quiz 19: EC2
Container Service
Q: Which of the following is NOT a use case for
using ECS?
A: Cache
big data queries
E: Caching big data queries is best done with a
service like ElastiCache, not ECS.
Q: What is responsible for starting and
stopping tasks on an ECS Container instance?
A: ECS
Agent
E: The ECS Agent is responsible for
starting/stopping tasks. It also monitors tasks and resource utilization.
Q: What two components does a Task Definition
define?
A1:
Which ports should be open on the container instance
A2: Which
container image to use
E: The Task Definition is the blueprint for
your application and defines items such as:
1) Which ports should be open on the container
instance
2) Which container image to use
3) Where to get the container image
4) What data volumes to use.
Q: What is the purpose of AWS ECR?
A: To
act as a container registry service
E: ECR is short for EC2 Container Registry. It
is a repository service for storing container images.
Q: What component of ECS/Containers contains all
the actual software, code, and system tools that your container will use?
A:
Container/Docker Image
E: The Container/Docker Image, which is built
from the Dockerfile, contains all the actual software, code, runtime, system
tools, and libraries that will be used in the container.
LA Quiz 20: Certified
Solution Architect Concepts
T: When designing for elasticity and
scalability, you want to strive for scaling out (adding more instances) instead
of scaling up (increasing instance sizes). However, you must make sure you
start with the proper instance size.
Q: What best describes Recovery Time Objective
(RTO)?
A: The
time it takes after a disruption to restore operations back to its regular
service level.
E: The Recovery Time Objective (RTO) is the
time it takes after a disruption to restore operations back to its regular
service level (as defined by a company's operational level agreement).
Q: What service is best for logging all actions
taken against the AWS API?
A:
CloudTrail
E: CloudTrail is AWS's logging service that can
be used to log all actions taken inside your AWS account.
Q: In the shared security responsibility model,
what are items that you are responsible for managing? (choose all that apply)
A1:
Guest operating systems
A2: AMIs
E: AWS is responsible for everything physical.
That includes the security of the physical hardware at their data centers and
their network infrastructure. You are responsible for selecting and managing
the security for AMI and the OS you install on instances.
T: S3 offers 256-bit encryption for
data-at-rest.
E: S3 offers 256-bit encryption for
data-at-rest, which is an option you can turn on/off. AWS manages the keys and
will decrypt the data when you request to download it.
Q: When designing cloud services, what design
elements should you always consider? (select all that apply)
A1:
Design for failure
A2:
Create self-healing application environments
A3:
Decouple applications
E: When designing cloud architecture, you
always want to start by designing for failure, and create self-healing whenever
possible. Decoupling your application is also best practice. However, you
should always use a minimum of TWO Availability Zones. Only using one
Availability Zone does not allow for high availability.
Q: What AWS service, if used as part of your
application's architecture, has an added benefit of helping to mitigate DDoS
attacks from hitting your back-end instances?
A:
CloudFront
E: When CloudFront is used as part of your
application's architecture, traffic from a DDoS attack will most likely be
redirected to the cached data at an edge location (instead of being routed to
your application's EC2 instances).
Q: Perfect Forward Secrecy is used to offer
SSL/TLS cipher suites for which two AWS services?
A1:
CloudFront
A2:
Elastic Load Balancing
Q: What feature should you utilize for
redundancy if auto scaling and load balancing are not available?
A:
Elastic IP address set up for failover to "stand-by" instances
E: Setting up an Elastic IP address and having
it ready for failover is a great solution when other services that provide high
availability and fault tolerance are not available.
Q: What best describes CloudHSM?
A: A
dedicated appliance that is used to store security keys
E: CloudHSM (which is not a feature specific to
AWS) is a dedicated appliance that is used to store security keys.
Q: What is it called when you have a minimal
version of your production environment running (which can be easily increased
in size) as a disaster recovery solution?
A: Pilot
light
E: A pilot light is the practice of having a
minimally active version of your environment set up and running in a separate
region. If there is catastrophic failure on your primary environment, you can
quickly spin up the pilot light environment to become your primary environment.
LA Quiz 21: Final
Exam
Q: A colleague would like a new subnet
configured in AWS for a database cluster she is building. She expects that the
subnet will never need more than six IP addresses. Which of the following will
likely be the most appropriate choice for this subnet?
A: A /28
private subnet
E: Databases generally do not require public
access from the Internet, so a private subnet is likely the better choice from
a security perspective. /28 is the smallest possible subnet in an AWS VPC.
Q: Company B provides an online image
recognition service and utilizes SQS to decouple system components for
scalability. The SQS consumer's readers poll the image queue as often as possible
to keep end-to-end throughput as high as possible. However, Company B is
realizing that polling in tight loops is burning CPU cycles and increasing
costs with empty responses. How can company B reduce the number of empty
responses?
A:
Enable long polling by setting the ReceiveMessageWaitTimeSeconds to a number > 0
Q: The KPL is an easy-to-use,
highly-configurable library that helps you write to an Amazon Kinesis stream.
It acts as an intermediary between your producer application code and the
stream's API actions. One of its key concepts is aggregation. Which of the
following best describes aggregation as it relates to the KPL?
A: It
refers to the storage of multiple records in a stream's record and allows
customers to increase the number of records sent per API call, which
effectively increases producer throughput.
Q: While implementing a disaster recovery
strategy in another region, you are attempting to move the data from one EBS
volume to another in a separate region. What is the best way to do this? Keep
in mind this is not a live production replication copy.
A: Take
a snapshot of the EBS volume and copy it to the desired region
Q: Elasticity is a fundamental property of the
cloud. What best describes elasticity?
A: Power
to scale computing resources up and down easily with minimal friction
Q: If an instance that belongs to an Elastic
Load Balancer's health check fails, what occurs to the instance that fails?
A: The
ELB will de-register the instance and stop sending traffic to the unhealthy
instance
Q: Your company is posting a big article on the
front page of your website tomorrow. It is expected that the demand could
potentially overwhelm your infrastructure. In the event of a load failure, how
can you set up DNS failover to a static website?
A: Use
Route 53 and the failover option to failover to a static S3 website bucket or
CloudFront distribution in the event of an issue
Q: As part of your application architecture
requirements, the company you are working for has requested the ability to run
analytics against all combined log files from the Elastic Load Balancer. Which
services are used together to collect logs and process log file analysis in an
AWS environment?
A:
Amazon S3 for storing ELB log files and Amazon EMR for processing the log files
in analysis
Q: You recently purchased and deployed four
reserved EC2 instances in the US-East-1 region’s Availability Zone 1 for a new
project. Your supervisor just informed you that this project only requires two
EC2 instances. Rather than selling the reserved instances, she asked you to
terminate the extra instances and convert two of the on-demand instances
already running in Availability Zone 1 to reserved instances. Can this be done?
A: Yes,
you can terminate the reserved instances and AWS will automatically begin
billing the two on-demand instances as reserved instances
E: If you own three Reserved Instances with the
same instance type and Availability Zone, the billing system checks each hour
to see how many total instances you have running that match those parameters.
If it is three or less, you will be charged the Reserved Instance rate for each
instance running that hour.
Q: Your supervisor asks you to create a highly
available, decoupled web application. Which of the following does not
help you accomplish this goal?
A: IAM
user credentials on EC2 instances to grant permissions to modify an SQS queue
E: Elastic Load Balancers, Auto Scaling, and
SQS can all play a part in a highly available, decoupled web application. IAM
user credentials should not be stored on an EC2 instance.
Q: Your AWS environment contains several
on-demand EC2 instances dedicated to a project that has just been cancelled.
Your supervisor does not want to incur charges for these on-demand instances
but also does not want to lose the data just yet because there is a chance the
project may be revived in the next few days. What should you do to minimize
charges for these instances in the meantime?
A: Stop
the instances as soon as possible
E: You should not terminate an instance that
you may need to place back into production in a few days. The best way to
minimize charges is to stop the instances to avoid any data transfer charges
that the instance might incur if left running.
Q: When designing a cloud service based on AWS
and you choose to use RRS on S3 instead of S3 standard storage type, what type
of trade-offs do you have to build your application around?
A: RRS
only has 99.99% durability and you have to design automation around replacing
lost objects
Q: One of your more important clients is a
Telecom business who needs to process some real-time data in a distributed
manner. They suggest to you that they think they should use either Amazon SQS
or Amazon Kinesis to achieve this and they want you to tell them what would be
the difference between the two. After some research, you decide that they
should use Kinesis and are trying to put together some reasons for this. One of
the below statements is INCORRECT, regarding this. Which one?
A:
Kinesis cannot route related data records to the same record processor (as in
streaming MapReduce).
E: Kinesis can route related data records to
the same record processor
Q: Which of the following best describes what
"bastion hosts" are?
A:
Bastion hosts are instances that sit within your public subnet and are
typically accessed using SSH or RDP. Once remote connectivity has been
established with a bastion host, it then acts as a ‘jump’ server, allowing you
to use SSH or RDP to log in to other instances (within private subnets) deeper
within your network.
Q: You and a colleague create an SQS queue and
create several messages in it. You both test your ability to manually poll the
queue by using the command-line API calls. After testing, you find that your
colleague’s polling attempt retrieved messages 1, 3, and 5. Your polling
attempt retrieved messages 4, 6, and 8. Neither of your attempts retrieved
messages 2 or 7. What is a possible cause for this behavior?
A1: You
and your colleague did not see the same messages because of the visibility
timeout
A2: You
and your colleague used short polling
E: When a message is retrieved, that message is
hidden from other polling attempts until the message is deleted or the
visibility timeout expires. Short polling does not query all the servers that
the SQS messages can reside on, so multiple queries of the queue may be needed
to retrieve all messages in the queue.
T: The AMI ID used in an Auto Scaling policy is
configured in the Launch configuration
Q: When reviewing the Auto Scaling events, it
is noticed that an application is scaling up and down multiple times within the
hour. What design change could you make to optimize cost while preserving
elasticity?
A:
Change the scale down CloudWatch metric to a higher threshold
T: You cannot deny the AWS root account to EC2
instances via IAM policy.
Q: By default, is data in S3 encrypted?
A: No,
but it can be when the right APIs are called for SSE
Q: You are working for a startup company that
is building an application that receives large amounts of data. Unfortunately,
current funding has left the startup short on cash, unable to afford thousands
of dollars of storage hardware. The company has opted to use AWS. Which
services would you implement to store a virtually unlimited amount of data
without any effort to scale when demand unexpectedly increases?
A: Amazon
S3, because it provides unlimited amounts of storage data, scales
automatically, is highly available, and durable
T: Amazon SQS (Simple Queue Service) guarantees
delivery of AT LEAST 1 message but cannot guarantee it will not create
duplicates.
Q: You are consulting for a healthcare company
that has strict compliance and auditing requirements. When architecting the
application environment on AWS, which services or service features might you
enable to take advantage of monitoring to ensure auditing the environment for
compliance is easy and follows the strict healthcare compliance requirements?
A:
CloudTrail for security logs
Q: If your organization is concerned about
storing sensitive data in the cloud, you should:
A1:
Encrypt the file system on an EBS volume using Linux tools
A2:
Enable EBS Encryption
A3:
Enable S3 Encryption
Q: You are designing a global application that
takes advantage of multiple regions. As part of your application, the need to
synchronize from one region to another is required to ensure your application
is serving the same data when employing latency-based Route 53 DNS records. To
ensure this happens, you have determined that using the AWS CLI to sync files
from the primary storage servers to S3 is the best method. How might you implement
AWS CLI authentication against the S3 service?
A:
Create an EC2 IAM role and assign it to each EC2 instance that utilizes the AWS
CLI to sync the data
Q: What is the difference between an
Availability Zone and an edge location?
A: An
Availability Zone is an Amazon resource within an AWS region, whereas an edge
location will deliver cached content to the closest location to reduce latency
Q: Currently, you're helping design and
architect a highly-available application. After building the initial
environment, you've found that part of your application does not work correctly
until port 443 is added to the security group. After adding port 443 to the
appropriate security group, how much time will it take before the changes are
applied and the application begins working correctly?
A:
Changes apply instantly to the security group, and the application should be
able to immediately respond to 443 requests
Q: Your supervisor asks you to create a highly
available website which serves static content from EC2 instances. Which of the
following is not a requirement to accomplish this goal?
A: An
SQS queue
E: While an SQS queue can be an important part
of a multi-step decoupled web application, it is not necessary to host a
highly-available static website on EC2. An Auto Scaling group configured to
deploy EC2 instances in multiple subnets located in multiple Availability Zones
allows an application to remain online despite an instance or AZ failure.
Q: Your company wants to back up the onsite file
server to AWS but does not want to serve the files from S3 to your office
network when files need to be accessed. Which service and setup would you use
to accomplish this task?
A: Use
Amazon Storage Gateway and gateway-stored volumes to store the data locally and
asynchronously backup point-in-time snapshots to S3
Q: A user needs access to Elastic Load
Balancing. This is the first and possibly only time that they will require this
access. Which of the following choices would be the best way to allow this
access?
A:
Delegate access to the ELB using an IAM role
Q: You own an image manipulation application.
Your users take a picture, upload it to your app, and request filters to be
added to the image. You need to decouple the application so your users are not
waiting for the image processing to take place. How would you go about doing
this?
A: Use
Amazon SQS to store the requests using metadata and JSON in the message, use S3
to store the image, and Auto Scaling to determine when to fire off more worker
instances based on queue size
Q: You have 5 CloudFormation templates. Each
template is for a different application architecture. These architectures vary
between your blog apps and your gaming apps. What determines the cost of using
the CloudFormation templates?
A:
CloudFormation does not have a cost but you are charged for the underlying
resources it builds
Q: Your application's usage peaks at 90% during
the hours of 9 AM and 10 AM every day. All other hours require only 10% of the
peak resources. What is the best way to scale your application so you're only
paying for max resources during peak hours?
A:
Proactive Cycle Scaling
Q: You are asked to review a plan that your
company has made to create a new application that makes use of SQS, EC2, Auto
Scaling, and CloudWatch. Which of the following action items should you advise
your company not to implement?
A:
Utilize short polling with a wait time of 20 seconds to reduce the number of
empty responses from the SQS queue
E: Polling executed with a wait time of greater
than 0 seconds is called long polling.
FALSE: When a snapshot is being taken against
an EBS volume, the volume becomes unavailable and the instance no longer has
the ability to communicate with the EBS volume until the snapshot is complete.
Q: Your EC2 instances are configured to run
behind an Amazon VPC. You have assigned two web server instances to an Elastic
Load Balancer. However, the instances and the ELB are not reachable via URL to
the elastic load balancer serving the web app data from the EC2 instances. How
might you resolve the issue so that your instances are serving the web app data
to the public Internet?
A:
Attach an internet gateway to the VPC and route it to the subnet
Q: You create an SQS queue with the default
settings for a new application your company is deploying. While new messages
are added to the queue throughout the week, management has indicated that the
application which retrieves the messages should only be run during your
company’s weekly Sunday evening maintenance window. It is quickly noticed on
Monday morning that several messages were not processed the previous evening
and the messages are no longer in the queue. What is a likely cause for this
issue?
A: The
messages surpassed the retention period for the queue
E: The default message retention period for an
SQS queue is four days, so messages older than four days would have been
deleted.
Q: Your company has an application that
requires access to a NoSQL database. Your IT department has no desire to manage
the NoSQL servers. Which Amazon service provides a fully-managed and highly
available NoSQL service?
A:
DynamoDB
Q: An AWS VPC (Virtual Private Cloud) allows
you to…
A:
…connect your cloud resources to your own encrypted IPSec VPN connections
Q: In order to establish a successful
site-to-site VPN connection from your on-premises network to the VPC (Virtual
Private Cloud), which of the following needs to be configured inside of the
VPC?
A: A
public IP address on the customer gateway for the on-premise network
E: When you configure a VPN, you're configuring
it from the VPC and from the on-premises network. You are taking information
(the public IP) from the on-premises network and configuring it inside of the
VPC.
T: Auto Scaling is a tool used for creating
elastic and self-healing applications.
Q: For basic monitoring on AWS, which metrics
are not included as part of the basic monitoring package?
A1: Free
memory
A2: Free
swap
T: Amazon Auto Scaling is not meant to handle
instant load spikes but is built to grow with a gradual increase in usage over
a short time period.
Q: Your AWS environment contains several
reserved EC2 instances dedicated to a project that has just been cancelled.
Your supervisor wants to stop incurring charges for these reserved instances immediately
and recuperate as much of the reserved instance cost as possible. What can you
do to avoid being charged for them?
A:
Terminate the instances as soon as possible, and sell the reserved instances on the
AWS Reserved Instance Marketplace
E: You should terminate the instance to avoid
any data transfer charges that the instance might incur if left running and
sell the reserved instance in the AWS Reserved Instance Marketplace to
recuperate cost.
Q: In AWS, when a request is made, the AWS service
decides whether a given request should be allowed or denied. The distinction
between a request being denied or allowed by default and an explicit deny in a
policy is important. Which of the following statements best describes this
distinction?
A: By default,
a request is denied, but this can be overridden by an allow. In contrast, if a
policy explicitly denies a request, that deny can't be overridden.
T: US-East-1 supports Multi-AZ RDS deployments.
Q: Your supervisor asks you to create a
decoupled application whose process includes dependencies on EC2 instances and
servers located in your company’s on-premises datacenter. Which of these are
you least likely to recommend as part of that process?
A: SQS
polling from an EC2 instance using IAM user credentials
E: An EC2 IAM role should be used when
deploying EC2 instances to grant permissions rather than storing IAM user
credentials in EC2 instances
Q: You manage an application that uses EC2
instances and SQS to process requests from end users. Your application is
working great, but your supervisor is concerned about the cost of the AWS
resources it uses. Which of the following would not help address that concern?
A:
Increase the visibility timeout for messages in the SQS queue
Q: Your company has moved a legacy application
from an on-premises data center to the cloud. The legacy application requires a
static IP address hard-coded into the backend, which prevents you from
deploying the application with high availability and fault tolerance using the
ELB. Which steps would you take to apply high availability and fault tolerance
to this application?
A1:
Ensure that the instance it's using has an elastic IP address assigned to it
A2:
Write a custom script that pings the health of the instance, and, if the instance
stops responding, switches the elastic IP address to a standby instance
Q: Which statement is true about Amazon SQS?
A1:
Amazon SQS (Simple Queue Service) guarantees delivery of AT LEAST 1 message but
cannot guarantee it will not create duplicates.
A2:
Amazon SQS guarantees delivery of AT LEAST 1 message but cannot guarantee
message order, although it does attempt to.
Q: Your company is moving their entire 20 TB
data warehouse to the cloud. With your current bandwidth it would take 2 months
to transfer the data. Which service would allow you to quickly get your data
into AWS?
A:
Amazon Import/Export