
Domain: Cloud Concepts

Q 1: According to AWS, what is the benefit of Elasticity?

A. Minimize storage requirements by reducing logging and auditing activities
B. Create systems that scale to the required capacity based on changes in demand
C. Enable AWS to automatically select the most cost-effective services.
D. Accelerate the design process because recovery from failure is automated, reducing the
need for testing

Answer – B

Explanation :

Elasticity is the ability of an application to scale up and scale down based on demand. An
example of such a service is the Autoscaling service.

For more information on AWS Autoscaling service, please refer to the below
URL: https://aws.amazon.com/autoscaling/

A, C and D are incorrect. Elasticity will not have positive effects on storage, cost or design
agility.

Domain : Billing and Pricing

Q2: Which tool can you use to forecast your AWS spending?

A. AWS Organizations
B. Amazon Dev Pay
C. AWS Trusted Advisor
D. AWS Cost Explorer

Answer – D

Explanation :

The AWS Documentation mentions the following.

Cost Explorer is a free tool that you can use to view your costs. You can view data up to the
last 12 months. You can forecast how much you are likely to spend for the next 12 months
and get recommendations for what Reserved Instances to purchase. You can use Cost
Explorer to see patterns in how much you spend on AWS resources over time, identify areas
that need further inquiry, and see trends that you can use to understand your costs. You also
can specify time ranges for the data and view time data by day or by month.

For more information on the AWS Cost Explorer, please refer to the below
URL: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-explorer-what-is.html

A, B and C are incorrect. These services do not relate to billing and cost.

Domain : Technology

Q3: A business analyst would like to move away from creating complex database
queries and static spreadsheets when generating regular reports for high-level
management. They would like to publish insightful, graphically appealing reports with
interactive dashboards. Which service can they use to accomplish this?

A. Amazon QuickSight
B. Business intelligence on Amazon Redshift
C. Amazon CloudWatch dashboards
D. Amazon Athena integrated with Amazon Glue

Correct Answer – A

Explanation :

Amazon QuickSight is the most appropriate service in the scenario. It is a fully-managed
service that allows for insightful business intelligence reporting with creative data delivery
methods, including graphical and interactive dashboards. QuickSight includes machine
learning that allows users to discover inconspicuous trends and patterns on their datasets.

AWS Quick Sight tool | Source: aws.amazon.com/quicksight

• Option B is INCORRECT. Amazon Redshift service is a data warehouse and will
not meet the requirements of interactive dashboards and dynamic means of delivering
reports.
• Option C is INCORRECT. Amazon CloudWatch dashboards will not accomplish
the requirements of the scenario. They are used to monitor AWS system resources and
infrastructure services, though they are customizable and present information
graphically.
• Option D is INCORRECT. Amazon Athena is a query service that allows for easy
data analysis in Amazon S3 by using standard SQL. The service does not meet the
requirements of the scenario.

Domain : Technology

Q4. What is the AWS feature that enables fast, easy and secure transfers of files over
long distances between your client and your Amazon S3 bucket?

A. File Transfer
B. HTTP Transfer
C. Amazon S3 Transfer Acceleration
D. S3 Acceleration

Answer – C

Explanation :

The AWS Documentation mentions the following.

Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long
distances between your client and an S3 bucket. Transfer Acceleration takes advantage of
Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge
location, data is routed to Amazon S3 over an optimized network path.

For more information on S3 transfer acceleration, please visit the
Link: http://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html

Options A, B and D are incorrect. These features deal with transferring data but not
between clients and an S3 bucket.

Domain : Security

Q5: What best describes the “Principle of Least Privilege”? Choose the correct answer
from the options given below.

A. All users should have the same baseline permissions granted to them to use basic AWS
services.
B. Users should be granted permission to access only resources they need to do their assigned
job.
C. Users should submit all access requests in written form so that there is a paper trail of who
needs access to different AWS resources.
D. Users should always have a little more permission than they need.

Answer – B

Explanation :

The principle means giving a user account only those privileges which are essential to
perform its intended function. For example, a user account for the sole purpose of creating
backups does not need to install the software. Hence, it has rights only to run backup and
backup-related applications.

For more information on the principle of least privilege, please refer to the following link:
https://en.wikipedia.org/wiki/Principle_of_least_privilege

Options A, C, and D are incorrect. These actions would not adhere to the Principle of Least
Privilege.

Domain : Security

Q6: A web administrator maintains several public and private web-based resources for
an organisation. Which service can they use to keep track of the expiry dates of
SSL/TLS certificates as well as updating and renewal?

A. AWS Data Lifecycle Manager
B. AWS License Manager
C. AWS Firewall Manager
D. AWS Certificate Manager

Correct Answer – D

Explanation :

The AWS Certificate Manager allows the web administrator to maintain one or several
SSL/TLS certificates, both private and public, including their update and renewal,
so that the administrator does not need to worry about the imminent expiry of
certificates. https://aws.amazon.com/certificate-manager/

• Option A is INCORRECT. The AWS Lifecycle Manager creates life cycle policies
for specified resources to automate operations.
https://docs.aws.amazon.com/dlm/?id=docs_gateway

• Option B is INCORRECT. AWS License Manager serves the purpose of
differentiating and maintaining third-party software provisioning vendor licenses. It also
decreases the risk of license expirations and the penalties.
https://docs.aws.amazon.com/license-manager/?id=docs_gateway

• Option C is INCORRECT. AWS Firewall Manager aids in the administration of
Web Application Firewall (WAF), by presenting a centralised point of setting firewall
rules across different web resources.
https://docs.aws.amazon.com/firewall-manager/?id=docs_gateway

Domain : Security

Q7: Which of the following is the responsibility of the customer to ensure the
availability and backup of the EBS volumes?

A. Delete the data and create a new EBS volume.
B. Create EBS snapshots.
C. Attach new volumes to EC2 Instances.
D. Create copies of EBS Volumes.

Answer – B

Explanation :

Snapshots are incremental backups, which means that only the blocks on the device that have
changed after your most recent snapshot are saved.

When you create an EBS volume based on a snapshot, the new volume begins as an exact
replica of the original volume that was used to create the snapshot. The replicated volume
loads data in the background so that you can begin using it immediately.

Amazon EBS snapshots | Source: aws.amazon.com

Option A is incorrect because there is no need for backup of the volumes if data is already
deleted.

Option C is incorrect because attaching more EBS volumes doesn’t ensure availability. If
there is no snapshot, then the volume cannot be available to a different availability zone.

Option D is incorrect because EBS volumes cannot be copied; they can only be replicated using
snapshots.

For more information on EBS Snapshots, please refer to the below
URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html

Domain : Security

Q8: Which of the following services can be used as an application firewall in AWS?

A. AWS Snowball
B. AWS WAF
C. AWS Firewall
D. AWS Protection

Answer – B

Explanation :

The AWS Documentation mentions the following:

AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests
that are forwarded to Amazon CloudFront or an Application Load Balancer. AWS WAF also
lets you control access to your content.

AWS Snowball, a part of the AWS Snow Family, is an edge computing, data migration, and
edge storage device that comes in two options. Snowball Edge Storage Optimized devices
provide both block storage and Amazon S3-compatible object storage, and 40 vCPUs.

For more information on AWS WAF, please refer to the below
URL: https://docs.aws.amazon.com/waf/latest/developerguide/waf-chapter.html
https://aws.amazon.com/snowball/?whats-new-cards.sort-by=item.additionalFields.postDateTime&whats-new-cards.sort-order=desc

Domain : Cloud Concepts

Q9: Your design team is planning to design an application that will be hosted on the
AWS Cloud. One of their main non-functional requirements is given below:
Reduce inter-dependencies so failures do not impact other components.
Which of the following concepts does this requirement relate to?

A. Integration
B. Decoupling
C. Aggregation
D. Segregation

Answer – B

Explanation :

The entire concept of decoupling components ensures that the different components of
applications can be managed and maintained separately. If all components are tightly
coupled, the entire application would go down when one component goes down. Hence it is
always a better practice to decouple application components.

For more information on a decoupled architecture, please refer to the below
URL: http://whatis.techtarget.com/definition/decoupled-architecture

Domain : Billing and Pricing

Q10: A manufacturing firm has recently migrated their application servers to the
Amazon EC2 instance. The IT Manager is looking for the details of upcoming scheduled
maintenance activities which AWS would be performing on AWS resources, that may
impact the services on these EC2 instances.

Which of the following services can alert you about the changes that can affect
resources in your account?

A. AWS Organizations
B. AWS Personal Health Dashboard
C. AWS Trusted Advisor
D. AWS Service Health Dashboard

Answer – B

Explanation :

AWS Personal Health Dashboard provides alerts for AWS services availability &
performance which may impact resources deployed in your account. Customers get emails &
mobile notifications for scheduled maintenance activities which might impact services on
these AWS resources.

Option A is incorrect as AWS Organizations do not provide any notifications for scheduled
maintenance activities.

Option C is incorrect as AWS Trusted Advisor will provide notification on AWS resources
created within the account for cost optimization, security, fault tolerance, performance, and
service limits. It will not provide notification for scheduled maintenance activities performed
by AWS on its resources.

Option D is incorrect as Service Health Dashboard displays the general status of all AWS
services & will not display scheduled maintenance activities.

For more information on the AWS Organizations, please refer to the below
URL: https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/

Domain : Security

Q11: Which of the following AWS services can be used to retrieve configuration
changes made to AWS resources causing operational issues?

A. Amazon Inspector
B. AWS CloudFormation
C. AWS Trusted Advisor
D. AWS Config

Answer – D

Explanation :

AWS Config can be used to audit and evaluate configurations of AWS resources. If there are any
operational issues, AWS Config can be used to retrieve configuration changes made to
AWS resources that may have caused these issues.

• Option A is incorrect as Amazon Inspector can be used to analyze potential security
threats for an Amazon EC2 instance against an assessment template with predefined
rules. It does not provide historical data for configuration changes done to AWS
resources.
• Option B is incorrect as AWS CloudFormation provides templates to provision and
configure resources in AWS.
• Option C is incorrect as AWS Trusted Advisor can help optimize resources with
AWS cloud with respect to cost, security, performance, fault tolerance, and service
limits. It does not provide historical data for configuration changes done to AWS
resources.

For more information on AWS Config, refer to the following
URL: https://docs.aws.amazon.com/config/latest/developerguide/WhatIsConfig.html

Domain : Security

Q12: An organization runs several EC2 instances inside a VPC using three subnets, one
for Development, one for Test, and one for Production. The Security team has some
concerns about the VPC configuration. It requires restricting communication across the
EC2 instances using Security Groups.

Which of the following options is true for Security Groups related to the scenario?

A. You can change a Security Group associated with an instance if the instance is in the
running state.
B. You can change a Security Group associated with an instance if the instance is in the
hibernate state.
C. You can change a Security Group only if there are no instances associated to it.
D. The only Security Group you can change is the Default Security Group.

Answer: A

Explanation :
• Option A is CORRECT because the AWS documentation mentions it in the section
called “Changing an Instance’s Security Group” using the following sentence: “After
you launch an instance into a VPC, you can change the security groups that are
associated with the instance. You can change the security groups for an instance when
the instance is in the running or stopped state.”
• Option B is incorrect as you can change the security groups for an instance when
the instance is in the running or stopped state, not hibernate state.
• Option C is incorrect because there have to be some instances associated.
• Option D is incorrect because other security groups can also be changed.

Reference:
https://docs.aws.amazon.com/en_pv/vpc/latest/userguide/VPC_SecurityGroups.html

Domain : Technology

Q13: Which of the following features of Amazon RDS allows for better availability of
databases? Choose the answer from the options given below.

A. VPC Peering
B. Multi-AZ
C. Read Replicas
D. Data encryption

Answer – B

Explanation :

The AWS Documentation mentions the following.

If you are looking to use replication to increase database availability while protecting your
latest database updates against unplanned outages, consider running your DB instance as a
Multi-AZ deployment.

For more information on AWS RDS, please visit the FAQ
Link: https://aws.amazon.com/rds/faqs/

Domain : Technology

Q14: Your company wants to move an existing Oracle database to the AWS Cloud.
Which of the following services can help facilitate this move?

A. AWS Database Migration Service
B. AWS VM Migration Service
C. AWS Inspector
D. AWS Trusted Advisor

Answer – A

Explanation :

The AWS Documentation mentions the following.

AWS Database Migration Service helps you migrate databases to AWS quickly and securely.
The source database remains fully operational during the migration, minimizing downtime to
applications that rely on the database. The AWS Database Migration Service can migrate
your data to and from the most widely used commercial and open-source databases.

For more information on AWS Database migration, please refer to the below
URL:https://aws.amazon.com/dms/

Domain : Security

Q15: Which of the following services allows you to analyze EC2 Instances against pre-
defined security templates to check for vulnerabilities?

A. AWS Trusted Advisor
B. AWS Inspector
C. AWS WAF
D. AWS Shield

Answer – B

Explanation :

The AWS Documentation mentions the following.

Amazon Inspector enables you to analyze the behavior of your AWS resources and helps you
to identify potential security issues. Using Amazon Inspector, you can define a collection of
AWS resources that you want to include in an assessment target. You can then create an
assessment template and launch a security assessment run of this target.

For more information on AWS Inspector, please refer to the below
URL: https://docs.aws.amazon.com/inspector/latest/userguide/inspector_introduction.html

Domain : Technology

Q16: A website for an international sport governing body would like to serve its content
to viewers from different parts of the world in their vernacular language. Which of the
following services provide location-based web personalization using geolocation
headers?

A. Amazon CloudFront
B. Amazon EC2 Instance
C. Amazon Lightsail
D. Amazon Route 53

Answer – A

Explanation :

Amazon CloudFront supports country-level location-based web content personalization with
a feature called Geolocation Headers.

You can configure CloudFront to add additional geolocation headers that provide more
granularity in your caching and origin request policies. The new headers give you more
granular control of cache behavior and your origin access to the viewer’s country name,
region, city, postal code, latitude, and longitude, all based on the viewer’s IP address.

• Option B is INCORRECT because EC2 is just a distractor, not suitable for routing
and delivery.
• Option C is INCORRECT because Amazon Lightsail will primarily allow for
developing, deploying, and hosting websites and web applications. The service will
not meet the requirements of the scenario.
• Option D is INCORRECT because the geolocation routing policy of Route 53 allows
different resources to serve content based on the origin of the request. Route 53 does
not use geolocation headers.

References:

https://aws.amazon.com/about-aws/whats-new/2020/07/cloudfront-geolocation-headers/
https://aws.amazon.com/blogs/networking-and-content-delivery/leverage-amazon-cloudfront-geolocation-headers-for-state-level-geo-targeting/

Domain : Security

Q17: Which of the following can be used to protect against DDoS attacks? Choose 2
answers from the options given below.

A. AWS EC2
B. AWS RDS
C. AWS Shield
D. AWS Shield Advanced

Answer – C and D

Explanation :

The AWS Documentation mentions the following:

AWS Shield – All AWS customers benefit from the automatic protections of AWS Shield
Standard, at no additional charge. AWS Shield Standard defends against most common,
frequently occurring network and transport layer DDoS attacks that target your web site or
applications.

AWS Shield Advanced – For higher levels of protection against attacks targeting your web
applications running on Amazon EC2, Elastic Load Balancing (ELB), CloudFront, and Route
53 resources, you can subscribe to AWS Shield Advanced. AWS Shield Advanced provides
expanded DDoS attack protection for these resources.

For more information on AWS Shield, please refer to the below
URL: https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html

Domain : Technology

Q18: Which of the following are the recommended resources to be deployed in the
Amazon VPC private subnet?

A. NAT Gateways
B. Bastion Hosts
C. Database Servers
D. Internet Gateways

Answer – C

Explanation :

Because database servers contain confidential information, from a security perspective they
should be deployed in a Private Subnet.

Amazon Virtual Private Cloud (Amazon VPC) enables the user to launch AWS resources
into a virtual network that a user has defined.

Option A is incorrect because NAT devices (NAT Gateway, NAT Instance) allow instances
in private subnets to connect to the internet, other VPCs, or on-premises networks. They are
deployed in a public subnet.

Option B is incorrect because a bastion host is a server whose purpose is to provide access
(SSH access) to a private network from an external network, such as the Internet. It is
deployed in a public subnet.

Option D is incorrect because an Internet Gateway is a horizontally scaled, redundant, and
highly available VPC component that allows communication between your VPC and the
internet.

For more information on AWS VPC, please refer to the below
URL: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Networking.html
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Internet_Gateway.html
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-nat.html
https://aws.amazon.com/blogs/security/how-to-record-ssh-sessions-established-through-a-bastion-host/

Domain : Technology

Q19: A company wants to utilize AWS storage. For them, low storage cost is
paramount. The data is rarely retrieved and a data retrieval time of 13-14 hours is
acceptable for them. What is the best storage option to use?

A. Amazon S3 Glacier
B. S3 Glacier Deep Archive
C. Amazon EBS volumes
D. AWS CloudFront

Answer – B

Explanation :

S3 Glacier Deep Archive offers the lowest cost storage in the cloud, at prices lower than
storing and maintaining data in on-premises magnetic tape libraries or archiving data offsite.

It expands our data archiving offerings, enabling you to select the optimal storage class based
on storage and retrieval costs, and retrieval times.

Option B is correct because S3 Glacier Deep Archive offers low-cost storage and retrieval
time doesn’t matter for the company. If the question asks for fast retrieval time then S3
Glacier would be correct.

Option A is incorrect because S3 Glacier is not cheaper than S3 Glacier Deep Archive.

Options C and D are incorrect because they are not suitable for data archive and faster
retrieval. Also, CloudFront is not for storage.

With S3 Glacier, customers can store their data cost-effectively for months, years, or even
decades. S3 Glacier enables customers to offload the administrative burdens of operating and
scaling storage to AWS, so they don’t have to worry about capacity planning, hardware
provisioning, data replication, hardware failure detection, and recovery, or time-consuming
hardware migrations.

• Amazon S3 Glacier for archiving data that might infrequently need to be restored
within a few hours
• S3 Glacier Deep Archive for archiving long-term backup cycle data that might
infrequently need to be restored within 12 hours

Storage class             Expedited       Standard          Bulk
Amazon S3 Glacier         1–5 minutes     3–5 hours         5–12 hours
S3 Glacier Deep Archive   Not available   Within 12 hours   Within 48 hours

Reference:

https://docs.aws.amazon.com/amazonglacier/latest/dev/introduction.html
https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/amazon-s3-glacier.html
https://aws.amazon.com/s3/storage-classes/

Domain : Cloud Concepts

Q20: Which AWS service provides a fully managed NoSQL database service that
provides fast and predictable performance with seamless scalability?

A. AWS RDS
B. DynamoDB
C. Oracle RDS
D. Elastic Map Reduce

Answer – B

Explanation :

DynamoDB is a fully managed NoSQL offering provided by AWS. It is now available in
most regions for users to consume.

For more information on AWS DynamoDB, please refer to the below
URL: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html

Domain : Cloud Concepts

Q21: For which of the following AWS resources, the Customer is responsible for the
infrastructure-related security configurations?

A. Amazon RDS
B. Amazon DynamoDB
C. Amazon EC2
D. AWS Fargate

Answer: C

Explanation :

Amazon EC2 is an Infrastructure as a Service (IaaS) for which customers are responsible for
the security and the management of guest operating systems.

• Options A, B, and D are incorrect as all these resources are part of abstracted
services for which AWS is responsible for the security & infrastructure layer.
Customers are responsible for data that is saved on these resources.

For more information on the Shared responsibility model, refer to the following
URL:https://aws.amazon.com/compliance/shared-responsibility-model/

Domain : Cloud Concepts

Q22: In the shared responsibility model for infrastructure services, such as Amazon
Elastic Compute Cloud, which two of the below are the customer's responsibility?

A. Network infrastructure
B. Amazon Machine Images (AMIs)
C. Virtualization infrastructure
D. Physical security of hardware
E. Policies and configuration

Answer: B, E

Explanation :

In the shared responsibility model, AWS is primarily responsible for “Security of the Cloud.”
The customer is responsible for “Security in the Cloud.” In this scenario, the mentioned AWS
product is IaaS (Amazon EC2) and AWS manages the security of the following assets:

– Facilities

– Physical security of hardware

– Network infrastructure

– Virtualization infrastructure

Customers are responsible for the security of the following assets:

– Amazon Machine Images (AMIs)

– Operating systems

– Applications

– Data in transit

– Data at rest

– Data stores

– Credentials

– Policies and configuration

• Option A is incorrect. Refer to the explanation above and link in the references for
more details.
• Option B is correct. Refer to the explanation above and link in the references for
more details.
• Option C is incorrect. Refer to the explanation above and link in the references for
more details.
• Option D is incorrect. Refer to the explanation above and link in the references for
more details.
• Option E is correct. Refer to the explanation above and link in the references for
more details.

References:

https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html
https://aws.amazon.com/architecture/well-architected/?wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc

Domain : Billing and Pricing

Q23: AWS offers two savings plans to enable more savings and flexibility for its
customers, namely, Compute Savings Plans and EC2 Instance Savings Plans.

Which of the below statements is FALSE regarding Savings Plans?

A. Capacity Reservations are not provided with Savings Plans.
B. Savings Plans are available for all the regions.
C. Savings Plans will apply on ‘On-Demand Capacity Reservations’ that customers can
allocate for their needs.
D. The prices for Savings Plans do not change based on the amount of hourly commitment.

Answer: B

Explanation :

• Option A is INCORRECT. The given statement is True.
• Option B is CORRECT. The given statement is False. For China Regions, savings
plans are not available.
• Option C is INCORRECT. The given statement is True.
• Option D is INCORRECT. The given statement is True.

Reference: https://docs.aws.amazon.com/savingsplans/latest/userguide/what-is-savings-plans.html#sp-ris

Domain : Technology

Q24: Which of the below-listed services is a region-based AWS service?

A. AWS IAM
B. Amazon EFS
C. Amazon Route 53
D. Amazon CloudFront

Answer: B

Explanation :

• Option A is INCORRECT. AWS IAM is a global service.
• Option B is CORRECT. EFS is a regional service.
• Option C is INCORRECT. Route 53 is a global service.
• Option D is INCORRECT. Amazon CloudFront is a global service.

References:

https://aws.amazon.com/efs/
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/

Domain : Technology

Q25: Which of the following LightSail wizards allows the customers to “create a copy of
the LightSail instance in EC2”?

A. LightSail Backup
B. LightSail Copy
C. Upgrade to EC2
D. LightSail-EC2 snapshot

Answer: C

Explanation :

• Option A is INCORRECT. LightSail Backup is an invalid option.
• Option B is INCORRECT. LightSail Copy is an invalid option.
• Option C is CORRECT. “Upgrade to EC2” is the feature that allows customers to
“create a copy of the LightSail instance in EC2”.
To get started, you need to export your Lightsail instance manual snapshot. You’ll
then use the Upgrade to EC2 wizard to create an instance in EC2.
Customers who are comfortable with EC2 can then use the EC2 creation wizard or
API to create a new EC2 instance as they would from an existing EC2 AMI.
• Option D is INCORRECT. A LightSail-EC2 snapshot is an invalid option.

Reference:

https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-exporting-snapshots-to-amazon-ec2
https://aws.amazon.com/lightsail/features/upgrade-to-ec2/

Domain : Technology

Q26 : Which of the following features of Amazon Connect helps better customer
engagement on AWS Cloud?

A. Push Notification
B. High Quality Audio
C. Mailbox Simulator
D. Reputation Dashboard

Correct Answer: B

Amazon Connect is an omnichannel cloud contact centre which can be set up easily & at
low cost. It has the following features which help to provide customers a superior service:

1. Telephone as a service
2. High quality Audio
3. Omnichannel routing
4. Web & Mobile Chat
5. Task management
6. Contact Centre automation
7. Rules Engine.

Option A is incorrect as Push Notification is not a feature of Amazon Connect. It’s one of
the features of Amazon Pinpoint.
Option C is incorrect as Mailbox Simulator is not a feature of Amazon Connect. It’s one of
the features of Amazon SES.
Option D is incorrect as Reputation Dashboard is not a feature of Amazon Connect. It’s one
of the features of Amazon SES.

For more information on Amazon Connect, refer to the following URL:
https://aws.amazon.com/connect/features/

Domain : Technology

Q27: A large IT company is looking to enable its large user base to remotely access
Linux desktops from any location. Which service can be used for this purpose?

A. Amazon Cognito
B. Amazon AppStream 2.0
C. Amazon WorkSpaces
D. Amazon WorkLink

Correct Answer: C

Amazon WorkSpaces provides a secure managed service for virtual desktops for remote
users. It supports both Windows & Linux based virtual desktops for a large number of users.

Option A is incorrect as Amazon Cognito can be used to control access to AWS resources
from an application.
Option B is incorrect as Amazon AppStream 2.0 can be used to provide access to
applications or a non-persistent desktop from any location.
Option D is incorrect as Amazon WorkLink can be used by internal employees to securely
access internal websites & applications using mobile phones.

For more information on Amazon WorkSpaces, refer to the following URL:
https://aws.amazon.com/workspaces/features/

Domain : Cloud Concepts

Q28 : Users in the Developer Team need to deploy a multi-tier web application. Which
service can be used to create a customized portfolio that will help users with quick
deployment?

A. AWS Config
B. AWS Code Deploy
C. AWS Service Catalog
D. AWS Cloud Formation

Correct Answer: C

AWS Service Catalog can be used to create & deploy portfolios of products within AWS
infrastructure. This helps to create consistent resources within AWS infrastructure with quick
deployment. These catalogues can be used for deployment of a single resource or a multi-tier
web application consisting of web, application, & database layer resources.

Option A is incorrect as AWS Config is used for evaluating configuration on the resources
deployed in AWS cloud. It will not help with creating portfolios of resources for quick
deployment.
Option B is incorrect as AWS CodeDeploy is a managed service for automating software
deployment on AWS resources & on-premise systems. It is not suitable for creating portfolios
of resources for quick deployment.
Option D is incorrect as AWS CloudFormation is a service for provisioning AWS resources
using templates.

For more information on AWS Service Catalog, refer to the following URL:
https://aws.amazon.com/servicecatalog/features/

Domain : Billing and Pricing

Q29 : A large oil & gas company is planning to deploy a high-volume application on
multiple Amazon EC2 instances. Which of the following can help to reduce operational
expenses?

A. Deploy Amazon EC2 instance with Auto-scaling
B. Deploy Amazon EC2 instance in multiple AZ’s
C. Deploy Amazon EC2 instance with Amazon instance store-backed AMI
D. Deploy Amazon EC2 instance with Cluster placement group

Correct Answer: A

Using Amazon EC2 Auto-Scaling helps to match the workload on the application with the
optimum number of Amazon EC2 instances. As a result, during low load on the application,
Amazon EC2 instances are terminated, which reduces operational cost.

Option B is incorrect as deploying an Amazon EC2 instance in multiple AZs might
enhance application availability but will not reduce operational expenses.
Option C is incorrect as deploying an Amazon EC2 instance with Amazon instance store-
backed AMI incurs charges for Amazon EC2 instance usage & storing the AMI in Amazon S3.
There will be no impact on operational expense using this AMI type.
Option D is incorrect as deploying an Amazon EC2 instance in a cluster placement group
will help to have low latency between instances but will not reduce operational expenses.

For more information on reducing cost using AWS cloud, refer to the following URL:
https://aws.amazon.com/economics/

Domain : Cloud Concepts

Q30 : Which of the following activities are within the scope of AWS Support?

A. Troubleshooting API issues
B. Code Development
C. Debugging custom software
D. Third-party application configuration on AWS resources
E. Database query tuning

Correct Answers: A and D

The following activities are performed as a part of AWS Support:

1. Queries regarding all AWS Services & features.
2. Best Practices to integrate, deploy & manage applications in the AWS cloud.
3. Troubleshooting API & SDK issues.
4. Troubleshooting operational issues.
5. Issues related to any AWS Tools.
6. Problems detected by EC2 health checks.
7. Third-Party application configuration on AWS resources & products.

AWS Support does not include:

• Code development
• Debugging custom software
• Performing system administration tasks
• Database query tuning
• Cross-Account Support

Option B is incorrect as Code Development is not in the scope of AWS Support. This needs
to be taken care of by the customer.
Option C is incorrect as Debugging custom software is not in the scope of AWS Support.
This needs to be taken care of by the customer.
Option E is incorrect as Database query tuning is not in the scope of AWS Support. This
needs to be taken care of by the customer.

For more information on AWS Support, refer to the following URL:
https://aws.amazon.com/premiumsupport/

Domain: Billing and Pricing

Q31: I have a huge amount of data (images, documents). I want to store them on AWS
storage service S3 and know how S3 is priced to make informed decisions. Which of the
following is accounted as a cost for S3 storage? Select TWO.

A. While uploading data to an S3 bucket

B. Lifecycle transition requests

C. Outbound data transfer from S3 in US-West to an EC2 instance in US-West

D. Outbound data transfer to Amazon CloudFront

E. Outbound data transfer from S3 in US-East to an EC2 instance in US-West

Correct Answers: B and E

Explanation:

Option A is incorrect. Data transferred in from the internet to S3 does not incur any
charges.

Option B is CORRECT. Lifecycle data transfers between the storage classes can be
considered as GET/PUT operations from the source storage class to the target storage class
which will incur cost.

Option C is incorrect. Outbound data transfers from S3 within the same Region (including a
different AWS account) do not incur any charges.

Option D is incorrect. Data transferred out to Amazon CloudFront performed as a request
by CloudFront to the Origin server (S3) for caching content does not incur any charges.

Option E is CORRECT since the Outbound data transfer is done out of the region where the
S3 bucket resides.
References:

• https://aws.amazon.com/s3/pricing/
• http://pragmaticnotes.com/2020/04/22/s3-to-glacier-lifecycle-transition-see-if-its-worth-it/

Domain: Technology

Q32: I am using the Amazon Simple Notification Service to send notifications to alert
admins whenever the CPU utilization of an EC2 instance crosses 70%. Which of the
following can be subscribers to an SNS Topic? (Select TWO)

A. Email

B. Amazon S3

C. AWS Lambda

D. Amazon CloudWatch

E. Amazon DynamoDB streams

Correct Answers: A and C

Explanation:

SNS is extremely useful for the fan-out types of applications, i.e., multiple clients that push
messages to an SNS topic & multiple listeners can be notified when a message arrives at the
Topic.

Option A is CORRECT. SNS messages can be sent to registered addresses as Email
(text-based or Object), which act as subscribers to the notification.

Option B is incorrect. S3 acts as a publisher of SNS notifications. When a file is uploaded to
S3, it can publish an event that can then be subscribed to & acted upon.

Option C is CORRECT. A Lambda function can subscribe to an SNS Topic and can act on
any events that are published to that Topic. An S3 PUT or CREATE event for uploading
documents can have a Lambda subscriber that can pull out metadata information contained
within the documents & store it in a DynamoDB database.

Option D is incorrect. CloudWatch will act as a publisher of events using alarms. Getting
back to our scenario, we can set CloudWatch alarms on the CPU utilization metrics of the
EC2 instance. The alarms can then be published to an SNS Topic for notifying users.

Option E is incorrect. DynamoDB streams are events that are emitted when record
modifications occur on a DynamoDB table like INSERT, UPDATE, etc. They are extremely
useful to create informative dashboards in real-time. DynamoDB streams can trigger a
Lambda function that can publish a message to an SNS Topic. So we can see here that
the DynamoDB stream acts as a publisher of events.
References:

• https://docs.aws.amazon.com/sns/latest/dg/welcome.html
• https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html

Domain: Technology

Q 33: I require different levels of access for my application that is installed on an EC2
instance. I have configured an ENI for the same purpose. Which of the following
statements is incorrect?

A. I can detach the primary ENI of my EC2 instance and connect it to another instance for
moving its Elastic IP

B. I can configure a Security Group for my ENI and restrict traffic to the EC2 instance

C. I can detach a secondary ENI containing a Private IP from one EC2 instance and attach it
to another

D. I can attach an Elastic IP to an EC2 instance in another subnet by releasing it from the ENI
in the current subnet to which it is currently attached

Correct Answer: A

Explanation:

Option A is CORRECT. The primary ENI of an instance cannot be detached from the
instance. By default, the primary ENI is created with the creation of the EC2 instance &
deleted when the instance is terminated.

Option B is incorrect since an EC2 instance may require restricted access to certain IP
addresses. This can be achieved by creating a new ENI & attaching a Public IP & Security
Group restricting permissions.

Option C is incorrect. Secondary ENIs that are created can be detached from the instance to
which they are attached & attached to another instance within the same subnet. The Private IP
then gets allocated to the second instance to which the ENI is currently attached.

Option D is incorrect. ENIs are subnet specific. So for attaching an Elastic IP to an instance
in a different subnet, I need to first release it to the pool by disassociating it from an attached
instance. This way, I can attach the Elastic IP to an instance in a different subnet.

References:

• https://youtu.be/Zg8rMLE88mg
• https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html

Domain: Security
Q 34: To make programmatic calls to AWS, a user was provided an access key ID and
secret access key. However, the user has now forgotten the shared credentials and
cannot make the required programmatic calls.

How can an access key ID and secret access key be provided to the user?

A. Use the “Forgot Password” Option

B. Use “Create New Access Key” by logging in to AWS Management Console as the root
user

C. Credentials cannot be generated

D. Raise a ticket with AWS Support

Correct Answer: B

Explanation:

Option A is INCORRECT. This is an invalid option.

Option B is CORRECT.

Option C is INCORRECT. This is an incorrect option. We can create a new access key by
logging in to Management Console as a root user.

Option D is INCORRECT. This is an incorrect option. We can create a new access key by
logging in to Management Console as a root user.

Reference:

https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html

Domain: Security

Q 34: Which of the following statements accurately describe a function of AWS Secrets
Manager? [Select Two]

A. Encrypts authentication information in code, ensuring that it is unreadable, that is, not in
plain-text.

B. Replaces the need to hardcode authentication credentials in code.

C. Makes it possible to include an API call in code that retrieves authentication information
from a central repository.

D. Automatically rotates and updates the code in the application build, ensuring that
repositories are kept up to date.

E. Facilitates the embedding of authentication information in code during runtime.


Correct Answer: B and C

Explanation:

AWS Secrets Manager allows users to replace authentication information in code with an
API call to Secrets Manager. This API call then retrieves the secret programmatically. This
safeguards the secret from being compromised since the secret is removed from the code.
AWS Secrets Manager automatically rotates the secret in accordance with specified
schedules which allows the implementation of more secure short-term secrets. These, in turn,
reduce the risk of authentication information in code being compromised.

Option A is INCORRECT because AWS Secrets Manager does not encrypt authentication
information whilst it is in the code.

Option D is INCORRECT because AWS Secrets Manager does not automatically rotate or
update the application code. Rather, it automatically rotates the secret in accordance with
specified schedules.

Option E is INCORRECT because AWS Secrets Manager does not facilitate embedding
authentication information in code during runtime. Developers do not need to hard-code
authentication information in code.

Reference:

https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html

Question 1: What advantages does a database administrator obtain by using the Amazon
Relational Database Service (RDS)?

A. RDS provides 99.99999999999% reliability and durability
B. RDS databases automatically scale based on load
C. RDS enables users to dynamically adjust CPU and RAM resources
D. RDS simplifies relational database administration tasks

The correct answer is D. “RDS simplifies relational database administration tasks”.

Explanation:

Amazon RDS is a managed relational database service on which you can run several types of
database software. The service is managed so this reduces the database administration tasks
an administrator would normally undertake. The managed service includes hardware
provisioning, database setup, patching and backups.

A. “RDS provides 99.99999999999% reliability and durability” is incorrect. This is not true
of Amazon RDS.

B. “RDS databases automatically scale based on load” is incorrect. This is not true; storage
auto scaling is possible, but compute scales by changing the instance type (manual).

C. “RDS enables users to dynamically adjust CPU and RAM resources” is incorrect. You
cannot adjust CPU and RAM dynamically; you must change the instance type and reboot the
database instance.

References:

https://aws.amazon.com/rds/

https://digitalcloud.training/aws-database-services/

Question 2: A large company is interested in avoiding long-term contracts and moving from
fixed costs to variable costs. What is the value proposition of AWS for this company?

A. Economies of scale
B. Pay-as-you-go pricing
C. Volume pricing discounts
D. Automated cost optimization

The correct answer is B. “Pay-as-you-go pricing”.

Explanation:

Pay-as-you-go pricing helps companies move away from fixed costs to variable costs in a
model in which they only pay for what they actually use. There are no fixed term contracts
with AWS so that requirement is also met.

A. “Economies of scale” is incorrect. You do get good pricing because of the economies of
scale leveraged by AWS. However, the value proposition for companies wishing to avoid
fixed costs is pay-as-you-go pricing. This flexibility can be more important in some cases
than the actual cost per unit.

C. “Volume pricing discounts” is incorrect. This is not the value proposition for this company
as they are seeking to avoid long-term contracts and fixed costs, not to achieve a discount.

D. “Automated cost optimization” is incorrect. This is not a feature that relates to the value
proposition for this customer.

References:

https://aws.amazon.com/pricing/

https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-billing-and-pricing/

Question 3: A customer needs to determine Total Cost of Ownership (TCO) for a workload
that requires physical isolation. Which hosting model should be used?

A. Dedicated Hosts
B. Reserved Instances
C. On-Demand Instances
D. Spot Instances

The correct answer is A. “Dedicated Hosts”.

Explanation:

An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully
dedicated to your use. Dedicated Hosts allow you to use your existing per-socket, per-core, or
per-VM software licenses, including Windows Server, Microsoft SQL Server, SUSE, and
Linux Enterprise Server.

Note that Dedicated Hosts can be considered a “hosting model” as it determines the actual
underlying infrastructure that is used for running your workload. All of the other answers are
simply pricing plans for shared hosting models.

B. “Reserved Instances” is incorrect as this pricing model does not support physical isolation.

C. “On-Demand Instances” is incorrect as this pricing model does not support physical
isolation.

D. “Spot Instances” is incorrect as this pricing model does not support physical isolation.

References:

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html

https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-compute/

Question 4: Which design principles are enabled by the AWS Cloud to improve the
operation of workloads? (Select TWO)

A. Minimize platform design
B. Loose coupling
C. Customized hardware
D. Remove single points of failure
E. Minimum viable product

The correct answer is B. “Loose coupling” and D. “Remove single points of failure”.

Explanation:

Loose coupling is when you break systems down into smaller components that are loosely
coupled together. This reduces interdependencies between system components. This is
achieved in the cloud using message buses, notification and messaging services.

Removing single points of failure ensures fault tolerance and high availability. This is easily
achieved in the cloud as the architecture and features of the cloud support the implementation
of highly available and fault tolerant systems.

A. “Minimize platform design” is incorrect. This is not an operational advantage for
workloads in the cloud.

C. “Customized hardware” is incorrect. You cannot customize hardware in the cloud.

E. “Minimum viable product” is incorrect. This is not an operational advantage for workloads
in the cloud.

References:

https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf

https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/architecting-for-the-cloud/

Question 5: A user is planning to launch three EC2 instances behind a single Elastic Load
Balancer. The deployment should be highly available.

A. Launch the instances across multiple Availability Zones in a single AWS Region.
B. Launch the instances as EC2 Spot Instances in the same AWS Region and the same
Availability Zone.
C. Launch the instances in multiple AWS Regions, and use Elastic IP addresses.
D. Launch the instances as EC2 Reserved Instances in the same AWS Region, but in different
Availability Zones.

The correct answer is A. “Launch the instances across multiple Availability Zones in a single
AWS Region.”

Explanation:

To make the deployment highly available the user should launch the instances across multiple
Availability Zones in a single AWS Region. Elastic Load Balancers can only serve targets in
a single Region so it is not possible to deploy across Regions.

B. “Launch the instances as EC2 Spot Instances in the same AWS Region and the same
Availability Zone” is incorrect. The pricing model is not relevant to high availability and
deploying in a single AZ does not result in a highly available deployment.

C. “Launch the instances in multiple AWS Regions, and use Elastic IP addresses” is
incorrect. You cannot use an ELB with instances in multiple Regions and using an EIP does
not help.

D. “Launch the instances as EC2 Reserved Instances in the same AWS Region, but in
different Availability Zones” is incorrect. Using reserved instances may not be appropriate as
we do not know whether this is going to be a long-term workload or not.

References:

https://aws.amazon.com/about-aws/global-infrastructure/regions_az/
https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-global-infrastructure/
