Domain Wise
Answer – B
Explanation :
Elasticity is the ability of an application to scale up and
scale down based on demand. An example of such a service is the Autoscaling service.
For more information on AWS Autoscaling service, please refer to the below
URL: https://aws.amazon.com/autoscaling/
A, C and D are incorrect. Elasticity will not have positive effects on storage, cost or design
agility.
Q2: Which tool can you use to forecast your AWS spending?
A. AWS Organizations
B. Amazon Dev Pay
C. AWS Trusted Advisor
D. AWS Cost Explorer
Answer – D
Explanation :
Cost Explorer is a free tool that you can use to view your costs. You can view data up to the
last 12 months. You can forecast how much you are likely to spend for the next 12 months
and get recommendations for what Reserved Instances to purchase. You can use Cost
Explorer to see patterns in how much you spend on AWS resources over time, identify areas
that need further inquiry, and see trends that you can use to understand your costs. You also
can specify time ranges for the data and view time data by day or by month.
For more information on the AWS Cost Explorer, please refer to the below
URL: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-explorer-what-is.html
A, B and C are incorrect. These services do not relate to billing and cost.
Domain : Technology
Q3: A business analyst would like to move away from creating complex database
queries and static spreadsheets when generating regular reports for high-level
management. They would like to publish insightful, graphically appealing reports with
interactive dashboards. Which service can they use to accomplish this?
A. Amazon QuickSight
B. Business intelligence on Amazon Redshift
C. Amazon CloudWatch dashboards
D. Amazon Athena integrated with Amazon Glue
Correct Answer – A
Explanation :
Domain : Technology
Q4. What is the AWS feature that enables fast, easy and secure transfers of files over
long distances between your client and your Amazon S3 bucket?
A. File Transfer
B. HTTP Transfer
C. Amazon S3 Transfer Acceleration
D. S3 Acceleration
Answer – C
Explanation :
Amazon S3 Transfer Acceleration enables fast, easy, and secure transfers of files over long
distances between your client and an S3 bucket. Transfer Acceleration takes advantage of
Amazon CloudFront’s globally distributed edge locations. As the data arrives at an edge
location, data is routed to Amazon S3 over an optimized network path.
Options A, B and D are incorrect. These features deal with transferring data but not
between clients and an S3 bucket.
Domain : Security
Q5: What best describes the “Principle of Least Privilege”? Choose the correct answer
from the options given below.
A. All users should have the same baseline permissions granted to them to use basic AWS
services.
B. Users should be granted permission to access only resources they need to do their assigned
job.
C. Users should submit all access requests in written form so that there is a paper trail of who
needs access to different AWS resources.
D. Users should always have a little more permission than they need.
Answer – B
Explanation :
The principle means giving a user account only those privileges which are essential to
perform its intended function. For example, a user account for the sole purpose of creating
backups does not need to install software. Hence, it has rights only to run backup and
backup-related applications.
For more information on the principle of least privilege, please refer to the following link:
https://en.wikipedia.org/wiki/Principle_of_least_privilege
Options A, C, and D are incorrect. These actions would not adhere to the Principle of Least
Privilege.
Domain : Security
Q6: A web administrator maintains several public and private web-based resources for
an organisation. Which service can they use to keep track of the expiry dates of
SSL/TLS certificates as well as updating and renewal?
Correct Answer – D
Explanation :
The AWS Certificate Manager allows the web administrator to maintain one or several
SSL/TLS certificates, both private and public certificates including their update and renewal
so that the administrator does not worry about the imminent expiry of
certificates. https://aws.amazon.com/certificate-manager/
Option A is INCORRECT. The AWS Lifecycle Manager creates life cycle policies
for specified resources to automate operations. https://docs.aws.amazon.com/dlm/?id=docs_gateway
Q7: Which of the following is the responsibility of the customer to ensure the
availability and backup of the EBS volumes?
Answer – B
Explanation :
Snapshots are incremental backups, which means that only the blocks on the device that have
changed after your most recent snapshot are saved.
When you create an EBS volume based on a snapshot, the new volume begins as an exact
replica of the original volume that was used to create the snapshot. The replicated volume
loads data in the background so that you can begin using it immediately.
Amazon EBS snapshots | Source: aws.amazon.com
Option A is incorrect because there is no need for backup of the volumes if data is already
deleted.
Option C is incorrect because attaching more EBS volumes doesn’t ensure availability; if
there is no snapshot, the volume cannot be available to a different Availability Zone.
Option D is incorrect because EBS volumes cannot be copied; they can only be replicated using
snapshots.
Domain : Security
Q8: Which of the following services can be used as an application firewall in AWS?
A. AWS Snowball
B. AWS WAF
C. AWS Firewall
D. AWS Protection
Answer – B
Explanation :
AWS WAF is a web application firewall that lets you monitor the HTTP and HTTPS requests
that are forwarded to Amazon CloudFront or an Application Load Balancer. AWS WAF also
lets you control access to your content.
AWS Snowball, a part of the AWS Snow Family, is an edge computing, data migration, and
edge storage device that comes in two options. Snowball Edge Storage Optimized devices
provide both block storage and Amazon S3-compatible object storage, and 40 vCPUs.
Q9: Your design team is planning to design an application that will be hosted on the
AWS Cloud. One of their main non-functional requirements is given below:
Reduce inter-dependencies so failures do not impact other components.
Which of the following concepts does this requirement relate to?
A. Integration
B. Decoupling
C. Aggregation
D. Segregation
Answer – B
Explanation :
The entire concept of decoupling components ensures that the different components of
applications can be managed and maintained separately. If all components are tightly
coupled, the entire application would go down when one component goes down. Hence it is
always a better practice to decouple application components.
For more information on a decoupled architecture, please refer to the below
URL: http://whatis.techtarget.com/definition/decoupled-architecture
Q10: A manufacturing firm has recently migrated their application servers to the
Amazon EC2 instance. The IT Manager is looking for the details of upcoming scheduled
maintenance activities which AWS would be performing on AWS resources, that may
impact the services on these EC2 instances.
Which of the following services can alert you about the changes that can affect
resources in your account?
A. AWS Organizations
B. AWS Personal Health Dashboard
C. AWS Trusted Advisor
D. AWS Service Health Dashboard
Answer – B
Explanation :
AWS Personal Health Dashboard provides alerts for AWS services availability &
performance which may impact resources deployed in your account. Customers get emails &
mobile notifications for scheduled maintenance activities which might impact services on
these AWS resources.
Option A is incorrect as AWS Organizations does not provide any notifications for scheduled
maintenance activities.
Option C is incorrect as AWS Trusted Advisor will provide notification on AWS resources
created within the account for cost optimization, security, fault tolerance, performance, and
service limits. It will not provide notification for scheduled maintenance activities performed
by AWS on its resources.
Option D is incorrect as Service Health Dashboard displays the general status of all AWS
services & will not display scheduled maintenance activities.
For more information on the AWS Organizations, please refer to the below
URL: https://aws.amazon.com/premiumsupport/technology/personal-health-dashboard/
Domain : Security
Q11: Which of the following AWS services can be used to retrieve configuration
changes made to AWS resources causing operational issues?
A. Amazon Inspector
B. AWS CloudFormation
C. AWS Trusted Advisor
D. AWS Config
Answer – D
Explanation :
AWS Config can be used to audit and evaluate configurations of AWS resources. If there are any
operational issues, AWS Config can be used to retrieve configuration changes made to
AWS resources that may have caused these issues.
Domain : Security
Q12: An organization runs several EC2 instances inside a VPC using three subnets, one
for Development, one for Test, and one for Production. The Security team has some
concerns about the VPC configuration. It requires restricting communication across the
EC2 instances using Security Groups.
Which of the following options is true for Security Groups related to the scenario?
A. You can change a Security Group associated with an instance if the instance is in the
running state.
B. You can change a Security Group associated with an instance if the instance is in the
hibernate state.
C. You can change a Security Group only if there are no instances associated to it.
D. The only Security Group you can change is the Default Security Group.
Answer: A
Explanation :
Option A is CORRECT because the AWS documentation mentions it in the section
called “Changing an Instance’s Security Group” using the following sentence: “After
you launch an instance into a VPC, you can change the security groups that are
associated with the instance. You can change the security groups for an instance when
the instance is in the running or stopped state.”
Option B is incorrect as you can change the security groups for an instance when
the instance is in the running or stopped state, not in the hibernate state.
Option C is incorrect because there have to be some instances associated.
Option D is incorrect because other security groups can also be changed.
Reference:
https://docs.aws.amazon.com/en_pv/vpc/latest/userguide/VPC_SecurityGroups.html
Domain : Technology
Q13: Which of the following features of Amazon RDS allows for better availability of
databases? Choose the answer from the options given below.
A. VPC Peering
B. Multi-AZ
C. Read Replicas
D. Data encryption
Answer – B
Explanation :
If you are looking to use replication to increase database availability while protecting your
latest database updates against unplanned outages, consider running your DB instance as a
Multi-AZ deployment.
Domain : Technology
Q14: Your company wants to move an existing Oracle database to the AWS Cloud.
Which of the following services can help facilitate this move?
Explanation :
AWS Database Migration Service helps you migrate databases to AWS quickly and securely.
The source database remains fully operational during the migration, minimizing downtime to
applications that rely on the database. The AWS Database Migration Service can migrate
your data to and from the most widely used commercial and open-source databases.
For more information on AWS Database migration, please refer to the below
URL: https://aws.amazon.com/dms/
Domain : Security
Q15: Which of the following services allows you to analyze EC2 Instances against
pre-defined security templates to check for vulnerabilities?
Answer – B
Explanation :
Amazon Inspector enables you to analyze the behavior of your AWS resources and helps you
to identify potential security issues. Using Amazon Inspector, you can define a collection of
AWS resources that you want to include in an assessment target. You can then create an
assessment template and launch a security assessment run of this target.
Domain : Technology
Q16: A website for an international sport governing body would like to serve its content
to viewers from different parts of the world in their vernacular language. Which of the
following services provide location-based web personalization using geolocation
headers?
A. Amazon CloudFront
B. Amazon EC2 Instance
C. Amazon Lightsail
D. Amazon Route 53
Answer – A
Explanation :
You can configure CloudFront to add additional geolocation headers that provide more
granularity in your caching and origin request policies. The new headers give you more
granular control of cache behavior and your origin access to the viewer’s country name,
region, city, postal code, latitude, and longitude, all based on the viewer’s IP address.
Option B is INCORRECT because EC2 is just a distractor, not suitable for routing
and delivery.
Option C is INCORRECT because Amazon Lightsail will primarily allow for
developing, deploying, and hosting websites and web applications. The service will
not meet the requirements of the scenario.
Option D is INCORRECT because the geolocation routing policy of Route53 allows
different resources to serve content based on the origin of the request. Route 53 does
not use geolocation headers.
References:
https://aws.amazon.com/about-aws/whats-new/2020/07/cloudfront-geolocation-headers/
https://aws.amazon.com/blogs/networking-and-content-delivery/leverage-amazon-cloudfront-geolocation-headers-for-state-level-geo-targeting/
Domain : Security
Q17: Which of the following can be used to protect against DDoS attacks? Choose 2
answers from the options given below.
A. AWS EC2
B. AWS RDS
C. AWS Shield
D. AWS Shield Advanced
Answer – C and D
Explanation :
AWS Shield – All AWS customers benefit from the automatic protections of AWS Shield
Standard, at no additional charge. AWS Shield Standard defends against most common,
frequently occurring network and transport layer DDoS attacks that target your web site or
applications.
AWS Shield Advanced – For higher levels of protection against attacks targeting your web
applications running on Amazon EC2, Elastic Load Balancing (ELB), CloudFront, and Route
53 resources, you can subscribe to AWS Shield Advanced. AWS Shield Advanced provides
expanded DDoS attack protection for these resources.
Domain : Technology
Q18: Which of the following are the recommended resources to be deployed in the
Amazon VPC private subnet?
A. NAT Gateways
B. Bastion Hosts
C. Database Servers
D. Internet Gateways
Answer – C
Explanation :
Amazon Virtual Private Cloud (Amazon VPC) enables the user to launch AWS resources
into a virtual network that a user has defined.
Option A is incorrect because NAT devices (NAT Gateway, NAT instance) allow instances
in private subnets to connect to the internet, other VPCs, or on-premises networks. A NAT
device is deployed in a public subnet.
Option B is incorrect because a bastion host is a server whose purpose is to provide access
(SSH access) to a private network from an external network, such as the Internet. It is
deployed in a public subnet.
Domain : Technology
Q19: A company wants to utilize AWS storage. For them, low storage cost is
paramount. The data is rarely retrieved and a data retrieval time of 13-14 hours is
acceptable for them. What is the best storage option to use?
A. Amazon S3 Glacier
B. S3 Glacier Deep Archive
C. Amazon EBS volumes
D. AWS CloudFront
Answer – B
Explanation :
S3 Glacier Deep Archive offers the lowest cost storage in the cloud, at prices lower than
storing and maintaining data in on-premises magnetic tape libraries or archiving data offsite.
It expands our data archiving offerings, enabling you to select the optimal storage class based
on storage and retrieval costs, and retrieval times.
Option B is correct because S3 Glacier Deep Archive offers low-cost storage and retrieval
time doesn’t matter for the company. If the question asks for fast retrieval time then S3
Glacier would be correct.
Option A is incorrect because S3 Glacier is not cheaper than S3 Glacier Deep Archive.
Options C and D are incorrect because they are not suitable for data archive and faster
retrieval. Also, CloudFront is not for storage.
With S3 Glacier, customers can store their data cost-effectively for months, years, or even
decades. S3 Glacier enables customers to offload the administrative burdens of operating and
scaling storage to AWS, so they don’t have to worry about capacity planning, hardware
provisioning, data replication, hardware failure detection, and recovery, or time-consuming
hardware migrations.
– Amazon S3 Glacier for archiving data that might infrequently need to be restored
within a few hours
– S3 Glacier Deep Archive for archiving long-term backup cycle data that might
infrequently need to be restored within 12 hours
Reference:
https://docs.aws.amazon.com/amazonglacier/latest/dev/introduction.html
https://docs.aws.amazon.com/prescriptive-guidance/latest/backup-recovery/amazon-s3-glacier.html
https://aws.amazon.com/s3/storage-classes/
Q20: Which AWS service provides a fully managed NoSQL database service that
provides fast and predictable performance with seamless scalability?
A. AWS RDS
B. DynamoDB
C. Oracle RDS
D. Elastic Map Reduce
Answer – B
Explanation :
Q21: For which of the following AWS resources is the customer responsible for the
infrastructure-related security configurations?
A. Amazon RDS
B. Amazon DynamoDB
C. Amazon EC2
D. AWS Fargate
Answer: C
Explanation :
Amazon EC2 is an Infrastructure as a Service (IaaS) for which customers are responsible for
the security and the management of guest operating systems.
Options A, B, and D are incorrect as all these resources are part of abstracted
services for which AWS is responsible for the security & infrastructure layer.
Customers are responsible for data that is saved on these resources.
For more information on the Shared responsibility model, refer to the following
URL: https://aws.amazon.com/compliance/shared-responsibility-model/
Q22: In the shared responsibility model for infrastructure services, such as Amazon
Elastic Compute Cloud, which two of the below are the customer’s responsibility?
A. Network infrastructure
B. Amazon Machine Images (AMIs)
C. Virtualization infrastructure
D. Physical security of hardware
E. Policies and configuration
Answer: B, E
Explanation :
In the shared responsibility model, AWS is primarily responsible for “Security of the Cloud.”
The customer is responsible for “Security in the Cloud.” In this scenario, the mentioned AWS
product is IaaS (Amazon EC2) and AWS manages the security of the following assets:
– Facilities
– Network infrastructure
– Virtualization infrastructure
– Operating systems
– Applications
– Data in transit
– Data at rest
– Data stores
– Credentials
Option A is incorrect. Refer to the explanation above and link in the references for
more details.
Option B is Correct. Refer to the explanation above and link in the references for
more details.
Option C is incorrect. Refer to the explanation above and link in the references for
more details.
Option D is incorrect. Refer to the explanation above and link in the references for
more details.
Option E is correct. Refer to the explanation above and link in the references for
more details.
References:
https://docs.aws.amazon.com/wellarchitected/latest/security-pillar/welcome.html
https://aws.amazon.com/architecture/well-architected/?wa-lens-whitepapers.sort-by=item.additionalFields.sortDate&wa-lens-whitepapers.sort-order=desc
Domain : Billing and Pricing
Q23: AWS offers two savings plans to enable more savings and flexibility for its
customers, namely, Compute Savings Plans and EC2 Instance Savings Plans.
Answer: B
Explanation :
Reference: https://docs.aws.amazon.com/savingsplans/latest/userguide/what-is-savings-plans.html#sp-ris
Domain : Technology
A. AWS IAM
B. Amazon EFS
C. Amazon Route 53
D. Amazon CloudFront
Answer: B
Explanation :
References:
https://aws.amazon.com/efs/
https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/
Domain : Technology
Q25: Which of the following LightSail wizards allows customers to “create a copy of
the LightSail instance in EC2”?
A. LightSail Backup
B. LightSail Copy
C. Upgrade to EC2
D. LightSail-EC2 snapshot
Answer: C
Explanation :
Reference:
https://lightsail.aws.amazon.com/ls/docs/en_us/articles/amazon-lightsail-exporting-snapshots-to-amazon-ec2
https://aws.amazon.com/lightsail/features/upgrade-to-ec2/
Domain : Technology
Q26: Which of the following features of Amazon Connect helps improve customer
engagement on AWS Cloud?
A. Push Notification
B. High Quality Audio
C. Mailbox Simulator
D. Reputation Dashboard
Correct Answer: B
Amazon Connect is an omnichannel cloud contact centre which can be set up easily & at
low cost. It has the following features, which help to provide customers a superior service:
1. Telephone as a service
2. High quality Audio
3. Omnichannel routing
4. Web & Mobile Chat
5. Task management
6. Contact Centre automation
7. Rules Engine.
Option A is incorrect as Push Notification is not a feature of Amazon Connect. It’s one of
the features of Amazon Pinpoint.
Option C is incorrect as Mailbox Simulator is not a feature of Amazon Connect. It’s one of
the features of Amazon SES.
Option D is incorrect as Reputation Dashboard is not a feature of Amazon Connect. It’s one
of the features of Amazon SES.
Domain : Technology
Q27: A large IT company is looking to enable its large user base to remotely access
Linux desktops from any location. Which service can be used for this purpose?
A. Amazon Cognito
B. Amazon AppStream 2.0
C. Amazon WorkSpaces
D. Amazon WorkLink
Correct Answer: C
Amazon WorkSpaces provides a secure managed service for virtual desktops for remote
users. It supports both Windows & Linux based virtual desktops for a large number of users.
Option A is incorrect as Amazon Cognito can be used to control access to AWS resources
from an application.
Option B is incorrect as Amazon AppStream 2.0 can be used to provide access to
applications or a non-persistent desktop from any location.
Option D is incorrect as Amazon WorkLink can be used by internal employees to securely
access internal websites & applications using mobile phones.
Q28 : Users in the Developer Team need to deploy a multi-tier web application. Which
service can be used to create a customized portfolio that will help users for quick
deployment?
A. AWS Config
B. AWS Code Deploy
C. AWS Service Catalog
D. AWS Cloud Formation
Correct Answer: C
AWS Service Catalog can be used to create & deploy a portfolio of products within AWS
infrastructure. This helps to create consistent resources within AWS infrastructure with quick
deployment. These catalogues can be used for deployment of a single resource or a multi-tier
web application consisting of web, application, & database layer resources.
Option A is incorrect as AWS Config is used for evaluating configuration on the resources
deployed in AWS cloud. It will not help in creating portfolios of resources for quick
deployment.
Option B is incorrect as AWS CodeDeploy is a managed service for automating software
deployment on AWS resources & on-premises systems. It is not suitable for creating portfolios
of resources for quick deployment.
Option D is incorrect as AWS CloudFormation is a service for provisioning AWS resources
using templates.
For more information on AWS Service Catalog, refer to the following URL:
https://aws.amazon.com/servicecatalog/features/
Q29: A large oil & gas company is planning to deploy a high-volume application on
multiple Amazon EC2 instances. Which of the following can help to reduce operational
expenses?
A. Deploy Amazon EC2 instance with Auto-scaling
B. Deploy Amazon EC2 instance in multiple AZs
C. Deploy Amazon EC2 instance with Amazon instance store-backed AMI
D. Deploy Amazon EC2 instance with Cluster placement group
Correct Answer: A
Using Amazon EC2 Auto-Scaling helps to match the workload on the application with the
optimum number of Amazon EC2 instances. Due to this, during low load on the application,
Amazon EC2 instances are terminated, which reduces operational cost.
For more information on reducing cost using AWS cloud, refer to the following URL:
https://aws.amazon.com/economics/
Q30 : Which of the following activities are within the scope of AWS Support?
Code development
Debugging custom software
Performing system administration tasks
Database query tuning
Cross-Account Support
Option B is incorrect as Code Development is not in the scope of AWS Support. This needs
to be taken care of by the customer.
Option C is incorrect as Debugging custom software is not in the scope of AWS Support.
This needs to be taken care of by the customer.
Option E is incorrect as Database query tuning is not in the scope of AWS Support. This
needs to be taken care of by the customer.
Q31: I have a huge amount of data (images, documents). I want to store them on AWS
storage service S3 and know how S3 is priced to make informed decisions. Which of the
following is accounted as a cost for S3 storage? Select TWO.
Explanation:
Option A is incorrect. Data transferred in from the internet to S3 does not incur any
charges.
Option B is CORRECT. Lifecycle data transfers between the storage classes can be
considered as GET/PUT operations from the source storage class to the target storage class
which will incur cost.
Option C is incorrect. Outbound data transfers from S3 within the same Region (including a
different AWS account) do not incur any charges.
Option E is CORRECT since the Outbound data transfer is done out of the region where the
S3 bucket resides.
References:
https://aws.amazon.com/s3/pricing/
http://pragmaticnotes.com/2020/04/22/s3-to-glacier-lifecycle-transition-see-if-its-worth-it/
Domain: Technology
Q32: I am using the Amazon Simple Notification Service to send notifications to alert
admins whenever the CPU utilization of an EC2 instance crosses 70%. Which of the
following can be subscribers to an SNS Topic? (Select TWO)
A. Email
B. Amazon S3
C. AWS Lambda
D. Amazon CloudWatch
Explanation:
SNS is extremely useful for the fan-out types of applications, i.e., multiple clients that push
messages to an SNS topic & multiple listeners can be notified when a message arrives at the
Topic.
Option A is CORRECT. SNS messages can be sent as Email (text-based or Object) to
registered addresses, which act as subscribers to the notification.
Option C is CORRECT. A Lambda function can subscribe to an SNS Topic and can act on
any events that are published to that Topic. An S3 PUT or CREATE event for uploading
documents can have a Lambda subscriber that can pull out metadata information contained
within the documents & store it in a DynamoDB database.
Option D is incorrect. CloudWatch will act as a publisher of events using alarms. Getting
back to our scenario, we can set CloudWatch alarms on the CPU utilization metrics of the
EC2 instance. The alarms can then be published to an SNS Topic for notifying users.
Option E is incorrect. DynamoDB streams are events that are emitted when record
modifications occur on a DynamoDB table like INSERT, UPDATE, etc. They are extremely
useful to create informative dashboards in real-time. DynamoDB streams can trigger a
Lambda function that can publish a message to an SNS Topic. So we can see here that
a DynamoDB stream acts as a publisher of events.
References:
https://docs.aws.amazon.com/sns/latest/dg/welcome.html
https://docs.aws.amazon.com/sns/latest/dg/sns-create-subscribe-endpoint-to-topic.html
Domain: Technology
Q 33: I require different levels of access for my application that is installed on an EC2
instance. I have configured an ENI for the same purpose. Which of the following
statements is incorrect?
A. I can detach the primary ENI of my EC2 instance and connect it to another instance for
moving its Elastic IP
B. I can configure a Security Group for my ENI and restrict traffic to the EC2 instance
C. I can detach a secondary ENI containing a Private IP from one EC2 instance and attach it
to another
D. I can attach an Elastic IP to an EC2 instance in another subnet by releasing it from the ENI
in the current subnet to which it is currently attached
Correct Answer: A
Explanation:
Option A is CORRECT. The primary ENI of an instance cannot be detached from the
instance. By default, the primary ENI is created with the creation of the EC2 instance &
deleted when the instance is terminated.
Option B is incorrect since an EC2 instance may require restricted access to certain IP
addresses. This can be achieved by creating a new ENI & attaching a Public IP & Security
Group restricting permissions.
Option C is incorrect. Secondary ENIs that are created can be detached from the instance to
which they are attached & attached to another instance within the same subnet. The Private IP
then gets allocated to the second instance to which it is attached currently.
Option D is incorrect. ENIs are subnet-specific. So for attaching an Elastic IP to an instance
in a different subnet, I need to first release it to the pool by disassociating it from an attached
instance. This way, I can attach the Elastic IP to an instance in a different subnet.
References:
https://youtu.be/Zg8rMLE88mg
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
Domain: Security
Q 34: To make programmatic calls to AWS, a user was provided an access key ID and
secret access key. However, the user has now forgotten the shared credentials and
cannot make the required programmatic calls.
How can an access key ID and secret access key be provided to the user?
B. Use “Create New Access Key” by logging in to AWS Management Console as the root
user
Correct Answer: B
Explanation:
Option B is CORRECT.
Option C is INCORRECT. This is an incorrect option. We can create a new access key by
logging in to Management Console as a root user.
Option D is INCORRECT. This is an incorrect option. We can create a new access key by
logging in to Management Console as a root user.
Reference:
https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html
Domain: Security
Q 34: Which of the following statements accurately describe a function of AWS Secrets
Manager? [Select Two]
A. Encrypts authentication information in code, ensuring that it is unreadable, that is, not in
plain-text.
C. Makes it possible to include an API call in code that retrieves authentication information
from a central repository.
D. Automatically rotates and updates the code in the application build, ensuring that
repositories are kept up to date.
Explanation:
AWS Secrets Manager allows users to replace authentication information in code with an
API call to Secrets Manager. This API call then retrieves the secret programmatically. This
safeguards the secret from being compromised since the secret is removed from the code.
AWS Secrets Manager automatically rotates the secret in accordance with specified
schedules which allows the implementation of more secure short-term secrets. These, in turn,
reduce the risk of authentication information in code being compromised.
Option A is INCORRECT because AWS Secrets Manager does not encrypt authentication
information whilst it is in the code.
Option D is INCORRECT because AWS Secrets Manager does not automatically rotate or
update the application code. Rather, it automatically rotates the secret in accordance with
specified schedules.
Option E is INCORRECT because AWS Secrets Manager does not facilitate embedding
authentication information in code during runtime. Developers do not need to hard-code
authentication information in code.
Reference:
https://docs.aws.amazon.com/secretsmanager/latest/userguide/intro.html
Question 1: What advantages does a database administrator obtain by using the Amazon
Relational Database Service (RDS)?
Explanation:
Amazon RDS is a managed relational database service on which you can run several types of
database software. The service is managed so this reduces the database administration tasks
an administrator would normally undertake. The managed service includes hardware
provisioning, database setup, patching and backups.
A. “RDS provides 99.99999999999% reliability and durability” is incorrect. This is not true
of Amazon RDS.
B. “RDS databases automatically scale based on load” is incorrect. This is not true: storage
auto scaling is possible, but compute scales by changing the instance type (manual).
C. “RDS enables users to dynamically adjust CPU and RAM resources” is incorrect. You
cannot adjust CPU and RAM dynamically; you must change the instance type and reboot the
database instance.
References:
https://aws.amazon.com/rds/
https://digitalcloud.training/aws-database-services/
Question 2: A large company is interested in avoiding long-term contracts and moving from
fixed costs to variable costs. What is the value proposition of AWS for this company?
A. Economies of scale
B. Pay-as-you-go pricing
C. Volume pricing discounts
D. Automated cost optimization
Explanation:
Pay-as-you-go pricing helps companies move away from fixed costs to variable costs in a
model in which they only pay for what they actually use. There are no fixed-term contracts
with AWS, so that requirement is also met.
A. “Economies of scale” is incorrect. You do get good pricing because of the economies of
scale leveraged by AWS. However, the value proposition for companies wishing to avoid
fixed costs is pay-as-you-go pricing. This flexibility can be more important in some cases
than the actual cost per unit.
C. “Volume pricing discounts” is incorrect. This is not the value proposition for this company
as they are seeking to avoid long-term contracts and fixed costs, not to achieve a discount.
D. “Automated cost optimization” is incorrect. This is not a feature that relates to the value
proposition for this customer.
References:
https://aws.amazon.com/pricing/
https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-billing-and-pricing/
Question 3: A customer needs to determine Total Cost of Ownership (TCO) for a workload
that requires physical isolation. Which hosting model should be used?
A. Dedicated Hosts
B. Reserved Instances
C. On-Demand Instances
D. Spot Instances
Explanation:
An Amazon EC2 Dedicated Host is a physical server with EC2 instance capacity fully
dedicated to your use. Dedicated Hosts allow you to use your existing per-socket, per-core, or
per-VM software licenses, including Windows Server, Microsoft SQL Server, SUSE, and
Linux Enterprise Server.
Note that Dedicated Hosts can be considered a “hosting model” as it determines the actual
underlying infrastructure that is used for running your workload. All of the other answers are
simply pricing plans for shared hosting models.
B. “Reserved Instances” is incorrect as this pricing model does not support physical isolation.
C. “On-Demand Instances” is incorrect as this pricing model does not support physical
isolation.
D. “Spot Instances” is incorrect as this pricing model does not support physical isolation.
References:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/dedicated-hosts-overview.html
https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-compute/
Question 4: Which design principles are enabled by the AWS Cloud to improve the
operation of workloads? (Select TWO)
The correct answer is B. “Loose coupling” and D. “Remove single points of failure”.
Explanation:
Loose coupling is when you break systems down into smaller components that are loosely
coupled together. This reduces interdependencies between system components. This is
achieved in the cloud using message buses, notification and messaging services.
Removing single points of failure ensures fault tolerance and high availability. This is easily
achieved in the cloud as the architecture and features of the cloud support the implementation
of highly available and fault tolerant systems.
A. “Minimize platform design” is incorrect. This is not an operational advantage for
workloads in the cloud.
E. “Minimum viable product” is incorrect. This is not an operational advantage for workloads
in the cloud.
References:
https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf
https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/architecting-for-the-cloud/
Question 5: A user is planning to launch three EC2 instances behind a single Elastic Load
Balancer. The deployment should be highly available.
A. Launch the instances across multiple Availability Zones in a single AWS Region.
B. Launch the instances as EC2 Spot Instances in the same AWS Region and the same
Availability Zone.
C. Launch the instances in multiple AWS Regions, and use Elastic IP addresses.
D. Launch the instances as EC2 Reserved Instances in the same AWS Region, but in different
Availability Zones.
The correct answer is A. “Launch the instances across multiple Availability Zones in a single
AWS Region.”
Explanation:
To make the deployment highly available the user should launch the instances across multiple
Availability Zones in a single AWS Region. Elastic Load Balancers can only serve targets in
a single Region so it is not possible to deploy across Regions.
B. “Launch the instances as EC2 Spot Instances in the same AWS Region and the same
Availability Zone” is incorrect. The pricing model is not relevant to high availability and
deploying in a single AZ does not result in a highly available deployment.
C. “Launch the instances in multiple AWS Regions, and use Elastic IP addresses” is
incorrect. You cannot use an ELB with instances in multiple Regions and using an EIP does
not help.
D. “Launch the instances as EC2 Reserved Instances in the same AWS Region, but in
different Availability Zones” is incorrect. Using reserved instances may not be appropriate as
we do not know whether this is going to be a long-term workload or not.
References:
https://aws.amazon.com/about-aws/global-infrastructure/regions_az/
https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/aws-global-infrastructure/