Copyright Notice

 
AWS Certified Solutions Architect Associate Practice
Questions Copyright © 2018 Shaun L. Hummel
All Rights Reserved. No part of this work may be sold,
reproduced or transmitted in any form or by any means
without written permission from the author.
 
Disclaimer
This book was written as a study guide for obtaining AWS
certification. While every effort has been made to make this
book as accurate as possible no warranty is implied. The
author shall not be liable or responsible for any loss or
damage arising from the information contained in this book.
 
About The Author
Shaun Hummel is a Senior Network Engineer with 15 years
enterprise network planning, design and implementation
experience. Author of AWS Certified Solutions Architect
Associate: Exam Study Notes.
Contents
Introduction
1.0  EC2 Compute
2.0  Virtual Private Cloud
3.0  Storage Services
4.0  Security Architecture
5.0  Database Services
6.0  Fault Tolerant Systems
7.0  Deployment and Orchestration
8.0  Monitoring Services
Answer Key
 
Introduction The skills required for information
technology are changing rapidly with cloud computing and
network programmability. The virtualization of servers,
applications and network devices is causing an overlap of
management domains for network, systems and security
engineers. The network devices and applications now reside
at network servers as virtual machines (VM). In addition
there is a shift toward an internet-based connectivity model
that is changing how the network is managed. The server-
centric architecture redefines how network capacity is
managed as well. There are newer virtualized management
solutions have been developed for integrating physical and
virtual platforms.
 
Each group must develop new skills for virtualization,
server-based troubleshooting and cloud management. The
virtualization of applications and devices allow for an on-
demand connectivity and operational model. It is
characterized by a dynamic, elastic, scalable architecture
that is hardware independent. The new networking
paradigm uses Open APIs, overlays and SDN programmable
network devices. The virtualization overlay abstracts the
underlying network infrastructure from the application layer.
The virtualization architecture is now enabling seamless
access and global connectivity of enterprise and cloud data
center applications. The increasing popularity of cloud
computing is the result of an operational model that now
has companies migrating data center applications to cloud
facilities. According to a study almost 70% of all IP
internet traffic will terminate at a cloud facility by
2018.
 
AWS certification has become popular as a training platform
for systems administrators, engineers and architects.
Candidates must answer technical questions and have the
skills required to select, deploy, integrate and maintain AWS
cloud solutions. The study guide is comprised of 300+
practice questions. All questions are based on official AWS
certification guidelines that cover all exam topics required
to pass AWS Certified Solutions Architect Associate exam.
 
AWS Certified Solutions Architect:
Associate Exam Read each question carefully and
select the correct answer/s from the options provided. Use a
text editor (notepad) to record your answers for each
question.
EC2 Compute Question 1: What three attributes are
selectable when creating an EBS volume for an EC2
instance?
A. volume type
B. IOPS
C. region
D. CMK
E. ELB
F. EIP
Question 2: You have been asked to migrate a 10 GB
unencrypted EBS volume to an encrypted volume for
security purposes. What are three key steps required as part
of the migration?
A. pause the unencrypted instance
B. create a new encrypted volume of the same size and
availability zone
C. create a new encrypted volume of the same size in
any availability zone
D. start converter instance
E. shutdown and detach the unencrypted instance
 
Question 3: What is EC2 instance protection?
A. prevents Auto Scaling from selecting specific EC2
instance to be replaced when scaling in
B. prevents Auto Scaling from selecting specific EC2
instance to be replaced when scaling out
C. prevents Auto Scaling from selecting specific EC2
instance for termination when scaling out
D. prevents Auto Scaling from selecting specific EC2
instance for termination when scaling in
E. prevents Auto Scaling from selecting specific EC2
instance for termination when paused
F. prevents Auto Scaling from selecting specific EC2
instance for termination when stopped
 
Question 4:
What two features are supported with EBS volume Snapshot
feature?
 
A. EBS replication across regions
 
B. EBS multi-zone replication
 
C. EBS single region only
 
D. full snapshot data only
 
E. unencrypted snapshot only
 
 
Question 5:
What two resource tags are supported for an EC2 instance?
 
A. VPC endpoint
 
B. EIP
 
C. network interface
 
D. security group
 
E. Flow Log
 
Question 6:
What two options are available to alert tenants when an EC2
instance is terminated?
 
A. SNS
 
B. CloudTrail
 
C. Lambda function
 
D. SQS
 
E. STS
 
 
Question 7:
What class of EC2 instance type is recommended for
running data analytics?
 
A. memory optimized
 
B. compute optimized
 
C. storage optimized
 
D. general purpose optimized
 
 
Question 8:
What class of EC2 instance type is recommended for
database servers?
 
A. memory optimized
 
B. compute optimized
 
C. storage optimized
 
D. general purpose optimized
 
 
Question 9:
What two attributes distinguish each pricing model?
 
A. reliability
 
B. amazon service
 
C. discount
 
D. performance
 
E. redundancy
 
Question 10:
What are three standard AWS pricing models?
 
A. elastic
 
B. spot
 
C. reserved
 
D. dynamic
 
E. demand
 
 
Question 11:
How is an EBS root volume created when launching an EC2
instance from a new EBS-backed AMI?
 
A. S3 template
 
B. original AMI
 
C. snapshot
 
D. instance store
 
Question 12:
What Amazon AWS sources are available for creating an
EBS-Backed Linux AMI? (select two)
 
A. EC2 instance
 
B. Amazon SMS
 
C. VM Import/Export
 
D. EBS Snapshot
 
E. S3 bucket
 
 
Question 13:
What is required to prevent an instance from being
launched and incurring costs?
 
A. stop instance
 
B. terminate instance
 
C. terminate AMI and de-register instance
 
D. stop and de-register instance
 
E. stop, deregister AMI and terminate instance
 
 
Question 14:
What is an EBS Snapshot?
 
A. backup of an EBS root volume and instance data
 
B. backup of an EC2 instance
 
C. backup of configuration settings
 
D. backup of instance store
 
 
Question 15:
Where are ELB and Auto-Scaling groups deployed as a
unified solution for horizontal scaling?
 
A. database instances
 
B. all instances
 
C. web server instances
 
D. default VPC only
 
 
Question 16:
What feature is supported when attaching or detaching an
EBS volume from an EC2 instance?
A. EBS volume can be attached and detached to an EC2
instance in the same region
B. EBS volume can be attached and detached to an EC2
instance that is cross-region
C. EBS volume can only be copied and attached to an
EC2 instance that is cross-region
D. EBS volume can only be attached and detached to an
EC2 instance in the same Availability Zone
Question 17:
What two statements correctly describe how to add or
modify IAM roles to a running EC2 instance?
A. attach an IAM role to an existing EC2 instance from
the EC2 console
B. replace an IAM role attached to an existing EC2
instance from the EC2 console
C. attach an IAM role to the user account and relaunch
the EC2 instance
D. add the EC2 instance to a group where the role is a
member
 
Question 18: What is the default behavior for an EC2
instance when terminated? (Select two)
A. DeleteOnTermination attribute cannot be modified
B. EBS root device volume and additional attached
volumes are deleted immediately
C. EBS data volumes that you attach at launch persist
D. EBS root device volume is automatically deleted when
instance terminates
Question 19:
How do you launch an EC2 instance after it is terminated?
(Select two)
 
A. launch a new instance using the same AMI
 
B. reboot instance from CLI
 
C. launch a new instance from a Snapshot
 
D. reboot instance from management console
 
E. contact AWS support to reset
 
 
Question 20:
What service can automate EBS snapshots (backups) for
restoring EBS volumes?
 
A. CloudWatch event
 
B. SNS topic
 
C. CloudTrail
 
D. Amazon Inspector
 
E. CloudWatch alarm
 
 
 
Question 21:
What will cause AWS to terminate an EC2 instance on
launch? (Select two)
 
A. security group error
 
B. number of EC2 instances on AWS account exceeded
 
C. EBS volume limits exceeded
 
D. multiple IP addresses assigned to instance
 
E. unsupported instance type assigned
 
 
Question 22:
You recently made some configuration changes to an EC2
instance. You then launched a new EC2 instance from the
same AMI however none of the settings were saved. What is
the cause of this error?
A. did not save configuration changes to EC2 instance
B. did not save configuration changes to AMI
C. did not create new AMI
D. did not reboot EC2 instance to enable changes
 
Question 23: What statements are correct concerning
DisableApiTermination attribute? (Select two)
A. cannot enable termination protection for Spot
instances
B. termination protection is disabled by default for an
EC2 instance
C. termination protection is enabled by default for an
EC2 instance
D. can enable termination protection for Spot instances
E. DisableApiTermination attribute supported for EBS-
backed instances only
 
Question 24:
What is required to copy an encrypted EBS snapshot cross-
account? (Select two)
A. copy the unencrypted EBS snapshot to an S3 bucket
B. distribute the custom key from CloudFront
C. share the custom key for the snapshot with the target
account
D. share the encrypted EBS snapshot with the target
account
E. share the encrypted EBS snapshots publicly
F. enable root access security on both accounts
 
Question 25:
What three services enable Single-AZ as a default?
 
A. EC2
 
B. ELB
 
C. Auto-Scaling
 
D. DynamoDB
 
E. S3
 
Question 26:
What AWS service automatically publishes access logs every
five minutes?
 
A. VPC Flow Logs
 
B. Elastic Load Balancer
 
C. CloudTrail
 
D. DNS Route 53
 
Question 27:
You have developed a web-based application for file sharing
that will allow customers to access files. There are a variety
of sizes that include larger .pdf and video files. What two
solution stacks could tenants use for an online file sharing
service? (Select two)
A. EC2, ELB, Auto-Scaling, S3
B. Route 53, Auto-Scaling, DynamoDB
C. EC2, Auto-Scaling, RDS
D. CloudFront
 
Question 28:
What infrastructure services are provided to EC2 instances?
(Select three)
 
A. VPN
 
B. storage
 
C. compute
 
D. transport
 
E. security
 
F. support
 
 
Question 29:
What steps are required from AWS console to copy an EBS-
backed AMI for a database instance cross-region?
A. create Snapshot of data volume, select Copy, select
destination region
B. select Copy EBS-backed AMI option and destination
region
C. select copy database volume and destination region
D. create Snapshot of EBS-backed AMI, select Copy
Snapshot option, select destination region
E. create Snapshot of Instance-store AMI, select Copy
AMI option, select destination region
 
Question 30:
How is capacity (compute, storage and network
speed) managed and assigned to EC2 instances?
 
A. AMI
 
B. instance type
 
C. IOPS
 
D. Auto-Scaling
 
 
Question 31:
What storage type enable permanent attachment of
volumes to EC2 instances?
 
A. S3
 
B. RDS
 
C. TDS
 
D. EBS
 
E. instance store
 
 
Question 32: What is the recommended method for
migrating (copying) an EC2 instance to a different region?
A. terminate instance, select region, copy instance to
destination region
B. select AMI associated with EC2 instance and use Copy
AMI option
C. stop instance and copy AMI to destination region
D. cross-region copy is not currently supported
Question 33:
What are two attributes that define an EC2 instance type?
 
A. vCPU
 
B. license type
 
C. EBS volume storage
 
D. IP address
 
E. Auto-Scaling
 
Question 34:
How is an Amazon Elastic Load Balancer (ELB) assigned?
 
A. per EC2 instance
 
B. per Auto-Scaling group
 
C. per subnet
 
D. per VPC
 
 
Question 35:
What method detects when to replace an EC2 instance that
is assigned to an Auto-Scaling group?
 
A. health check
 
B. load balancing algorithm
 
C. EC2 health check
 
D. not currently supported
 
E. dynamic path detection
 
F. Auto-Scaling
 
 
 
Question 36:
What two statements correctly describe Auto-Scaling
groups?
 
A. horizontal scaling of capacity
 
B. decrease number of instances only
 
C. EC2 instances are assigned to a group
 
D. database instances only
 
E. no support for multiple availability zones
 
 
Question 37:
What is the default maximum number of Elastic IP
addresses assignable per Amazon AWS region?
 
A. 1
 
B. 100
 
C. 5
 
D. unlimited
 
 
Question 38:
How are snapshots for an EBS volume created when it is the
root device for an instance?
 
A. pause instance, unmount volume and snapshot
 
B. terminate instance and snapshot
 
C. unencrypt volume and snapshot dynamically
 
D. stop instance, unmount volume and snapshot
 
 
Question 39:
What cloud compute components are configured by tenants
and not Amazon AWS support engineers? (Select three)
 
A. hypervisor
 
B. upstream physical switch
 
C. virtual appliances
 
D. guest operating system
 
E. applications and databases
 
F. RDS
 
 
Question 40:
What three attributes are used to define a launch
configuration template for an Auto-Scaling group?
 
A. instance type
 
B. private IP address
 
C. Elastic IP
 
D. security group
 
E. AMI
 
 
Question 41:
What three characteristics or limitations differentiate EC2
instance types?
 
A. VPC only
B. application type
C. EBS volume only
D. virtualization type
E. AWS service selected
 
Question 42:
Select two difference between HVM and PV virtualization
types?
 
A. HVM supports all current generation instance types
B. HVM is similar to bare metal hypervisor architecture
C. PV provides better performance than HVM for most
instance types
 

D. HVM doesn’t support enhanced networking

E. HVM doesn’t support current generation instance
types
 
 
Virtual Private Cloud (VPC) Question 1:
What are the minimum components required to enable a
web-based application with public web servers and a private
database tier? (Select three)
A. Internet gateway
B. Assign EIP addressing to database instances on
private subnet
C. Virtual private gateway
D. Assign database instances to private subnet and
private IP addressing
E. Assign EIP and private IP addressing to web servers
on public subnet
 
Question 2:
Refer to the network drawing. How are packets routed
from private subnet to public subnet for the following web-
based application with a database tier?
A. Internet gateway
 
B. custom route table
 
C. 10.0.0.0/16
 
D. nat-instance-id
 
E. igw-id
 
F. add custom route table
 
 
Question 3:
What VPC component provides Network Address
Translation?
 
A. NAT instance
 
B. NAT gateway
 
C. virtual private gateway
 
D. Internet gateway
 
E. ECS
 
 
Question 4:
What are the advantages of NAT gateway over NAT
instance? (Select two)
 
A. NAT gateway requires a single EC2 instance
 
B. NAT gateway is scalable
 
C. NAT gateway translates faster
 
D. NAT gateways is a managed service
 
E. NAT gateway is Linux-based
 
 
Question 5:
What is the management responsibility of tenants and not
Amazon AWS?
 
A. EC2 instances
 
B. RDS
 
C. Beanstalk
 
D. NAT instance
 
Question 6:
What two features provide an encrypted (VPN) connection
from VPC to an enterprise data center?
 
A. Internet gateway
 
B. Amazon RDS
 
C. Virtual private gateway
 
D. CSR 1000V router
 
E. NAT gateway
 
 
Question 7:
What two attributes are supported when configuring an
Amazon Virtual private gateway (VPG)?
 
A. route propagation
 
B. Elastic IP (EIP)
 
C. DHCP
 
D. public IPv4 address
 
E. public subnets
 
 
Question 8:
What two features are available with AWS Direct Connect
service?
 
A. internet access
 
B. extend on-premises VLANs to cloud
 
C. bidirectional forwarding detection (BFD)
 
D. load balancing between Direct Connect and VPN
connection
 
E. public and private AWS services
 
 
Question 9:
When is Direct Connect a preferred solution over VPN IPsec?
 
A. fast and reliable connection
 
B. redundancy is a key requirement
 
C. fast and easy to deploy
 
D. layer 3 connectivity
 
E. layer 2 connectivity
 
Question 10:
You have been asked to setup a VPC endpoint connection
between VPC and S3 buckets for storing backups and
snapshots. What AWS components are currently required
when configuring a VPC endpoint?
 
A. Internet gateway
 
B. NAT instance
 
C. Elastic IP
 
D. private IP address
 
 
Question 11:
What are the primary advantages of VPC endpoints? (Select
two)
 
A. reliability
 
B. cost
 
C. throughput
 
D. security
 
 
Question 12:
What are the DHCP option attributes used to assign private
DNS servers to your VPC?
 
A. dns resolution and domain name
 
B. hostnames and internet domain
 
C. domain servers and domain name
 
D. domain-name-servers and domain-name
 
 
 
Question 13:
What DNS attributes are configured when Default VPC
option is selected?
 
A. DNS resolution: yes / DNS hostnames: yes
 
B. DNS resolution: yes / DNS hostnames: no
 
C. DNS resolution: no / DNS hostnames: yes
 
D. DNS resolution: no / DNS hostnames: no
 
 
Question 14:
What configuration settings are required from the remote
VPC in order to create cross-account peering? (Select three)
 
A. VPC ID
 
B. account username
 
C. account ID
 
D. CMK keys
 
E. VPC CIDR block
 
F. volume type
 
 
Question 15:
What CIDR block range is supported for IPv4 addressing and
subnetting within a single VPC?
 
A. /16 to /32
 
B. /16 to /24
 
C. /16 to /28
 
D. /16 to /20
 
 
Question 16: What problem is caused by the fact that VPC
peering does not permit transitive routing?
A. additional VPC route tables to manage
B. virtual private gateway is required
C. Internet gateway is required for each VPC
D. routing between connected spokes through hub VPC is
complex
E. increased number of peer links required
Question 17:
What two statements correctly describes Elastic Load
Balancer operation?
 
A. spans multiple regions
 
B. assigned per EC2 instance
 
C. assigned per subnet
 
D. assigned per Auto-Scaling group
 
E. no cross-region support
 
Question 18:
What are two advantages of Elastic IP (EIP) over AWS public
IPv4 addresses?
 
A. EIP can be reassigned
 
B. EIP is private
 
C. EIP is dynamic
 
D. EIP is persistent
 
E. EIP is public and private
 
Question 19:
What AWS services are globally managed? (Select four)
 
A. IAM
 
B. S3
 
C. CloudFront
 
D. Route 53
 
E. DynamoDB
 
F. WAF
 
G. ELB
 
Question 20:
What methods are available for creating a VPC? (Select
three)
 
A. AWS management console
 
B. AWS marketplace
 
C. VPC wizard
 
D. VPC console
 
E. Direct Connect
 
 
Question 21: What two default settings are configured for
tenants by AWS when Default VPC option is selected?
A. creates a size /20 default subnet in each Availability
Zone
B. creates an Internet gateway
C. creates a main route table with local route 10.0.0.0/16
D. create a virtual private gateway
E. create a security group that explicitly denies all traffic
Question 22:
What three statements correctly describes IP address
allocation within a VPC?
A. EC2 instance must be terminated to reassign an IP
address
B. EC2 instance that is paused can reassign IP address
C. EC2 instance that is stopped can reassign IP address
D. private IP addresses are allocated from a pool and can
be reassigned
E. private IP addresses can be assigned by tenant
F. VPC supports dual stack mode (IPv4/IPv6)
 
Question 23:
What are two advantages of selecting default tenancy
option for your VPC when creating it?
 
A. performance and reliability
 
B. some AWS services do not work with a dedicated
tenancy VPC
 
C. tenant can launch instances within VPC as default or
dedicated instances
 
D. instance launch is faster
 
 
 
Question 24: What is the purpose of a local route within a
VPC route table?
A. local route is derived from the default VPC CIDR block
10.0.0.0/16
B. communicate between instances within the same
subnet or different subnets
C. used to communicate between instances within the
same subnet
D. default route for communicating between private and
public subnets
E. only installed in the main route table
Question 25:
What is the default behavior when adding a new subnet to
your VPC? (Select two)
A. new subnet is associated with the main route table
B. new subnet is associated with the custom route table
C. new subnet is associated with any selected route
table
D. new subnet is assigned to the default subnet
E. new subnet is assigned from the VPC CIDR block
 
Question 26: You have enabled Amazon RDS database
services in VPC1 for an application that has public web
servers in VPC2. How do you connect the web servers to the
RDS database instance so they can communicate
considering the VPC's are in the same region?
A. VPC endpoints
B. VPN gateway
C. path-based routing
D. VPC peering
E. AWS Network Load Balancer
 
Question 27:
What AWS services now support VPC endpoints feature for
optimizing security? (Select three)
 
A. Kinesis
 
B. DNS Route 53
 
C. S3
 
D. DynamoDB
 
E. RDS
 
 
Question 28:
What are three characteristics of an Amazon
Virtual Private Cloud?
 
A. public and private IP addressing
 
B. broadcasts
 
C. multiple private IP addresses per network interface
 
D. dedicated single tenant hardware only
 
E. persistent public IP addresses
 
F. HSRP
 
 
Question 29: What is the difference between VPC main
route table and custom route table?
A. VPC only creates a main route table when started
B. custom route table is the default
C. custom route table is created for public subnets
D. custom route table is created for private subnets
E. main route table is created for public and private
subnets
 
Question 30:
What is the purpose of the native VPC router?
 
A. route packets across the internet
 
B. route packets between private cloud instances
 
C. route packets between subnets
 
D. route packets from instances to S3 storage volumes
 
E. route packets across VPN
 
 
Question 31:
How are private DNS servers assigned to an Amazon VPC?
 
A. not supported
 
B. select nondefault VPC
 
C. select default VPC
 
D. select EC-2 classic
 
 
 
Question 32:
What are two characteristics of an Amazon security group?
 
A. instance level packet filtering
 
B. deny rules only
 
C. permit rules only
 
D. subnet level packet filtering
 
E. inbound only
 
Question 33:
What statement is true of Network Access Control Lists
(ACL) operation within an Amazon VPC?
 
A. instance and subnet level packet filtering
 
B. subnet level packet filtering
 
C. inbound only
 
D. only one ACL allowed per VPC
 
E. outbound only
 
 
Question 34:
How are packets forwarded between public and private
subnets within VPC?
 
A. EIP
 
B. NAT
 
C. main route table
 
D. VPN
 
 
Question 35:
What two statements accurately describe Amazon
VPC architecture?
 
A. Elastic Load Balancer (ELB) cannot span multiple
availability zones
 
B. VPC does not support DMVPN connection
 
C. VPC subnet cannot span multiple availability zones
 
D. VPC cannot span multiple regions
 
E. Flow logs are not supported within a VPC
 
 
Question 36:
What is a requirement for attaching EC2 instances to on-
premises clients and applications?
 
A. Amazon Virtual Private Gateway (VPN)
 
B. Amazon Internet Gateway
 
C. VPN Connection
 
D. Elastic Load Balancer (ELB)
 
E. NAT
 
 
Question 37:
What two statements correctly describe Amazon virtual
private gateway?
 
A. assign to private subnets only
 
B. assign to public subnets only
 
C. single virtual private gateway per VPC
 
D. multiple virtual private gateways per VPC
 
E. single virtual private gateway per region
 
 
 
Question 38:
What is the maximum access port speed available
with Amazon Direct Connect service?
 
A. 1 Gbps
 
B. 10 Gbps
 
C. 500 Mbps
 
D. 100 Gbps
 
E. 100 Mbps
 
 
Question 39:
Refer to the drawing. Your company has asked you to
configure a peering link between two VPCs that are
currently not connected or exchanging any packets. What
destination and target is configured in the routing table of
VPC1 to enable packet forwarding to VPC2?
 

 
A. destination = 172.16.0.0/16
target = pcx-vpc2vpc1
 
B. destination = 10.0.0.0/16
target = pcx-vpc2
 
C. destination = 172.16.0.0/16
target = 10.0.0.0/16
 
D. destination = 172.16.0.0/16
target = pcx-vpc1vpc2
 
E. default route only
 
 
Question 40:
How is routing enabled by default within a VPC for an EC2
instance?
 
A. add a default route
 
B. main route table
 
C. custom route table
 
D. must be configured explicitly
 
 
Question 41:
What three features are not supported with VPC peering?
 
A. overlapping CIDR blocks
 
B. IPv6 addressing
 
C. Gateways
 
D. transitive routing
 
E. RedShift
 
F. ElastiCache
 
 
 
Question 42:
What route is used in a VPC routing table for packet
forwarding to a Gateway?
 
A. static route
 
B. 10.0.0.0/16
 
C. tenant configured
 
D. 0.0.0.0/0
 
E. 0.0.0.0/16
 
 
 
Question 43: You are asked to deploy a web application
comprised of multiple public web servers with only private
addressing assigned. What Amazon AWS solutions enables
multiple servers on a private subnet with only a single EIP
required and Availability Zone redundancy?
A. NAT instance
B. Internet gateway
C. virtual private gateway
D. NAT gateway
E. Elastic Network Interface (ENI)
 
Question 44:
What is the IP addressing schema assigned to a default
VPC?
 
A. 172.31.0.0/16 CIDR block subnetted with
172.31.0.0/20
 
B. 172.16.0.0/16 CIDR block subnetted with
172.16.0.0/24
 
C. 10.0.0.0/16 CIDR block subnetted with 10.0.0.0/24
 
D. 172.16.0.0/24 CIDR block subnetted with
172.31.0.0/18
 
 
 
Question 45:
What default configuration and components are added by
AWS when Default VPC type is selected? (Select three)
 
A. Internet gateway
 
B. virtual private gateway
 
C. NAT instance
 
D. security group
 
E. DNS
 
 
Question 46:
What feature requires tenants to disable source/destination
check?
 
A. Elastic IP (EIP)
 
B. data replication
 
C. VPC peering
 
D. NAT
 
E. Internet gateway
 
 
Storage Services
 
Question 1:
What AWS storage solution allows thousands of EC2
instances to simultaneously upload, access, delete and
share files?
 
A. EBS
 
B. S3
 
C. Glacier
 
D. EFS
 
 
Question 2:
What is required for an EFS mount target? (Select two)
 
A. EIP
 
B. DNS name
 
C. IP address
 
D. DHCP
 
E. IAM role
 
Question 3:
What connectivity features are recommended for
copying on-premises files to EFS? (Select two)
 
A. VPN IPsec
 
B. Internet Gateway
 
C. Direct Connect
 
D. File Sync
 
E. FTP
 
F. AWS Storage Gateway
 
 
Question 4:
What AWS services encrypts data at rest by default? (Select
two)
 
A. S3
 
B. AWS Storage Gateway
 
C. EBS
 
D. Glacier
 
E. RDS
 
 
 
Question 5:
What fault tolerant features does S3 storage provide?
(Select three)
 
A. cross-region replication
 
B. versioning must be disabled
 
C. cross-region asynchronous replication of objects
 
D. synchronous replication of objects within a region
 
E. multiple destination buckets
 
 
Question 6:
What is the fastest technique for deleting 900 objects in an
S3 bucket with a single HTTP request?
 
A. Multi-Part Delete API
 
B. Multi-Object Delete API
 
C. 100 objects is maximum per request
 
D. Fast-Delete API
 
 
Question 7:
What security controls technique is recommended for S3
cross-account access?
 
A. IAM group
 
B. security groups
 
C. S3 ACL
 
D. bucket policies
 
 
Question 8:
What are two advantages of cross-region replication of an
S3 bucket?
 
A. cost
 
B. security compliance
 
C. scalability
 
D. Beanstalk support
 
E. minimize latency
 
 
Question 9:
What are two primary difference between Amazon S3
Standard and S3/RRS storage classes?
 
A. Amazon Standard does not replicate at all
 
B. RRS provides higher durability
 
C. RRS provides higher availability
 
D. RRS does not replicate objects as many times
 
E. application usage is different
 
 
Question 10:
What two features are enabled with S3 services?
 
A. store objects of any size
 
B. dynamic web content
 
C. supports Provisioned IOPS
 
D. store virtually unlimited amounts of data
 
E. bucket names are globally unique
 
 
Question 11:
What new feature was recently added to SQS that defines
how messages are ordered?
 
A. streams
 
B. SNS
 
C. FIFO
 
D. TLS
 
E. decoupling
 
 
Question 12:
What two AWS storage types are persistent?
 
A. ephemeral
 
B. S3
 
C. EBS
 
D. instance store
 
E. SAML
 
 
Question 13:
Select three on-premises backup solutions used for copying
data to an Amazon AWS S3 bucket?
 
A. AWS Import/Export
 
B. RDS
 
C. Snowball
 
D. Availability Zone (AZ) replication
 
E. AWS Storage Gateway
 
 
Question 14:
You have 1 TB of data and want to archive the data that
won't be accessed that often. What Amazon AWS storage
solution is recommended?
 
A. Glacier
 
B. EBS
 
C. ephemeral
 
D. CloudFront
 
Question 15:
What are three methods of accessing DynamoDB for
customization purposes?
 
A. CLI
 
B. AWS console
 
C. API call
 
D. vCenter
 
E. Beanstalk
 
 
Question 16:
What are two primary differences between Glacier and S3
storage services?
 
A. Glacier is lower cost
 
B. S3 is lower cost
 
C. Glacier is preferred for frequent data access with
lower latency
 
D. S3 is preferred for frequent data access with lower
latency
 
E. S3 supports larger file size
 
Question 17:
What statement correctly describes the operation of AWS
Glacier archive?
 
A. archive is a group of vaults
 
B. archive is an unencrypted vault
 
C. archive supports aggregated files only
 
D. maximum file size is 1 TB
 
E. archive supports single and aggregated files
 
Question 18: What are three primary differences between
S3 vs EBS?
A. S3 is a multi-purpose public internet-based storage
B. EBS is directly assigned to a tenant VPC EC2 instance
C. EBS and S3 provide persistent storage
D. EBS snapshots are typically stored on S3 buckets
E. EBS and S3 use buckets to manage files
F. EBS and S3 are based on block level storage
 
Question 19:
What on-premises solution is available from Amazon AWS to
minimize latency for all data?
 
A. Gateway-VTL
 
B. Gateway-cached volumes
 
C. Gateway-stored volumes
 
D. EBS
 
E. S3 bucket
 
F. ElastiCache
 
 
Question 20:
What feature transitions S3 storage to Standard-IA for cost
optimization?
 
A. RRS/S3
 
B. Glacier vault
 
C. storage class analysis
 
D. path-based routing
 
 
Question 21:
How does AWS uniquely identify S3 objects?
 
A. bucket name
 
B. version
 
C. key
 
D. object tag
 
 
Question 22:
What is the advantage of read-after-write consistency for S3
buckets?
 
A. no stale reads for PUT of any new object in all regions
 
B. higher throughput for all requests
 
C. stale reads for PUT requests in some regions
 
D. no stale reads for GET requests in a single regions
 
 
Question 23:
What is the maximum single file object size supported with
Amazon S3?
 
A. 5 GB
 
B. 5 TB
 
C. 1 TB
 
D. 100 GB
 
 
Question 24:
What security problem is solved by using Cross-Origin
Resource Sharing (CORS)?
 
A. enable HTTP requests from within scripts to a different
domain
 
B. enable sharing of web-based files between different
buckets
 
C. provide security for third party objects within AWS
 
D. permits sharing objects between AWS services
Question 25:
What is recommended for migrating 40 TB of data from
on-premises to S3 when the internet link is often
overutilized?
 
A. AWS Storage gateway
 
B. AWS Snowball
 
C. AWS Import/Export
 
D. AWS Elastic File System
 
E. AWS Elasticsearch
 
F. AWS Multi-Part Upload API
 
 
Question 26:
Your company is publishing an online catalog of books that
is currently using DynamoDB for storing the information
associated with each item. There is a requirement to add
images for each book. What solution is most cost effective
and designed for that purpose?
 
A. RedShift
B. EBS
C. RDS
D. S3
E. Kinesis
 
Question 27:
You have an application that collects monitoring data from
10,000 sensors (IoT) deployed in the USA. The data points
are comprised of video events for home security and
environment status alerts. The application will be deployed
to AWS with EC2 instances as data collectors. What AWS
storage service is preferred for storing video files from
sensors?
A. RedShift
B. RDS
C. S3
D. DynamoDB
 
Security Architecture
 
Question 1:
What statements correctly describe security groups within a
VPC? (Select three)
 
A. default security group only permit inbound traffic
 
B. security groups are stateful firewalls
 
C. only allow rules are supported
 
D. allow and deny rules are supported
 
E. security groups are associated to network interfaces
 
Question 2:
What three items are required to configure a security group
rule?
 
A. protocol type
 
B. VPC name
 
C. port number
 
D. source IP
 
E. destination IP
 
F. description
 
 
Question 3:
What two source IP address types are permitted in a
security group rule?
 
A. only CIDR blocks with /16 subnet mask
 
B. source IP address 0.0.0.0/0
 
C. single source IP address with /24 subnet mask
 
D. security group id
 
E. IPv6 address with /64 prefix length
 
 
Question 4:
What protocols must be enabled for remote access to Linux-
based and Windows-based EC2 instances?
 
A. SSH, ICMP, Telnet
 
B. SSH, HTTP, RDP
 
C. SSH, HTTP, SSL
 
D. SSH, RDP, ICMP
 
 
Question 5:
Distinguish network ACLs from security groups within a VPC?
(Select three)
 
A. ACL filters at the subnet level
 
B. ACL is based on deny rules only
 
C. ACL is applied to instances and subnets
 
D. ACL is stateless
 
E. ACL supports a numbered list for filtering
 
Question 6:
What happens to the security permissions of a tenant when
an IAM role is granted? (Select two)
A. tenant inherits only permissions assigned to the IAM
role temporarily
B. add security permissions of the IAM role to existing
permissions
C. previous security permissions are no longer in effect
D. previous security permissions are deleted unless
reconfigured
E. tenant inherits only read permissions assigned to the
IAM role
 
Question 7:
Where are IAM permissions granted to invoke and execute a
Lambda function for S3 access? (Select two)
 
A. S3 bucket
 
B. EC2 instance
 
C. Lambda function
 
D. IAM role
 
E. event mapping
 
Question 8:
You have some developers working on code for an
application and they require temporary access to AWS cloud
up to an hour. What is the easiest web-based solution from
AWS to provides access and minimize security exposure?
 
A. ACL
 
B. security group
 
C. IAM group
 
D. STS
 
E. EFS
 
 
Question 9:
What two methods are used to request temporary
credentials based on AWS Security Token Service (STS)?
 
A. Web Identity Federation
 
B. LDAP
 
C. IAM identity
 
D. dynamic ACL
 
E. private key rotation
 
 
 
Question 10:
What two components are required for enabling SAML
authentication requests to AWS Identity and
Access Management (IAM)?
 
A. access keys
 
B. session token
 
C. SSO
 
D. identity provider (IdP)
 
E. SAML provider entity
 
 
Question 11:
What are two reasons for deploying Origin Access Identity
(OAI) when enabling CloudFront?
A. prevent users from deleting objects in S3 buckets
B. mitigate distributed denial of service attacks (DDoS)
C. prevent users from accessing objects with Amazon S3
URL
D. prevent users from accessing objects with CloudFront
URL
E. replace IAM for internet-based customer
authentication
 
Question 12:
What solutions are recommended to mitigate DDoS attacks?
(Select three)
 
A. host-based firewall
 
B. elastic load balancer
 
C. WAF
 
D. SSL/TLS
 
E. Bastion host
 
F. NAT gateway
 
 
 
Question 13:
What features are required to prevent users from bypassing
AWS CloudFront security? (Select three)
 
A. Bastion host
 
B. signed URL
 
C. IP whitelist
 
D. signed cookies
 
E. origin access identity (OAI)
 
 
Question 14:
What is the advantage of resource-based policies for cross-
account access?
 
A. trusted account permissions are not replaced
 
B. trusted account permissions are replaced
 
C. resource-based policies are easier to deploy
 
D. trusting account manages all permissions
 
 
Question 15:
Select three requirements for configuring a Bastion host?
 
A. EIP
 
B. SSH inbound permission
 
C. default route
 
D. CloudWatch logs group
 
E. VPN
 
F. Auto-Scaling
 
 
Question 16:
What rule must be added to the security group assigned to
a mount target instance that enables EFS access from an
EC2 instance?
A. Type = EC2, protocol = IP, port = 2049, source =
remote security group id
B. Type = EC2, protocol = EFS, port = 2049, source =
0.0.0.0/0
C. Type = NFS, protocol = TCP, port = 2049, source =
remote security group id
D. Type = NFSv4, protocol = UDP, port = 2049, source =
remote security group id
 
Question 17:
What statement correctly describes IAM architecture?
A. IAM security is unified per region and replicated based
on requirements for an AWS tenant account
B. IAM security is defined per region for roles only on an
AWS tenant account
C. IAM security is globally unified across the AWS cloud
for an AWS tenant account
D. IAM security is defined separately per region and
cross-region security enabled for an AWS tenant
account
 
Question 18:
What are two advantages of customer-managed encryption
keys (CMK)?
 
A. create and rotate encryption keys
 
B. AES-128 cipher for data at rest
 
C. audit encryption keys
 
D. encrypts data in-transit for server-side encryption only
 
 
 
Question 19:
What feature is not available with AWS Trusted Advisor?
 
A. cost optimization
 
B. infrastructure best practices
 
C. vulnerability assessment
 
D. monitor application metrics
 
 
 
Question 20:
What is required to Ping from a source instance to a
destination instance?
 
A. Network ACL: not required Security Group: allow ICMP
outbound on source/destination EC2 instances
B. Network ACL: allow ICMP inbound/outbound on
source/destination subnets Security Group: not required
 
C. Network ACL: allow ICMP inbound/outbound on
source/destination subnets Security Group: allow ICMP
outbound on source EC2 instance Security Group: allow
ICMP inbound on destination EC2 instance
D. Network ACL: allow TCP inbound/outbound on
source/destination subnets Security Group: allow TCP and
ICMP inbound on source EC2 instance
 
 
Question 21:
What two steps are required to grant cross-account
permissions between AWS accounts?
 
A. create an IAM user
 
B. attach a trust policy to S3
 
C. create a transitive policy
 
D. attach a trust policy to the role
 
E. create an IAM role
 
 
Question 22: You have configured a security group to allow
ICMP, SSH and RDP inbound and assigned the security
group to all instances in a subnet. There is no access to any
Linux-based or Windows-based instances and you cannot
Ping any instances. The network ACL for the subnet is
configured to allow all inbound traffic to the subnet. What is
the most probable cause?
A. on-premises firewall rules
B. security group and network ACL outbound rules
C. network ACL outbound rules
D. security group outbound rules
E. Bastion host required
 
Question 23:
What three techniques provide authentication security on
S3 volumes?
 
A. bucket policies
 
B. network ACL
 
C. Identity and Access Management (IAM)
 
D. encryption
 
E. AES256
 
 
Question 24: What statement correctly describes support
for AWS encryption of S3 objects?
A. tenants manage encryption for server-side encryption
of S3 objects
B. Amazon manages encryption for server-side
encryption of S3 objects
C. client-side encryption of S3 objects is not supported
D. S3 buckets are encrypted only
E. SSL is only supported with Glacier storage
 
Question 25:
What authentication method provides Federated Single
Sign-On (SSO) for cloud applications?
 
A. ADS
 
B. ISE
 
C. RADIUS
 
D. TACACS
 
E. SAML
 
 
Question 26:
Based on the Amazon security model, what infrastructure
configuration and associated security is the responsibility of
tenants and not Amazon AWS? (Select two)
 
A. dedicated cloud server
 
B. hypervisor
 
C. operating system level
 
D. application level
 
E. upstream physical switch
 
 
Question 27:
What security authentication is required before configuring
or modifying EC2 instances? (Select three)
 
A. authentication at the operating system level
 
B. EC2 instance authentication with asymmetric keys
 
C. authentication at the application level
 
D. Telnet username and password
 
E. SSH/RDP session connection
 
 
Question 28:
What feature is part of Amazon Trusted Advisor?
 
A. security compliance
 
B. troubleshooting tool
 
C. EC2 configuration tool
 
D. security certificates
 
 
Question 29:
What are two best practices for account management within
Amazon AWS?
A. do not use root account for common administrative
tasks
B. create a single AWS account with multiple IAM users
that have root privilege
C. create multiple AWS accounts with multiple IAM users
per AWS account
D. use root account for all administrative tasks
E. create multiple root user accounts for redundancy
 
Question 30:
What AWS feature is recommended for optimizing data
security?
 
A. Multi-factor authentication
 
B. username and encrypted password
 
C. Two-factor authentication
 
D. SAML
 
E. Federated LDAP
 
 
Question 31:
What IAM class enables an EC2 instance to access a file
object in an S3 bucket?
 
A. user
 
B. root
 
C. role
 
D. group
 
 
 
Question 32:
What are three recommended solutions that provide
protection and mitigation from distributed denial of service
(DDoS) attacks?
 
A. security groups
 
B. CloudWatch
 
C. encryption
 
D. WAF
 
E. data replication
 
F. Auto-Scaling
 
 
Question 33:
What are three recommended best practices when
configuring Identity and Access Management (IAM) security
services?
A. Lock or delete your root access keys when not
required
B. IAM groups are not recommended for storage security
C. create an IAM user with administrator privileges
D. share your password and/or access keys with
members of your group only
E. delete any AWS account where the access keys are
unknown
 
Question 34:
What two features create security zones between EC2
instances within a VPC?
 
A. security groups
 
B. Virtual Security Gateway
 
C. network ACL
 
D. WAF
 
 
Question 35:
What AWS service provides vulnerability assessment
services to tenants within the cloud?
 
A. Amazon WAF
B. Amazon Inspector
C. Amazon Cloud Logic
D. Amazon Trusted Advisor
 
 
 
Question 36:
What are two primary differences between AD Connector
and Simple AD for cloud directory services?
A. Simple AD requires an on-premises ADS directory
B. Simple AD is fully managed and setup in minutes
C. AD Connector requires an on-premises ADS directory
D. Simple AD is more scalable than AD Connector
E. Simple AD provides enhanced integration with IAM
 
Database Services
 
Question 1:
How is load balancing enabled for multiple tasks to the
same container instance?
 
A. path-based routing
 
B. reverse proxy
 
C. NAT
 
D. dynamic port mapping
 
E. dynamic listeners
 
 
 
Question 2:
What encryption support is available for tenants that are
deploying AWS DynamoDB?
 
A. server-side encryption
 
B. client-side encryption
 
C. client-side and server-side encryption
 
D. encryption not supported
 
E. block level encryption
 
 
 
Question 3:
What are three primary reasons for deploying ElastiCache?
 
A. data security
 
B. managed service
 
C. replication with Redis
 
D. durability
 
E. low latency
 
 
 
Question 4:
What service does not support session data persistence
store to enable web-based stateful applications?
 
A. RDS
 
B. Memcached
 
C. DynamoDB
 
D. Redis
 
E. RedShift
 
 
Question 5:
How does Memcached implement horizontal scaling?
 
A. Auto-Scaling
 
B. database store
 
C. partitioning
 
D. EC2 instances
 
E. S3 bucket
 
 
 
Question 6:
What two options are available for tenants to access
ElastiCache?
 
A. VPC peering link
 
B. EC2 instances
 
C. EFS mount
 
D. cross-region VPC
 
 
Question 7:
What two statements correctly describe in-transit encryption
support on ElastiCache platform ?
 
A. not supported for ElastiCache platform
 
B. supported on Redis replication group
 
C. encrypts cached data at rest
 
D. not supported on Memcached cluster
 
E. IPsec must be enabled first
 
 
Question 8:
What Amazon AWS platform is designed for complex
analytics of a variety of large data sets based on custom
code. The applications include machine learning and data
transformation?
 
A. EC2
 
B. Beanstalk
 
C. Redshift
 
D. EMR
 
 
Question 9:
What are two primary advantages of DynamoDB?
 
A. SQL support
 
B. managed service
 
C. performance
 
D. CloudFront integration
 
 
Question 10:
What two fault tolerant features does Amazon RDS support?
 
A. copy snapshot to a different region
 
B. create read replica to a different region
 
C. copy unencrypted read-replica only
 
D. copy read/write replica and snapshot
 
 
Question 11:
What managed services are included with Amazon RDS?
(select four)
 
A. assign network capacity to database instances
 
B. install database software
 
C. perform regular backups
 
D. data replication across multiple availability zones
 
E. data replication across single availability zone only
 
F. configure database
 
G. performance tuning
 
 
 
Question 12:
What two configuration features are required to create a
private database instance?
 
A. security group
 
B. network ACL
 
C. CloudWatch
 
D. Elastic IP (EIP)
 
E. Nondefault VPC
 
F. DNS
 
 
 
Question 13:
What storage type is recommended for an online
transaction processing (OLTP) application deployed to Multi-
AZ RDS with significant workloads?
 
A. General Purpose SSD
 
B. Magnetic
 
C. EBS volumes
 
D. Provisioned IOPS
 
 
 
Question 14:
What features are supported with Amazon RDS? (Select
three)
 
A. horizontal scaling with multiple read replicas
 
B. elastic load balancing RDS read replicas
 
C. replicate read replicas cross-region
 
D. automatic failover to master database instance
 
E. application load balancer (ALB)
 
 
Question 15:
What are three advantages of standby replica in a Multi-AZ
RDS deployment?
 
A. fault tolerance
 
B. eliminate I/O freezes
 
C. horizontal scaling
 
D. vertical scaling
 
E. data redundancy
 
 
Question 16:
What consistency model is the default used by DynamoDB?
 
A. strongly consistent
 
B. eventually consistent
 
C. no default model
 
D. casual consistency
 
E. sequential consistency
 
 
Question 17:
What does RDS use for database and log storage?
 
A. EBS
 
B. S3
 
C. instance store
 
D. local store
 
E. SSD
 
 
 
Question 18:
What statements correctly describe support for
Microsoft SQL Server within Amazon VPC? (Select three)
 
A. read/write replica
 
B. read replica only
 
C. vertical scaling
 
D. native load balancing
 
E. EBS storage only
 
F. S3 storage only
 
 
Question 19:
Select two features available with Amazon RDS for MySQL?
 
A. Auto-Scaling
 
B. read requests to standby replicas
 
C. real-time database replication
 
D. active read requests only
 
Question 20:
What are two characteristics of Amazon RDS?
 
A. database managed service
 
B. NoSQL queries
 
C. native load balancer
 
D. database write replicas
 
E. automatic failover of read replica
 
 
 
Question 21:
What caching engines are supported with Amazon
ElastiCache? (Select two)
 
A. HAProxy
 
B. Route 53
 
C. RedShift
 
D. Redis
 
E. Memcached
 
F. CloudFront
 
Question 22:
What are three primary characteristics of DynamoDB?
 
A. less scalable than RDS
 
B. static content
 
C. store metadata for S3 objects
 
D. replication to three Availability Zones
 
E. high read/write throughput
 
 
Question 23:
What are three examples of using Lambda functions to
move data between AWS services?
A. read data directly from DynamoDB streams to RDS
B. read data from Kinesis stream and write data to
DynamoDB
C. read data from DynamoDB stream to Firehose and
write to S3
D. read data from S3 and write metadata to DynamoDB
E. read data from Kinesis Firehose to Kinesis data stream
 
Question 24: You have enabled Amazon RDS database
services in VPC1 for an application with public web servers
in VPC2. How do you connect the web servers to the RDS
database instance so they can communicate considering the
VPC's are in different regions?
A. VPC endpoints
B. VPN gateway
C. path-based routing
D. publicly accessible database
E. VPC peering
 
Question 25:
You have a requirement to create an index to search
customer objects stored in S3 buckets. The solution should
enable you to create a metadata search index for each
object stored to an S3 bucket. Select the most scalable and
cost effective solution?
A. RDS, ElastiCache
B. DynamoDB, Lambda
C. RDS, EMR, ALB
D. RedShift
 
Question 26: What are three advantages of using
DynamoDB over S3 for storing IoT sensor data where there
are 100,000 data point samples sent per minute?
A. S3 must create a single file for each event
B. IoT can write data directly to DynamoDB
C. DynamoDB provides fast read/writes to a structured
table for queries
D. DynamoDB is designed for frequent access and fast
lookup of small records
E. S3 is designed for frequent access and fast lookup of
smaller records
F. IoT can write data directly to S3
 
Question 27:
Your company is a provider of online gaming that customers
access with various network access devices including
mobile phones. What is a data warehousing solutions for
large amounts of information on player behavior, statistics
and events for analysis using SQL tools?
 
A. RedShift
B. DynamoDB
C. RDS
D. DynamoDB
E. Elasticsearch
 
 
 
Question 28: What two statements are correct when
comparing Elasticsearch and RedShift as analytical tools?
A. Elasticsearch is a text search engine and document
indexing tool
B. RedShift supports complex SQL-based queries with
Petabyte sized data store
C. Elasticsearch supports SQL queries
D. RedShift provides only basic analytical services
E. Elasticsearch does not support JSON data type
 
Question 29:
What happens when read or write requests exceed capacity
units (throughput capacity) for a DynamoDB table or index?
(Select two)
A. DynamoDB automatically increases read/write units
B. DynamoDB can throttle requests so that requests are
not exceeded
C. HTTP 400 code is returned (Bad Request)
D. HTTP 500 code is returned (Server Error)
E. DynamoDB automatically increases read/write units if
provisioned throughput is enabled
 
Question 30:
What read consistency method provides lower latency for
GetItem requests?
 
A. strongly persistent
B. eventually consistent
C. strongly consistent
D. write consistent
 
 
 
Question 31:
You must specify strongly consistent read and write capacity
for your DynamoDB database. You have determined read
capacity of 128 Kbps and write capacity of 25 Kbps is
required for your application. What is the read and write
capacity units required for DynamoDB table?
A. 32 read units, 25 write units
B. 1 read unit, 1 write unit
C. 16 read units, 2.5 write units
D. 64 read units, 10 write units
 
Question 32:
What DynamoDB capacity management technique is based
on the tenant specifying an upper and lower range for
read/write capacity units?
 
A. demand
B. provisioned throughput
C. reserved capacity
D. auto scaling
E. general purpose
 
 
 
Question 33:
What is the maximum volume size of a MySQL RDS
database?
 
A. 6 TB
B. 3 TB
C. 16 TB
D. unlimited
 
 
 
Question 34:
What is the maximum size of a DynamoDB record (item)?
 
A. 400 KB
B. 64 KB
C. 1 KB
D. 10 KB
 
 
 
Fault Tolerant Systems
 
Question 1:
What two features describe an Application Load Balancer
(ALB)?
 
A. dynamic port mapping
 
B. SSL listener
 
C. layer 7 load balancer
 
D. backend server authentication
 
E. multi-region forwarding
 
 
 
Question 2:
What enables load balancing between multiple applications
per load balancer?
 
A. listeners
 
B. sticky sessions
 
C. path-based routing
 
D. backend server authentication
 
 
 
Question 3:
What three features are characteristic of Classic Load
Balancer?
 
A. dynamic port mapping
 
B. path-based routing
 
C. SSL listener
 
D. backend server authentication
 
E. ECS
 
F. Layer 4 based load balancer
 
 
Question 4:
What security feature is only available with Classic Load
Balancer?
 
A. IAM role
 
B. SAML
 
C. back-end server authentication
 
D. security groups
 
E. LDAP
 
 
Question 5:
What is a primary difference between Classic and Network
Load Balancer?
 
A. IP address target
 
B. Auto-Scaling
 
C. protocol target
 
D. cross-zone load balancing
 
E. listener
 
 
 
Question 6:
What are the first two conditions used by Amazon AWS
default termination policy for Multi-AZ architecture?
A. unprotected instance with oldest launch configuration
B. Availability Zone (AZ) with the most instances
C. at least one instance that is not protected from scale
in
D. unprotected instance closest to the next billing hour
E. random selection of any unprotected instance
 
Question 7:
What feature is used for horizontal scaling of consumers to
process data records from a Kinesis data stream?
 
A. vertical scaling shards
 
B. Auto-Scaling
 
C. Lambda
 
D. Elastic Load Balancer
 
 
 
Question 8:
What DNS records can be used for pointing a zone apex to
an Elastic Load Balancer or CloudFront distribution? (Select
two)
 
A. Alias
 
B. CNAME
 
C. MX
 
D. A
 
E. Name Server
 
 
 
Question 9:
What services are primarily provided by DNS Route 53?
(Select three)
A. load balancing web servers within a private subnet
B. resolve hostnames and IP addresses
C. load balancing web servers within a public subnet
D. load balancing data replication requests between ECS
containers
E. resolve queries and route internet traffic to AWS
resources
F. automated health checks to EC2 instances
 
Question 10:
What are two features that correctly describe Availability
Zone (AZ) architecture?
 
A. multiple regions per AZ
 
B. interconnected with private WAN links
 
C. multiple AZ per region
 
D. interconnected with public WAN links
 
E. data auto-replicated between zones in different
regions
 
F. Direct Connect supports Layer 2 connectivity to region
 
 
Question 11:
How is Route 53 configured for Warm Standby fault
tolerance? (Select two)
 
A. automated health checks
 
B. path-based routing
 
C. failover records
 
D. Alias records
 
 
Question 12:
How is DNS Route 53 configured for Multi-Site fault
tolerance? (Select two)
 
A. IP address
 
B. weighted records (non-zero)
 
C. health checks
 
D. Alias records
 
E. zero weighted records
 
 
Question 13:
What is an Availability Zone?
 
A. data center
 
B. multiple VPCs
 
C. multiple regions
 
D. single region
 
E. multiple EC2 server instances
 
 
Question 14:
How are DNS records managed with Amazon AWS to
enable high availability?
 
A. Auto-Scaling
 
B. server health checks
 
C. reverse proxy
 
D. elastic load balancing
 
 
Question 15:
What is the difference between Warm Standby and Multi-
Site fault tolerance? (Select two)
A. Multi-Site enables lower RTO and most recent RPO
B. Warm Standby enables lower RTO and most recent
RPO
C. Multi-Site provides active/active load balancing
D. Multi-Site provides active/standby load balancing
E. DNS Route 53 is not required for Warm Standby
 
Question 16:
What AWS best practice is recommended for creating fault
tolerant systems?
 
A. vertical scaling
 
B. Elastic IP (EIP)
 
C. security groups
 
D. horizontal scaling
 
E. RedShift
 
 
 
Question 17:
What two statements correctly describe versioning for
protecting data at rest on S3 buckets?
 
A. enabled by default
 
B. overwrites most current file version
 
C. restores deleted files
 
D. saves multiple versions of a single file
 
E. disabled by default
 
Question 18:
What two methods are recommended by AWS for protecting
EBS data at rest?
 
A. replication
 
B. snapshots
 
C. encryption
 
D. VPN
 
 
 
Question 19:
You have an Elastic Load Balancer assigned to a VPC with
public and private subnets. ELB is configured to load
balance traffic to a group of EC2 instances assigned to an
Auto-Scaling group. What three statements are correct?
A. Elastic Load Balancer is assigned to a public subnet
B. network ACL is assigned to Elastic Load Balancer
C. security group is assigned to Elastic Load Balancer
D. cross-zone load balancing is not supported
E. Elastic Load Balancer forwards traffic to primary
private IP address (eth0 interface) on each instance
 
Deployment and Orchestration
 
Question 1:
What Amazon AWS service is available for container
management?
 
A. ECS
 
B. Docker
 
C. Kinesis
 
D. Lambda
 
 
 
Question 2:
What is associated with Microservices? (Select two)
 
A. Application Load Balancer
 
B. Kinesis
 
C. RDS
 
D. DynamoDB
 
E. ECS
 
 
Question 3:
Where does Amazon retrieve web content when it is not in
the nearest CloudFront edge location?
 
A. secondary location
 
B. file server
 
C. EBS
 
D. S3 bucket
 
 
 
Question 4:
What two features of an API Gateway minimize the effects of
peak traffic events and minimize latency?
 
A. load balancing
 
B. firewalling
 
C. throttling
 
D. scaling
 
E. caching
 
Question 5:
What three characteristics differentiate Lambda from
traditional EC2 deployment or containerization?
 
A. Lambda is based on Kinesis scripts
 
B. Lambda is serverless
 
C. tenant has ownership of EC2 instances
 
D. tenant has no control of EC2 instances
 
E. Lambda is a code-based service
 
F. Lambda supports only S3 and Glacier
 
 
Question 6:
How is code uploaded to Lambda?
 
A. Lambda instance
 
B. Lambda container
 
C. Lambda entry point
 
D. Lambda function
 
E. Lambda AMI
 
 
Question 7:
How are Lambda functions triggered?
 
A. EC2 instance
 
B. hypervisor
 
C. Kinesis
 
D. operating system
 
E. event source
 
 
Question 8: What three statements correctly describe
standard Lambda operation?
A. Lambda function is allocated 500 MB ephemeral disk
space
B. Lambda function is allocated 100 MB EBS storage
C. Lambda stores code in S3
D. Lambda stores code in a Glacier vault
E. Lambda stores code in containers
F. maximum execution time is 300 seconds
Question 9:
What network events are restricted by Lambda? (Select two)
 
A. only inbound TCP network connections are blocked by
AWS Lambda
 
B. all inbound network connections are blocked by AWS
Lambda
 
C. all inbound and outbound connections are blocked
 
D. outbound connections support only TCP/IP sockets
 
E. outbound connections support only SSL sockets
 
 
Question 10:
How is versioning supported with Lambda? (Select two)
 
A. Lambda native support
 
B. ECS container
 
C. not supported
 
D. Aliases
 
E. replication
 
F. S3 versioning
 
 
Question 11:
What is the difference between Stream-based and AWS
Services when enabling Lambda?
A. streams maintains event source mapping in Lambda
B. streams maintains event source mapping in event
source
C. streams maintains event source mapping in EC2
instance
D. streams maintains event source mapping in
notification
E. streams maintains event source mapping in API
Question 12:
Select two custom origin servers from the following?
 
A. S3 bucket
 
B. S3 object
 
C. EC2 instance
 
D. Elastic Load Balancer
 
E. API gateway
 
 
 
Question 13:
What two attributes are only associated with CloudFront
private content?
 
A. Amazon S3 URL
 
B. signed cookies
 
C. web distribution
 
D. signed URL
 
E. object
 
 
Question 14:
How are origin servers located within CloudFront (Select
two)
 
A. DNS request
 
B. distribution list
 
C. web distribution
 
D. RTMP protocol
 
E. source mapping
 
Question 15:
Where are HTML files sourced from when they are not
cached at a CloudFront edge location?
 
A. S3 object
 
B. origin HTTP server
 
C. S3 bucket
 
D. nearest edge location
 
E. RTMP server
 
F. failover edge location
 
 
 
Question 16:
What is the capacity of a single Kinesis shard? (Select two)
 
A. 2000 PUT records per second
 
B. 1 MB/sec data input and 2 MB/sec data output
 
C. 10 MB/sec data input and 10 MB/sec data output
 
D. 1000 PUT records per second
 
E. unlimited
 
 
Question 17:
What Amazon AWS service supports real-time processing of
data stream from multiple consumers and replay of records?
 
A. DynamoDB
 
B. EMR
 
C. Kinesis data streams
 
D. SQS
 
E. RedShift
 
 
Question 18: Your company has asked you to capture and
forward a real-time data stream on a massive scale directly
to RedShift for analysis with BI tools. What AWS tool is most
appropriate that provides the feature set and cost effective?
A. DynamoDB
B. SQS
C. Elastic Map Reduce
D. Kinesis Firehose
E. SNS
F. CloudFront
 
Question 19:
What feature permits tenants to use a private domain name
instead of the domain name that CloudFront assigns to a
distribution?
 
A. Route 53
 
B. CNAME record
 
C. MX record
 
D. RTMP
 
E. Signed URL
 
 
Question 20:
What Amazon AWS service is available to guarantee the
consuming of a unique message only once?
 
A. Beanstalk
 
B. SQL
 
C. Exchange
 
D. SQS
 
 
Question 21:
What is the fastest and easiest method for migrating an on-
premises VMware virtual machine to the AWS cloud?
 
A. Amazon Marketplace
 
B. AWS Server Migration Service
 
C. AWS Storage Gateway
 
D. EC2 Import/Export
 
 
Question 22:
Select the stateless protocol from the following?
 
A. FTP
 
B. TCP
 
C. HTTP
 
D. SSH
 
 
 
Question 23:
What are three valid endpoints for an API gateway?
 
A. RESTful API
 
B. Lambda function
 
C. AWS service
 
D. web server
 
E. HTTP method
 
 
Question 24:
How is a volume selected (identified) when making an EBS
Snapshot?
 
A. account id
 
B. volume id
 
C. tag
 
D. ARN
 
Question 25:
What deployment service enables tenants to replicate an
existing AWS stack?
 
A. Beanstalk
 
B. CloudFormation
 
C. RedShift
 
D. EMR
 
 
Question 26:
What three services can invoke a Lambda function?
 
A. SNS topic
 
B. CloudWatch event
 
C. EC2 instance
 
D. security group
 
E. S3 bucket notification
 
 
Question 27:
What two services enable automatic polling of a stream for
new records only and forward them to an AWS storage
service?
 
A. SNS
 
B. Kinesis
 
C. Lambda
 
D. DynamoDB
 
 
Question 28:
Your company is deploying a web site with dynamic content
to customers in US, EU and APAC regions of the world.
Content will include live streaming videos to customers. SSL
certificates are required for security purposes. Select the
AWS service delivers all requirements and provides the
lowest latency?
A. DynamoDB
B. CloudFront
C. S3
D. Redis
 
Question 29:
What are the advantages of Beanstalk? (Select two)
 
A. orchestration and deployment abstraction
 
B. template-oriented deployment service
 
C. easiest solution for developers to deploy cloud
applications
 
D. does not support cloud containers
 
 
Question 30:
You are a network analyst with JSON scripting experience
and asked to select an AWS solution that enables automated
deployment of cloud services. The template design would
include a nondefault VPC with EC2 instances, ELB, Auto-
Scaling and active/active failover. What AWS solution is
recommended?
A. Beanstalk
B. OpsWorks
C. CloudTrail
D. CloudFormation
 
Question 31:
Select two statements that correctly describe OpsWorks?
 
A. Opsworks provides operational and configuration
automation
 
B. OpsWorks is a lower cost alternative to BeanStalk
 
C. OpsWorks is primarily a monitoring service
 
D. Chef scripts (recipes) are a key aspect of OpsWorks
 
 
Question 32:
Your company has developed an IoT application that sends
Telemetry data from 100,000 sensors. The sensors send a
data point of 1 KB at one-minute intervals to a DynamoDB
collector for monitoring purposes. What AWS stack would
enable you to store data for real-time processing and
analytics using BI tools?
A. Sensors -> Kinesis Stream -> Firehose -> DynamoDB
B. Sensors -> Kinesis Stream -> Firehose -> DynamoDB -> S3
C. Sensors -> AWS IoT -> Firehose -> RedShift
D. Sensors -> Kinesis Data Streams -> Firehose -> RDS

 
Question 33:
Your company has an application that was developed and
migrated to AWS cloud. The application leverages some
AWS services as part of the architecture. The stack includes
EC2 instances, RDS database, S3 buckets, RedShift and
Lambda functions. In addition there is IAM security
permissions configured with defined users, groups and roles.
The application is monitored with CloudWatch and STS was
recently added for permitting Web Identity Federation sign-
on from Google accounts. You want a solution that can
leverage the experience of your employees with AWS cloud
infrastructure as well. What AWS service can create a
template of the design and configuration for easier
deployment of the application to multiple regions?
A. Snowball
B. Opsworks
C. CloudFormation
D. Beanstalk
 
Monitoring Services
 
Question 1:
What statement correctly describes CloudWatch operation
within AWS cloud?
 
A. log data is stored indefinitely
 
B. log data is stored for 15 days
 
C. alarm history is never deleted
 
D. ELB is not supported
 
 
Question 2:
What are two AWS subscriber endpoint services that are
supported with SNS?
 
A. RDS
 
B. Kinesis
 
C. SQS
 
D. Lambda
 
E. EBS
 
F. ECS
 
 
 
Question 3:
What AWS services work in concert to integrate security
monitoring and audit within a VPC? (Select three)
 
A. Syslog
 
B. CloudWatch
 
C. WAF
 
D. CloudTrail
 
E. VPC Flow Log
 
 
Question 4:
How is CloudWatch integrated with Lambda? (Select two)
 
A. tenant must enable CloudWatch monitoring
 
B. network metrics such as latency are not monitored
 
C. Lambda functions are automatically monitored
through Lambda service
 
D. log group is created for each event source
 
E. log group is created for each function
 
 
Question 5:
What two statements correctly describe AWS monitoring
and audit operations?
A. CloudTrail captures API calls, stores them in an S3
bucket and generates a Cloudwatch event
B. CloudWatch alarm can send a message to a Lambda
function
C. CloudWatch alarm can send a message to an SNS
Topic that triggers an event for a Lambda function
D. CloudTrail captures all AWS events and stores them in
a log file
E. VPC logs do not support events for security groups
 
Question 6:
What is required for remote management access to your
Linux-based instance?
 
A. ACL
 
B. Telnet
 
C. SSH
 
D. RDP
 
 
 
Question 7:
What are two features of CloudWatch operation?
A. CloudWatch does not support custom metrics
B. CloudWatch permissions are granted per feature and
not AWS resource
C. collect and monitor operating system and application
generated log files
D. AWS services automatically create logs for
CloudWatch
E. CloudTrail generates logs automatically when AWS
account is activated
 
Question 8:
You are asked to select an AWS solution that will create a log
entry anytime a snapshot of an RDS database instance and
deletes the original instance. Select the AWS service that
would provide that feature?
 
A. VPC Flow Logs
 
B. RDS Access Logs
 
C. CloudWatch
 
D. CloudTrail
 
 
Question 9:
What is required to enable application and operating system
generated logs and publish to CloudWatch Logs?
 
A. Syslog
 
B. enable access logs
 
C. IAM cross-account enabled
 
D. CloudWatch Log Agent
 
 
Question 10:
What is the purpose of VPC Flow Logs?
 
A. capture VPC error messages
 
B. capture IP traffic on network interfaces
 
C. monitor network performance
 
D. monitor netflow data from subnets
 
E. enable Syslog services for VPC
 
 
Question 11:
Select two cloud infrastructure services and/or components
included with default CloudWatch monitoring?
 
A. SQS queues
 
B. operating system metrics
 
C. hypervisor metrics
 
D. virtual appliances
 
E. application level metrics
 
 
 
Question 12:
What feature enables CloudWatch to manage capacity
dynamically for EC2 instances?
 
A. replication lag
 
B. Auto-Scaling
 
C. Elastic Load Balancer
 
D. vertical scaling
 
 
Question 13:
What AWS service is used to monitor tenant remote access
and various security errors including authentication retries?
 
A. SSH
 
B. Telnet
 
C. CloudFront
 
D. CloudWatch
 
 
Question 14:
How does Amazon AWS isolate metrics from different
applications for monitoring, store and reporting purposes?
 
A. EC2 instances
 
B. Beanstalk
 
C. CloudTrail
 
D. namespaces
 
E. Docker
 
 
Question 15:
What Amazon AWS service provides account transaction
monitoring and security audit?
 
A. CloudFront
 
B. CloudTrail
 
C. CloudWatch
 
D. security group
 
 
Question 16:
What two statements correctly describe CloudWatch
monitoring of database instances?
A. metrics are sent automatically from DynamoDB and
RDS to CloudWatch
B. alarms must be configured for DynamoDB and RDS
within CloudWatch
C. metrics are not enabled automatically for DynamoDB
and RDS
D. RDS does not support monitoring of operating system
metrics
 
Question 17:
What AWS service can send notifications to customer
smartphones and mobile applications with attached video
and/or alerts?
 
A. EMR
B. Lambda
C. SQS
D. SNS
E. CloudTrail
 
*** Answer Key ***
 
EC2 Compute
 
Question 1:
What three attributes are selectable when creating an EBS
volume for an EC2 instance?
 
A. volume type
 
B. IOPS
 
C. region
 
D. CMK
 
E. ELB
 
F. EIP
 
Answer (A,B,D)
Question 2: You have been asked to migrate a 10 GB
unencrypted EBS volume to an encrypted volume for
security purposes. What are three key steps required as part
of the migration?
A. pause the unencrypted instance
B. create a new encrypted volume of the same size and
availability zone
C. create a new encrypted volume of the same size in
any availability zone
D. start converter instance
E. shutdown and detach the unencrypted instance
Answer (B,D,E)
Question 3: What is EC2 instance protection?
A. prevents Auto Scaling from selecting specific EC2
instance to be replaced when scaling in
B. prevents Auto Scaling from selecting specific EC2
instance to be replaced when scaling out
C. prevents Auto Scaling from selecting specific EC2
instance for termination when scaling out
D. prevents Auto Scaling from selecting specific EC2
instance for termination when scaling in
E. prevents Auto Scaling from selecting specific EC2
instance for termination when paused
F. prevents Auto Scaling from selecting specific EC2
instance for termination when stopped
Answer (D)
Question 4:
What two features are supported with EBS volume Snapshot
feature?
 
A. EBS replication across regions
 
B. EBS multi-zone replication
 
C. EBS single region only
 
D. full snapshot data only
 
E. unencrypted snapshot only
 
Answer (A,B)
 
 
Question 5:
What two resource tags are supported for an EC2 instance?
 
A. VPC endpoint
 
B. EIP
 
C. network interface
 
D. security group
 
E. Flow Log
 
Answer (A,E)
Question 6:
What two options are available to alert tenants when an EC2
instance is terminated?
 
A. SNS
 
B. CloudTrail
 
C. Lambda function
 
D. SQS
 
E. STS
 
Answer (A,C)
 
Question 7:
What class of EC2 instance type is recommended for
running data analytics?
 
A. memory optimized
 
B. compute optimized
 
C. storage optimized
 
D. general purpose optimized
 
Answer (B)
 
Question 8:
What class of EC2 instance type is recommended for
database servers?
 
A. memory optimized
 
B. compute optimized
 
C. storage optimized
 
D. general purpose optimized
 
Answer (A)
 
Question 9:
What two attributes distinguish each pricing model?
 
A. reliability
 
B. amazon service
 
C. discount
 
D. performance
 
E. redundancy
 
Answer (A,C)
 
Question 10:
What are three standard AWS pricing models?
 
A. elastic
 
B. spot
 
C. reserved
 
D. dynamic
 
E. demand
 
Answer (B,C,E)
 
Question 11:
How is an EBS root volume created when launching an EC2
instance from a new EBS-backed AMI?
 
A. S3 template
 
B. original AMI
 
C. snapshot
 
D. instance store
 
Answer (C)
Question 12:
What Amazon AWS sources are available for creating an
EBS-Backed Linux AMI? (select two)
 
A. EC2 instance
 
B. Amazon SMS
 
C. VM Import/Export
 
D. EBS Snapshot
 
E. S3 bucket
 
Answer (A,D)
 
Question 13:
What is required to prevent an instance from being
launched and incurring costs?
 
A. stop instance
 
B. terminate instance
 
C. terminate AMI and de-register instance
 
D. stop and de-register instance
 
E. stop, deregister AMI and terminate instance
 
Answer (E)
 
Question 14:
What is an EBS Snapshot?
 
A. backup of an EBS root volume and instance data
 
B. backup of an EC2 instance
 
C. backup of configuration settings
 
D. backup of instance store
 
Answer (A)
 
Question 15:
Where are ELB and Auto-Scaling groups deployed as a
unified solution for horizontal scaling?
 
A. database instances
 
B. all instances
 
C. web server instances
 
D. default VPC only
 
Answer (C)
 
Question 16: What feature is supported when attaching or
detaching an EBS volume from an EC2 instance?
A. EBS volume can be attached and detached to an EC2
instance in the same region
B. EBS volume can be attached and detached to an EC2
instance that is cross-region
C. EBS volume can only be copied and attached to an
EC2 instance that is cross-region
D. EBS volume can only be attached and detached to an
EC2 instance in the same Availability Zone
Answer (D)
Question 17:
What two statements correctly describe how to add or
modify IAM roles to a running EC2 instance?
A. attach an IAM role to an existing EC2 instance from
the EC2 console
B. replace an IAM role attached to an existing EC2
instance from the EC2 console
C. attach an IAM role to the user account and relaunch
the EC2 instance
D. add the EC2 instance to a group where the role is a
member
Answer (A,B)
Question 18: What is the default behavior for an EC2
instance when terminated? (Select two)
A. DeleteOnTermination attribute cannot be modified
B. EBS root device volume and additional attached
volumes are deleted immediately
C. EBS data volumes that you attach at launch persist
D. EBS root device volume is automatically deleted when
instance terminates
Answer (C,D)
Question 19:
How do you launch an EC2 instance after it is terminated?
(Select two)
 
A. launch a new instance using the same AMI
 
B. reboot instance from CLI
 
C. launch a new instance from a Snapshot
 
D. reboot instance from management console
 
E. contact AWS support to reset
 
Answer (A,C)
 
Question 20:
What service can automate EBS snapshots (backups) for
restoring EBS volumes?
 
A. CloudWatch event
 
B. SNS topic
 
C. CloudTrail
 
D. Amazon Inspector
 
E. CloudWatch alarm
 
Answer (A)
 
Question 21:
What will cause AWS to terminate an EC2 instance on
launch? (Select two)
 
A. security group error
 
B. number of EC2 instances on AWS account exceeded
 
C. EBS volume limits exceeded
 
D. multiple IP addresses assigned to instance
 
E. unsupported instance type assigned
 
Answer (B,C)
 
Question 22: You recently made some configuration
changes to an EC2 instance. You then launched a new EC2
instance from the same AMI however none of the settings
were saved. What is the cause of this error?
A. did not save configuration changes to EC2 instance
B. did not save configuration changes to AMI
C. did not create new AMI
D. did not reboot EC2 instance to enable changes
Answer (C)
Question 23: What statements are correct concerning
DisableApiTermination attribute? (Select two)
A. cannot enable termination protection for Spot
instances
B. termination protection is disabled by default for an
EC2 instance
C. termination protection is enabled by default for an
EC2 instance
D. can enable termination protection for Spot instances
E. DisableApiTermination attribute supported for EBS-
backed instances only
Answer (A,B)
Question 24:
What is required to copy an encrypted EBS snapshot cross-
account? (Select two)
A. copy the unencrypted EBS snapshot to an S3 bucket
B. distribute the custom key from CloudFront
C. share the custom key for the snapshot with the target
account
D. share the encrypted EBS snapshot with the target
account
E. share the encrypted EBS snapshots publicly
F. enable root access security on both accounts
Answer (C,D)
Question 25:
What three services enable Single-AZ as a default?
 
A. EC2
 
B. ELB
 
C. Auto-Scaling
 
D. DynamoDB
 
E. S3
Answer (A,B,C)
 
Question 26:
What AWS service automatically publishes access logs every
five minutes?
 
A. VPC Flow Logs
 
B. Elastic Load Balancer
 
C. CloudTrail
 
D. DNS Route 53
 
Answer (B)
Question 27:
You have developed a web-based application for file sharing
that will allow customers to access files. There are a variety
of sizes that include larger .pdf and video files. What two
solution stacks could tenants use for an online file sharing
service? (Select two)
A. EC2, ELB, Auto-Scaling, S3
B. Route 53, Auto-Scaling, DynamoDB
C. EC2, Auto-Scaling, RDS
D. CloudFront
 
Answer (A,D)
 
Question 28:
What infrastructure services are provided to EC2 instances?
(Select three)
 
A. VPN
 
B. storage
 
C. compute
 
D. transport
 
E. security
 
F. support
 
Answer (B,C,D)
 
Question 29:
What steps are required from AWS console to copy an EBS-
backed AMI for a database instance cross-region?
A. create Snapshot of data volume, select Copy, select
destination region
B. select Copy EBS-backed AMI option and destination
region
C. select copy database volume and destination region
D. create Snapshot of EBS-backed AMI, select Copy
Snapshot option, select destination region
E. create Snapshot of Instance-store AMI, select Copy
AMI option, select destination region
Answer (D)
Question 30:
How is capacity (compute, storage and network
speed) managed and assigned to EC2 instances?
 
A. AMI
 
B. instance type
 
C. IOPS
 
D. Auto-Scaling
 
Answer (B)
 
Question 31:
What storage type enable permanent attachment of
volumes to EC2 instances?
 
A. S3
 
B. RDS
 
C. TDS
 
D. EBS
 
E. instance store
 
Answer (D)
 
Question 32: What is the recommended method for
migrating (copying) an EC2 instance to a different region?
A. terminate instance, select region, copy instance to
destination region
B. select AMI associated with EC2 instance and use Copy
AMI option
C. stop instance and copy AMI to destination region
D. cross-region copy is not currently supported
Answer (B)
Question 33:
What are two attributes that define an EC2 instance type?
 
A. vCPU
 
B. license type
 
C. EBS volume storage
 
D. IP address
 
E. Auto-Scaling
 
Answer (A,C)
Question 34:
How is an Amazon Elastic Load Balancer (ELB) assigned?
 
A. per EC2 instance
 
B. per Auto-Scaling group
 
C. per subnet
 
D. per VPC
 
Answer (A)
 
Question 35:
What method detects when to replace an EC2 instance that
is assigned to an Auto-Scaling group?
 
A. health check
 
B. load balancing algorithm
 
C. EC2 health check
 
D. not currently supported
 
E. dynamic path detection
 
F. Auto-Scaling
 
Answer (A)
 
 
 
Question 36:
What two statements correctly describe Auto-Scaling
groups?
 
A. horizontal scaling of capacity
 
B. decrease number of instances only
 
C. EC2 instances are assigned to a group
 
D. database instances only
 
E. no support for multiple availability zones
 
Answer (A,C)
 
Question 37:
What is the default maximum number of Elastic IP
addresses assignable per Amazon AWS region?
 
A. 1
 
B. 100
 
C. 5
 
D. unlimited
 
Answer (C)
 
Question 38:
How are snapshots for an EBS volume created when it is the
root device for an instance?
 
A. pause instance, unmount volume and snapshot
 
B. terminate instance and snapshot
 
C. unencrypt volume and snapshot dynamically
 
D. stop instance, unmount volume and snapshot
 
Answer (D)
 
Question 39:
What cloud compute components are configured by tenants
and not Amazon AWS support engineers? (Select three)
 
A. hypervisor
 
B. upstream physical switch
 
C. virtual appliances
 
D. guest operating system
 
E. applications and databases
 
F. RDS
 
Answer (C,D,E)
 
Question 40:
What three attributes are used to define a launch
configuration template for an Auto-Scaling group?
 
A. instance type
 
B. private IP address
 
C. Elastic IP
 
D. security group
 
E. AMI
 
Answer (A,D,E)
 
Question 41:
What three characteristics or limitations differentiate EC2
instance types?
 
A. VPC only
B. application type
C. EBS volume only
D. virtualization type
E. AWS service selected
 
Answer (A,C,D)
Question 42:
Select two difference between HVM and PV virtualization
types?
 
A. HVM supports all current generation instance types
B. HVM is similar to bare metal hypervisor architecture
C. PV provides better performance than HVM for most
instance types
 
D. HVM doesn’t support enhanced networking
E. HVM doesn’t support current generation instance
types
 
Answer (A,B)
Virtual Private Cloud (VPC) Question 1:
What are the minimum components required to enable a
web-based application with public web servers and a private
database tier? (select three)
A. Internet gateway
B. Assign EIP addressing to database instances on
private subnet
C. Virtual private gateway
D. Assign database instances to private subnet and
private IP addressing
E. Assign EIP and private IP addressing to web servers
on public subnet
Answer (A,D,E)
Question 2:
Refer to the network drawing. How are packets routed
from private subnet to public subnet for the following web-
based application with a database tier?
A. Internet gateway
 
B. custom route table
 
C. 10.0.0.0/16
 
D. nat-instance-id
 
E. igw-id
 
F. add custom route table
 
Answer (D)
 
Question 3:
What VPC component provides Network Address
Translation?
 
A. NAT instance
 
B. NAT gateway
 
C. virtual private gateway
 
D. Internet gateway
 
E. ECS
 
Answer (D)
 
Question 4:
What are the advantages of NAT gateway over NAT
instance? (Select two)
 
A. NAT gateway requires a single EC2 instance
 
B. NAT gateway is scalable
 
C. NAT gateway translates faster
 
D. NAT gateways is a managed service
 
E. NAT gateway is Linux-based
 
Answer (B,D)
 
Question 5:
What is the management responsibility of tenants and not
Amazon AWS?
 
A. EC2 instances
 
B. RDS
 
C. Beanstalk
 
D. NAT instance
 
Answer (A,D)
Question 6:
What two features provide an encrypted (VPN) connection
from VPC to an enterprise data center?
 
A. Internet gateway
 
B. Amazon RDS
 
C. Virtual private gateway
 
D. CSR 1000V router
 
E. NAT gateway
 
Answer (C,D)
 
Question 7:
What two attributes are supported when configuring an
Amazon Virtual private gateway (VPG)?
 
A. route propagation
 
B. Elastic IP (EIP)
 
C. DHCP
 
D. public IPv4 address
 
E. public subnets
 
Answer (A,C)
 
Question 8:
What two features are available with AWS Direct Connect
service?
 
A. internet access
 
B. extend on-premises VLANs to cloud
 
C. bidirectional forwarding detection (BFD)
 
D. load balancing between Direct Connect and VPN
connection
 
E. public and private AWS services
 
Answer (C,E)
 
Question 9:
When is Direct Connect a preferred solution over VPN IPsec?
 
A. fast and reliable connection
 
B. redundancy is a key requirement
 
C. fast and easy to deploy
 
D. layer 3 connectivity
 
E. layer 2 connectivity
 
Answer (A)
Question 10:
You have been asked to setup a VPC endpoint connection
between VPC and S3 buckets for storing backups and
snapshots. What AWS components are currently required
when configuring a VPC endpoint?
 
A. Internet gateway
 
B. NAT instance
 
C. Elastic IP
 
D. private IP address
 
Answer (D)
 
Question 11:
What are the primary advantages of VPC endpoints? (Select
two)
 
A. reliability
 
B. cost
 
C. throughput
 
D. security
 
Answer (B,D)
 
Question 12:
What are the DHCP option attributes used to assign private
DNS servers to your VPC?
 
A. dns resolution and domain name
 
B. hostnames and internet domain
 
C. domain servers and domain name
 
D. domain-name-servers and domain-name
 
Answer (D)
 
 
Question 13:
What DNS attributes are configured when Default VPC
option is selected?
 
A. DNS resolution: yes / DNS hostnames: yes
 
B. DNS resolution: yes / DNS hostnames: no
 
C. DNS resolution: no / DNS hostnames: yes
 
D. DNS resolution: no / DNS hostnames: no
 
Answer (A)
Question 14:
What configuration settings are required from the remote
VPC in order to create cross-account peering? (Select three)
 
A. VPC ID
 
B. account username
 
C. account ID
 
D. CMK keys
 
E. VPC CIDR block
 
F. volume type
 
Answer (A,C,E)
 
Question 15:
What CIDR block range is supported for IPv4 addressing and
subnetting within a single VPC?
 
A. /16 to /32
 
B. /16 to /24
 
C. /16 to /28
 
D. /16 to /20
 
Answer (C)
 
Question 16: What problem is caused by the fact that VPC
peering does not permit transitive routing?
A. additional VPC route tables to manage
B. virtual private gateway is required
C. Internet gateway is required for each VPC
D. routing between connected spokes through hub VPC is
complex
E. increased number of peer links required
Answer (E)
Question 17:
What two statements correctly describes Elastic Load
Balancer operation?
 
A. spans multiple regions
 
B. assigned per EC2 instance
 
C. assigned per subnet
 
D. assigned per Auto-Scaling group
 
E. no cross-region support
 
Answer (D,E)
Question 18:
What are two advantages of Elastic IP (EIP) over AWS public
IPv4 addresses?
 
A. EIP can be reassigned
 
B. EIP is private
 
C. EIP is dynamic
 
D. EIP is persistent
 
E. EIP is public and private
 
Answer (A,D)
Question 19:
What AWS services are globally managed? (Select four)
 
A. IAM
 
B. S3
 
C. CloudFront
 
D. Route 53
 
E. DynamoDB
 
F. WAF
 
G. ELB
 
Answer (A,C,D,F)
Question 20:
What methods are available for creating a VPC? (Select
three)
 
A. AWS management console
 
B. AWS marketplace
 
C. VPC wizard
 
D. VPC console
 
E. Direct Connect
 
Answer (A,C,D)
 
Question 21: What two default settings are configured for
tenants by AWS when Default VPC option is selected?
A. creates a size /20 default subnet in each Availability
Zone
B. creates an Internet gateway
C. creates a main route table with local route 10.0.0.0/16
D. create a virtual private gateway
E. create a security group that explicitly denies all traffic
Answer (A,B)
Question 22:
What three statements correctly describes IP address
allocation within a VPC?
A. EC2 instance must be terminated to reassign an IP
address
B. EC2 instance that is paused can reassign IP address
C. EC2 instance that is stopped can reassign IP address
D. private IP addresses are allocated from a pool and can
be reassigned
E. private IP addresses can be assigned by tenant
F. VPC supports dual stack mode (IPv4/IPv6)
Answer (A,E,F)
Question 23:
What are two advantages of selecting default tenancy
option for your VPC when creating it?
 
A. performance and reliability
 
B. some AWS services do not work with a dedicated
tenancy VPC
 
C. tenant can launch instances within VPC as default or
dedicated instances
 
D. instance launch is faster
 
Answer (B,C)
 
Question 24: What is the purpose of a local route within a
VPC route table?
A. local route is derived from the default VPC CIDR block
10.0.0.0/16
B. communicate between instances within the same
subnet or different subnets
C. used to communicate between instances within the
same subnet
D. default route for communicating between private and
public subnets
E. only installed in the main route table
Answer (C)
Question 25:
What is the default behavior when adding a new subnet to
your VPC? (Select two)
A. new subnet is associated with the main route table
B. new subnet is associated with the custom route table
C. new subnet is associated with any selected route
table
D. new subnet is assigned to the default subnet
E. new subnet is assigned from the VPC CIDR block
Answer (A,E)
Question 26: You have enabled Amazon RDS database
services in VPC1 for an application that has public web
servers in VPC2. How do you connect the web servers to the
RDS database instance so they can communicate
considering the VPC's are in the same region?
A. VPC endpoints
B. VPN gateway
C. path-based routing
D. VPC peering
E. AWS Network Load Balancer
Answer (D)
Question 27:
What AWS services now support VPC endpoints feature for
optimizing security? (Select three)
 
A. Kinesis
 
B. DNS Route 53
 
C. S3
 
D. DynamoDB
 
E. RDS
 
Answer (A,C,D)
 
Question 28:
What are three characteristics of an Amazon
Virtual Private Cloud?
 
A. public and private IP addressing
 
B. broadcasts
 
C. multiple private IP addresses per network interface
 
D. dedicated single tenant hardware only
 
E. persistent public IP addresses
 
F. HSRP
 
Answer (A,C,E)
 
Question 29: What is the difference between VPC main
route table and custom route table?
A.
VPC only creates a main route table when started
B.
custom route table is the default
C.
custom route table is created for public subnets
D.
custom route table is created for private subnets
E.
main route table is created for public and private
subnets
Answer (C)
Question 30:
What is the purpose of the native VPC router?
 
A. route packets across the internet
 
B. route packets between private cloud instances
 
C. route packets between subnets
 
D. route packets from instances to S3 storage volumes
 
E. route packets across VPN
 
Answer (C)
 
Question 31:
How are private DNS servers assigned to an Amazon VPC?
 
A. not supported
 
B. select nondefault VPC
 
C. select default VPC
 
D. select EC-2 classic
 
Answer (B)
 
Question 32:
What are two characteristics of an Amazon security group?
 
A. instance level packet filtering
 
B. deny rules only
 
C. permit rules only
 
D. subnet level packet filtering
 
E. inbound only
 
Answer (A,C)
Question 33:
What statement is true of Network Access Control Lists
(ACL) operation within an Amazon VPC?
 
A. instance and subnet level packet filtering
 
B. subnet level packet filtering
 
C. inbound only
 
D. only one ACL allowed per VPC
 
E. outbound only
 
Answer (B)
 
Question 34:
How are packets forwarded between public and private
subnets within VPC?
 
A. EIP
 
B. NAT
 
C. main route table
 
D. VPN
 
Answer (B)
 
Question 35:
What two statements accurately describe Amazon
VPC architecture?
 
A. Elastic Load Balancer (ELB) cannot span multiple
availability zones
 
B. VPC does not support DMVPN connection
 
C. VPC subnet cannot span multiple availability zones
 
D. VPC cannot span multiple regions
 
E. Flow logs are not supported within a VPC
 
Answer (C,D)
 
Question 36:
What is a requirement for attaching EC2 instances to on-
premises clients and applications?
 
A. Amazon Virtual Private Gateway (VPN)
 
B. Amazon Internet Gateway
 
C. VPN Connection
 
D. Elastic Load Balancer (ELB)
 
E. NAT
 
Answer (B)
 
Question 37:
What two statements correctly describe Amazon virtual
private gateway?
 
A. assign to private subnets only
 
B. assign to public subnets only
 
C. single virtual private gateway per VPC
 
D. multiple virtual private gateways per VPC
 
E. single virtual private gateway per region
 
Answer (A,C)
 
Question 38:
What is the maximum access port speed available
with Amazon Direct Connect service?
 
A. 1 Gbps
 
B. 10 Gbps
 
C. 500 Mbps
 
D. 100 Gbps
 
E. 100 Mbps
 
Answer (B)
 
Question 39:
Refer to the drawing. Your company has asked you to
configure a peering link between two VPCs that are
currently not connected or exchanging any packets. What
destination and target is configured in the routing table of
VPC1 to enable packet forwarding to VPC2?
 

 
A. destination = 172.16.0.0/16
target = pcx-vpc2vpc1
 
B. destination = 10.0.0.0/16
target = pcx-vpc2
 
C. destination = 172.16.0.0/16
target = 10.0.0.0/16
 
D. destination = 172.16.0.0/16
target = pcx-vpc1vpc2
 
E. default route only
 
Answer (D)
 
 
Question 40:
How is routing enabled by default within a VPC for an EC2
instance?
 
A. add a default route
 
B. main route table
 
C. custom route table
 
D. must be configured explicitly
 
Answer (B)
 
Question 41:
What three features are not supported with VPC peering?
 
A. overlapping CIDR blocks
 
B. IPv6 addressing
 
C. Gateways
 
D. transitive routing
 
E. RedShift
 
F. ElastiCache
 
Answer (A,C,D)
 
Question 42:
What route is used in a VPC routing table for packet
forwarding to a Gateway?
 
A. static route
 
B. 10.0.0.0/16
 
C. tenant configured
 
D. 0.0.0.0/0
 
E. 0.0.0.0/16
 
Answer (D)
 
Question 43: You are asked to deploy a web application
comprised of multiple public web servers with only private
addressing assigned. What Amazon AWS solutions enables
multiple servers on a private subnet with only a single EIP
required and Availability Zone redundancy?
A. NAT instance
B. Internet gateway
C. virtual private gateway
D. NAT gateway
E. Elastic Network Interface (ENI)
Answer (D)
Question 44:
What is the IP addressing schema assigned to a default
VPC?
 
A. 172.31.0.0/16 CIDR block subnetted with
172.31.0.0/20
 
B. 172.16.0.0/16 CIDR block subnetted with
172.16.0.0/24
 
C. 10.0.0.0/16 CIDR block subnetted with 10.0.0.0/24
 
D. 172.16.0.0/24 CIDR block subnetted with
172.31.0.0/18
 
Answer (A)
 
 
 
Question 45:
What default configuration and components are added by
AWS when Default VPC type is selected? (Select three)
 
A. Internet gateway
 
B. virtual private gateway
 
C. NAT instance
 
D. security group
 
E. DNS
 
Answer (A,D,E)
Question 46:
What feature requires tenants to disable source/destination
check?
 
A. Elastic IP (EIP)
 
B. data replication
 
C. VPC peering
 
D. NAT
 
E. Internet gateway
 
Answer (D)
 
Storage Services
 
Question 1:
What AWS storage solution allows thousands of EC2
instances to simultaneously upload, access, delete and
share files?
 
A. EBS
 
B. S3
 
C. Glacier
 
D. EFS
 
Answer (D)
 
Question 2:
What is required for an EFS mount target? (Select two)
 
A. EIP
 
B. DNS name
 
C. IP address
 
D. DHCP
 
E. IAM role
 
Answer (B,C)
Question 3:
What connectivity features are recommended for
copying on-premises files to EFS? (Select two)
 
A. VPN IPsec
 
B. Internet Gateway
 
C. Direct Connect
 
D. File Sync
 
E. FTP
 
F. AWS Storage Gateway
 
Answer (C,D)
 
Question 4:
What AWS services encrypts data at rest by default? (Select
two)
 
A. S3
 
B. AWS Storage Gateway
 
C. EBS
 
D. Glacier
 
E. RDS
 
Answer (B,D)
 
Question 5:
What fault tolerant features does S3 storage provide?
(Select three)
 
A. cross-region replication
 
B. versioning must be disabled
 
C. cross-region asynchronous replication of objects
 
D. synchronous replication of objects within a region
 
E. multiple destination buckets
 
Answer (A,C,D)
 
Question 6:
What is the fastest technique for deleting 900 objects in an
S3 bucket with a single HTTP request?
 
A. Multi-Part Delete API
 
B. Multi-Object Delete API
 
C. 100 objects is maximum per request
 
D. Fast-Delete API
 
Answer (B)
 
Question 7:
What security controls technique is recommended for S3
cross-account access?
 
A. IAM group
 
B. security groups
 
C. S3 ACL
 
D. bucket policies
 
Answer (D)
 
Question 8:
What are two advantages of cross-region replication of an
S3 bucket?
 
A. cost
 
B. security compliance
 
C. scalability
 
D. Beanstalk support
 
E. minimize latency
 
Answer (B,E)
 
Question 9:
What are two primary difference between Amazon S3
Standard and S3/RRS storage classes?
 
A. Amazon Standard does not replicate at all
 
B. RRS provides higher durability
 
C. RRS provides higher availability
 
D. RRS does not replicate objects as many times
 
E. application usage is different
 
Answer (D,E)
 
Question 10:
What two features are enabled with S3 services?
 
A. store objects of any size
 
B. dynamic web content
 
C. supports Provisioned IOPS
 
D. store virtually unlimited amounts of data
 
E. bucket names are globally unique
 
Answer (D,E)
 
Question 11:
What new feature was recently added to SQS that defines
how messages are ordered?
 
A. streams
 
B. SNS
 
C. FIFO
 
D. TLS
 
E. decoupling
 
Answer (C)
 
Question 12:
What two AWS storage types are persistent?
 
A. ephemeral
 
B. S3
 
C. EBS
 
D. instance store
 
E. SAML
 
Answer (B,C)
 
Question 13:
Select three on-premises backup solutions used for copying
data to an Amazon AWS S3 bucket?
 
A. AWS Import/Export
 
B. RDS
 
C. Snowball
 
D. Availability Zone (AZ) replication
 
E. AWS Storage Gateway
 
Answer (A,C,E)
 
Question 14:
You have 1 TB of data and want to archive the data that
won't be accessed that often. What Amazon AWS storage
solution is recommended?
 
A. Glacier
 
B. EBS
 
C. ephemeral
 
D. CloudFront
 
Answer (A)
Question 15:
What are three methods of accessing DynamoDB for
customization purposes?
 
A. CLI
 
B. AWS console
 
C. API call
 
D. vCenter
 
E. Beanstalk
 
Answer (A,B,C)
 
Question 16:
What are two primary differences between Glacier and S3
storage services?
 
A. Glacier is lower cost
 
B. S3 is lower cost
 
C. Glacier is preferred for frequent data access with
lower latency
 
D. S3 is preferred for frequent data access with lower
latency
 
E. S3 supports larger file size
 
Answer (A,D)
Question 17:
What statement correctly describes the operation of AWS
Glacier archive?
 
A. archive is a group of vaults
 
B. archive is an unencrypted vault
 
C. archive supports aggregated files only
 
D. maximum file size is 1 TB
 
E. archive supports single and aggregated files
 
Answer (E)
Question 18: What are three primary differences between
S3 vs EBS?
A. S3 is a multi-purpose public internet-based storage
B. EBS is directly assigned to a tenant VPC EC2 instance
C. EBS and S3 provide persistent storage
D. EBS snapshots are typically stored on S3 buckets
E. EBS and S3 use buckets to manage files
F. EBS and S3 are based on block level storage
Answer (A,B,D)
Question 19:
What on-premises solution is available from Amazon AWS to
minimize latency for all data?
 
A. Gateway-VTL
 
B. Gateway-cached volumes
 
C. Gateway-stored volumes
 
D. EBS
 
E. S3 bucket
 
F. ElastiCache
 
Answer (C)
 
Question 20:
What feature transitions S3 storage to Standard-IA for cost
optimization?
 
A. RRS/S3
 
B. Glacier vault
 
C. storage class analysis
 
D. path-based routing
 
Answer (C)
 
Question 21:
How does AWS uniquely identify S3 objects?
 
A. bucket name
 
B. version
 
C. key
 
D. object tag
 
Answer (C)
 
Question 22:
What is the advantage of read-after-write consistency for S3
buckets?
 
A. no stale reads for PUT of any new object in all regions
 
B. higher throughput for all requests
 
C. stale reads for PUT requests in some regions
 
D. no stale reads for GET requests in a single regions
 
Answer (A)
 
Question 23:
What is the maximum single file object size supported with
Amazon S3?
 
A. 5 GB
 
B. 5 TB
 
C. 1 TB
 
D. 100 GB
 
Answer (B)
 
Question 24:
What security problem is solved by using Cross-Origin
Resource Sharing (CORS)?
 
A. enable HTTP requests from within scripts to a different
domain
 
B. enable sharing of web-based files between different
buckets
 
C. provide security for third party objects within AWS
 
D. permits sharing objects between AWS services
Answer (A)
Question 25:
What is recommended for migrating 40 TB of data from on-
premises to S3 when the internet link is often overutilized?
 
A. AWS Storage gateway
 
B. AWS Snowball
 
C. AWS Import/Export
 
D. AWS Elastic File System
 
E. AWS Elasticsearch
 
F. AWS Multi-Part Upload API
 
Answer (B)
 
Question 26:
Your company is publishing an online catalog of books that
is currently using DynamoDB for storing the information
associated with each item. There is a requirement to add
images for each book. What solution is most cost effective
and designed for that purpose?
 
A. RedShift
B. EBS
C. RDS
D. S3
E. Kinesis
Answer (D)
 
Question 27:
You have an application that collects monitoring data from
10,000 sensors (IoT) deployed in the USA. The datapoints
are comprised of video events for home security and
environment status alerts. The application will be deployed
to AWS with EC2 instances as data collectors. What AWS
storage service is preferred for storing video files from
sensors?
 
A. RedShift
B. RDS
C. S3
D. DynamoDB
 
Answer (C)
 
Security Architecture
 
Question 1:
What statements correctly describe security groups within a
VPC? (Select three)
 
A. default security group only permit inbound traffic
 
B. security groups are stateful firewalls
 
C. only allow rules are supported
 
D. allow and deny rules are supported
 
E. security groups are associated to network interfaces
 
Answer (B,C,E)
Question 2:
What three items are required to configure a security group
rule?
 
A. protocol type
 
B. VPC name
 
C. port number
 
D. source IP
 
E. destination IP
 
F. description
 
Answer (A,C,D)
 
 
 
 
Question 3:
What two source IP address types are permitted in a
security group rule?
 
A. only CIDR blocks with /16 subnet mask
 
B. source IP address 0.0.0.0/0
 
C. single source IP address with /24 subnet mask
 
D. security group id
 
E. IPv6 address with /64 prefix length
 
Answer (B,D)
 
 
 
 
Question 4:
What protocols must be enabled for remote access to Linux-
based and Windows-based EC2 instances?
 
A. SSH, ICMP, Telnet
 
B. SSH, HTTP, RDP
 
C. SSH, HTTP, SSL
 
D. SSH, RDP, ICMP
 
Answer (D)
 
Question 5:
Distinguish network ACLs from security groups within a VPC?
(Select three)
 
A. ACL filters at the subnet level
 
B. ACL is based on deny rules only
 
C. ACL is applied to instances and subnets
 
D. ACL is stateless
 
E. ACL supports a numbered list for filtering
 
Answer (A,D,E)
Question 6:
What happens to the security permissions of a tenant when
an IAM role is granted? (Select two)
A. tenant inherits only permissions assigned to the IAM
role temporarily
B. add security permissions of the IAM role to existing
permissions
C. previous security permissions are no longer in effect
D. previous security permissions are deleted unless
reconfigured
E. tenant inherits only read permissions assigned to the
IAM role
Answer (A,C)
Question 7:
Where are IAM permissions granted to invoke and execute a
Lambda function for S3 access? (Select two)
 
A. S3 bucket
 
B. EC2 instance
 
C. Lambda function
 
D. IAM role
 
E. event mapping
 
Answer (A,D)
Question 8:
You have some developers working on code for an
application and they require temporary access to AWS cloud
up to an hour. What is the easiest web-based solution from
AWS to provides access and minimize security exposure?
 
A. ACL
 
B. security group
 
C. IAM group
 
D. STS
 
E. EFS
 
Answer (D)
 
Question 9:
What two methods are used to request temporary
credentials based on AWS Security Token Service (STS)?
 
A. Web Identity Federation
 
B. LDAP
 
C. IAM identity
 
D. dynamic ACL
 
E. private key rotation
 
Answer (A,C)                  
 
Question 10:
What two components are required for enabling SAML
authentication requests to AWS Identity and
Access Management (IAM)?
 
A. access keys
 
B. session token
 
C. SSO
 
D. identity provider (IdP)
 
E. SAML provider entity
 
Answer (D,E)
 
Question 11:
What are two reasons for deploying Origin Access Identity
(OAI) when enabling CloudFront?
A. prevent users from deleting objects in S3 buckets
B. mitigate distributed denial of service attacks (DDoS)
C. prevent users from accessing objects with Amazon S3
URL
D. prevent users from accessing objects with CloudFront
URL
E. replace IAM for internet-based customer
authentication
Answer (B,C)
Question 12:
What solutions are recommended to mitigate DDoS attacks?
(Select three)
 
A. host-based firewall
 
B. elastic load balancer
 
C. WAF
 
D. SSL/TLS
 
E. Bastion host
 
F. NAT gateway
 
Answer (B,C,E)
 
Question 13:
What features are required to prevent users from bypassing
AWS CloudFront security? (Select three)
 
A. Bastion host
 
B. signed URL
 
C. IP whitelist
 
D. signed cookies
 
E. origin access identity (OAI)
 
Answer (B,D,E)
 
Question 14:
What is the advantage of resource-based policies for cross-
account access?
 
A. trusted account permissions are not replaced
 
B. trusted account permissions are replaced
 
C. resource-based policies are easier to deploy
 
D. trusting account manages all permissions
 
Answer (A)
 
Question 15:
Select three requirements for configuring a Bastion host?
 
A. EIP
 
B. SSH inbound permission
 
C. default route
 
D. CloudWatch logs group
 
E. VPN
 
F. Auto-Scaling
 
Answer (A,B,D)
 
 
 
 
Question 16:
What rule must be added to the security group assigned to
a mount target instance that enables EFS access from an
EC2 instance?
A. Type = EC2, protocol = IP, port = 2049, source =
remote security group id
B. Type = EC2, protocol = EFS, port = 2049, source =
0.0.0.0/0
C. Type = NFS, protocol = TCP, port = 2049, source =
remote security group id
D. Type = NFSv4, protocol = UDP, port = 2049, source =
remote security group id
Answer (C)
 
Question 17: What statement correctly describes IAM
architecture?
A. IAM security is unified per region and replicated based
on requirements for an AWS tenant account
B. IAM security is defined per region for roles only on an
AWS tenant account
C. IAM security is globally unified across the AWS cloud
for an AWS tenant account
D. IAM security is defined separately per region and
cross-region security enabled for an AWS tenant
account
Answer (C)
Question 18:
What are two advantages of customer-managed encryption
keys (CMK)?
 
A. create and rotate encryption keys
 
B. AES-128 cipher for data at rest
 
C. audit encryption keys
 
D. encrypts data in-transit for server-side encryption only
 
Answer (A,C)
 
Question 19:
What feature is not available with AWS Trusted Advisor?
 
A. cost optimization
 
B. infrastructure best practices
 
C. vulnerability assessment
 
D. monitor application metrics
 
Answer (C)
 
Question 20:
What is required to Ping from a source instance to a
destination instance?
 
A. Network ACL: not required Security Group: allow ICMP
outbound on source/destination EC2 instances
B. Network ACL: allow ICMP inbound/outbound on
source/destination subnets Security Group: not required
C. Network ACL: allow ICMP inbound/outbound on
source/destination subnets Security Group: allow ICMP
outbound on source EC2 instance Security Group: allow
ICMP inbound on destination EC2 instance
D. Network ACL: allow TCP inbound/outbound on
source/destination subnets Security Group: allow TCP and
ICMP inbound on source EC2 instance
Answer (C)
 
 
 
 
Question 21:
What two steps are required to grant cross-account
permissions between AWS accounts?
 
A. create an IAM user
 
B. attach a trust policy to S3
 
C. create a transitive policy
 
D. attach a trust policy to the role
 
E. create an IAM role
 
Answer (D,E)
 
 
 
Question 22: You have configured a security group to allow
ICMP, SSH and RDP inbound and assigned the security
group to all instances in a subnet. There is no access to any
Linux-based or Windows-based instances and you cannot
Ping any instances. The network ACL for the subnet is
configured to allow all inbound traffic to the subnet. What is
the most probable cause?
A. on-premises firewall rules
B. security group and network ACL outbound rules
C. network ACL outbound rules
D. security group outbound rules
E. Bastion host required
Answer (C)
Question 23:
What three techniques provide authentication security on
S3 volumes?
 
A. bucket policies
 
B. network ACL
 
C. Identity and Access Management (IAM)
 
D. encryption
 
E. AES256
 
Answer (A,B,C)
 
Question 24: What statement correctly describes support
for AWS encryption of S3 objects?
A. tenants manage encryption for server-side encryption
of S3 objects
B. Amazon manages encryption for server-side
encryption of S3 objects
C. client-side encryption of S3 objects is not supported
D. S3 buckets are encrypted only
E. SSL is only supported with Glacier storage
Answer (B)
Question 25:
What authentication method provides Federated Single
Sign-On (SSO) for cloud applications?
 
A. ADS
 
B. ISE
 
C. RADIUS
 
D. TACACS
 
E. SAML
 
Answer (E)
 
Question 26:
Based on the Amazon security model, what infrastructure
configuration and associated security is the responsibility of
tenants and not Amazon AWS? (Select two)
 
A. dedicated cloud server
 
B. hypervisor
 
C. operating system level
 
D. application level
 
E. upstream physical switch
 
Answer (C,D)
 
Question 27:
What security authentication is required before configuring
or modifying EC2 instances? (Select three)
 
A. authentication at the operating system level
 
B. EC2 instance authentication with asymmetric keys
 
C. authentication at the application level
 
D. Telnet username and password
 
E. SSH/RDP session connection
 
Answer (A,B,E)
 
Question 28:
What feature is part of Amazon Trusted Advisor?
 
A. security compliance
 
B. troubleshooting tool
 
C. EC2 configuration tool
 
D. security certificates
 
Answer (A)
 
Question 29:
What are two best practices for account management within
Amazon AWS?
A. do not use root account for common administrative
tasks
B. create a single AWS account with multiple IAM users
that have root privilege
C. create multiple AWS accounts with multiple IAM users
per AWS account
D. use root account for all administrative tasks
E. create multiple root user accounts for redundancy
Answer (A,C)
Question 30:
What AWS feature is recommended for optimizing data
security?
 
A. Multi-factor authentication
 
B. username and encrypted password
 
C. Two-factor authentication
 
D. SAML
 
E. Federated LDAP
 
Answer (A)
Question 31:
What IAM class enables an EC2 instance to access a file
object in an S3 bucket?
 
A. user
 
B. root
 
C. role
 
D. group
 
Answer (C)
 
Question 32:
What are three recommended solutions that provide
protection and mitigation from distributed denial of service
(DDoS) attacks?
 
A. security groups
 
B. CloudWatch
 
C. encryption
 
D. WAF
 
E. data replication
 
F. Auto-Scaling
 
Answer (A,B,D)
Question 33:
What are three recommended best practices when
configuring Identity and Access Management (IAM) security
services?
A. Lock or delete your root access keys when not
required
B. IAM groups are not recommended for storage security
C. create an IAM user with administrator privileges
D. share your password and/or access keys with
members of your group only
E. delete any AWS account where the access keys are
unknown
Answer (A,C,E)
Question 34:
What two features create security zones between EC2
instances within a VPC?
 
A. security groups
 
B. Virtual Security Gateway
 
C. network ACL
 
D. WAF
 
Answer (A,B)
Question 35:
What AWS service provides vulnerability assessment
services to tenants within the cloud?
 
A. Amazon WAF
B. Amazon Inspector
C. Amazon Cloud Logic
D. Amazon Trusted Advisor
 
Answer (B)
 
Question 36:
What are two primary differences between AD Connector
and Simple AD for cloud directory services?
 
A. Simple AD requires an on-premises ADS directory
B. Simple AD is fully managed and setup in minutes
C. AD Connector requires an on-premises ADS directory
D. Simple AD is more scalable than AD Connector
E. Simple AD provides enhanced integration with IAM
 
Answer (B,C)
 
Database Services
 
Question 1:
How is load balancing enabled for multiple tasks to the
same container instance?
 
A. path-based routing
 
B. reverse proxy
 
C. NAT
 
D. dynamic port mapping
 
E. dynamic listeners
 
Answer (D)
 
Question 2:
What encryption support is available for tenants that are
deploying AWS DynamoDB?
 
A. server-side encryption
 
B. client-side encryption
 
C. client-side and server-side encryption
 
D. encryption not supported
 
E. block level encryption
 
Answer (B)
 
Question 3:
What are three primary reasons for deploying ElastiCache?
 
A. data security
 
B. managed service
 
C. replication with Redis
 
D. durability
 
E. low latency
 
Answer (B,C,E)
 
Question 4:
What service does not support session data persistence
store to enable web-based stateful applications?
 
A. RDS
 
B. Memcached
 
C. DynamoDB
 
D. Redis
 
E. RedShift
 
Answer (B)
Question 5:
How does Memcached implement horizontal scaling?
 
A. Auto-Scaling
 
B. database store
 
C. partitioning
 
D. EC2 instances
 
E. S3 bucket
 
Answer (C)
 
Question 6:
What two options are available for tenants to access
ElastiCache?
 
A. VPC peering link
 
B. EC2 instances
 
C. EFS mount
 
D. cross-region VPC
 
Answer (A,B)
Question 7:
What two statements correctly describe in-transit encryption
support on ElastiCache platform ?
 
A. not supported for ElastiCache platform
 
B. supported on Redis replication group
 
C. encrypts cached data at rest
 
D. not supported on Memcached cluster
 
E. IPsec must be enabled first
 
Answer (B,D)
Question 8:
What Amazon AWS platform is designed for complex
analytics of a variety of large data sets based on custom
code. The applications include machine learning and data
transformation?
 
A. EC2
 
B. Beanstalk
 
C. Redshift
 
D. EMR
 
Answer (D)
Question 9:
What are two primary advantages of DynamoDB?
 
A. SQL support
 
B. managed service
 
C. performance
 
D. CloudFront integration
 
Answer (B,C)
 
Question 10:
What two fault tolerant features does Amazon RDS support?
 
A. copy snapshot to a different region
 
B. create read replica to a different region
 
C. copy unencrypted read-replica only
 
D. copy read/write replica and snapshot
 
Answer (A,B)
 
Question 11:
What managed services are included with Amazon RDS?
(select four)
 
A. assign network capacity to database instances
 
B. install database software
 
C. perform regular backups
 
D. data replication across multiple availability zones
 
E. data replication across single availability zone only
 
F. configure database
 
G. performance tuning
 
Answer (A,B,C,D)
 
Question 12:
What two configuration features are required to create a
private database instance?
 
A. security group
 
B. network ACL
 
C. CloudWatch
 
D. Elastic IP (EIP)
 
E. Nondefault VPC
 
F. DNS
 
Answer (A,F)
 
Question 13:
What storage type is recommended for an online
transaction processing (OLTP) application deployed to Multi-
AZ RDS with significant workloads?
 
A. General Purpose SSD
 
B. Magnetic
 
C. EBS volumes
 
D. Provisioned IOPS
 
Answer (D)
 
Question 14:
What features are supported with Amazon RDS? (Select
three)
 
A. horizontal scaling with multiple read replicas
 
B. elastic load balancing RDS read replicas
 
C. replicate read replicas cross-region
 
D. automatic failover to master database instance
 
E. application load balancer (ALB)
 
Answer (A,C,E)
 
Question 15:
What are three advantages of standby replica in a Multi-AZ
RDS deployment?
 
A. fault tolerance
 
B. eliminate I/O freezes
 
C. horizontal scaling
 
D. vertical scaling
 
E. data redundancy
 
Answer (A,B,E)
 
Question 16:
What consistency model is the default used by DynamoDB?
 
A. strongly consistent
 
B. eventually consistent
 
C. no default model
 
D. casual consistency
 
E. sequential consistency
 
Answer (B)
 
Question 17:
What does RDS use for database and log storage?
 
A. EBS
 
B. S3
 
C. instance store
 
D. local store
 
E. SSD
 
Answer (A)
 
Question 18:
What statements correctly describe support for
Microsoft SQL Server within Amazon VPC? (Select three)
 
A. read/write replica
 
B. read replica only
 
C. vertical scaling
 
D. native load balancing
 
E. EBS storage only
 
F. S3 storage only
 
Answer (B,C,D)
Question 19:
Select two features available with Amazon RDS for MySQL?
 
A. Auto-Scaling
 
B. read requests to standby replicas
 
C. real-time database replication
 
D. active read requests only
 
Answer (B,C)
Question 20:
What are two characteristics of Amazon RDS?
 
A. database managed service
 
B. NoSQL queries
 
C. native load balancer
 
D. database write replicas
 
E. automatic failover of read replica
 
Answer (A,C)
 
Question 21:
What caching engines are supported with Amazon
ElastiCache? (Select two)
 
A. HAProxy
 
B. Route 53
 
C. RedShift
 
D. Redis
 
E. Memcached
 
F. CloudFront
 
Answer (D,E)
Question 22:
What are three primary characteristics of DynamoDB?
 
A. less scalable than RDS
 
B. static content
 
C. store metadata for S3 objects
 
D. replication to three Availability Zones
 
E. high read/write throughput
 
Answer (C,D,E)
 
Question 23:
What are three examples of using Lambda functions to
move data between AWS services?
A. read data directly from DynamoDB streams to RDS
B. read data from Kinesis stream and write data to
DynamoDB
C. read data from DynamoDB stream to Firehose and
write to S3
D. read data from S3 and write metadata to DynamoDB
E. read data from Kinesis Firehose to Kinesis data stream
Answer (B,C,D)
Question 24: You have enabled Amazon RDS database
services in VPC1 for an application with public web servers
in VPC2. How do you connect the web servers to the RDS
database instance so they can communicate considering the
VPC's are in different regions?
A. VPC endpoints
B. VPN gateway
C. path-based routing
D. publicly accessible database
E. VPC peering
Answer (D)
Question 25:
You have a requirement to create an index to search
customer objects stored in S3 buckets. The solution should
enable you to create a metadata search index for each
object stored to an S3 bucket. Select the most scalable and
cost effective solution?
 
A. RDS, ElastiCache
B. DynamoDB, Lambda
C. RDS, EMR, ALB
D. RedShift
Answer (B)
 
Question 26: What are three advantages of using
DynamoDB over S3 for storing IoT sensor data where there
are 100,000 datapoint samples sent per minute?
A. S3 must create a single file for each event
B. IoT can write data directly to DynamoDB
C. DynamoDB provides fast read/writes to a structured
table for queries
D. DynamoDB is designed for frequent access and fast
lookup of small records
E. S3 is designed for frequent access and fast lookup of
smaller records
F. IoT can write data directly to S3
Answer (B,C,D)
Question 27:
Your company is a provider of online gaming that customers
access with various network access devices including
mobile phones. What is a data warehousing solutions for
large amounts of information on player behavior, statistics
and events for analysis using SQL tools?
 
A. RedShift
B. DynamoDB
C. RDS
D. DynamoDB
E. Elasticsearch
 
Answer (A)
 
Question 28: What two statements are correct when
comparing Elasticsearch and RedShift as analytical tools?
A. Elasticsearch is a text search engine and document
indexing tool
B. RedShift supports complex SQL-based queries with
Petabyte sized data store
C. Elasticsearch supports SQL queries
D. RedShift provides only basic analytical services
E. Elasticsearch does not support JSON data type
Answer (A,B)
Question 29:
What happens when read or write requests exceed capacity
units (throughput capacity) for a DynamoDB table or index?
(Select two)
A. DynamoDB automatically increases read/write units
B. DynamoDB can throttle requests so that requests are
not exceeded
C. HTTP 400 code is returned (Bad Request)
D. HTTP 500 code is returned (Server Error)
E. DynamoDB automatically increases read/write units if
provisioned throughput is enabled
 
Answer (B,C)
 
Question 30:
What read consistency method provides lower latency for
GetItem requests?
 
A. strongly persistent
B. eventually consistent
C. strongly consistent
D. write consistent
 
Answer (B)
 
Question 31:
You must specify strongly consistent read and write capacity
for your DynamoDB database. You have determined read
capacity of 128 Kbps and write capacity of 25 Kbps is
required for your application. What is the read and write
capacity units required for DynamoDB table?
 
A. 32 read units, 25 write units
B. 1 read unit, 1 write unit
C. 16 read units, 2.5 write units
D. 64 read units, 10 write units
 
Answer (A)
 
Question 32:
What DynamoDB capacity management technique is based
on the tenant specifying an upper and lower range for
read/write capacity units?
 
A. demand
B. provisioned throughput
C. reserved capacity
D. auto scaling
E. general purpose
 
Answer (D)
 
Question 33:
What is the maximum volume size of a MySQL RDS
database?
 
A. 6 TB
B. 3 TB
C. 16 TB
D. unlimited
 
Answer (C)
 
Question 34:
What is the maximum size of a DynamoDB record (item)?
 
A. 400 KB
B. 64 KB
C. 1 KB
D. 10 KB
 
Answer (A)
 
Fault Tolerant Systems
 
Question 1:
What two features describe an Application Load Balancer
(ALB)?
 
A. dynamic port mapping
 
B. SSL listener
 
C. layer 7 load balancer
 
D. backend server authentication
 
E. multi-region forwarding
 
Answer (A,C)
 
Question 2:
What enables load balancing between multiple applications
per load balancer?
 
A. listeners
 
B. sticky sessions
 
C. path-based routing
 
D. backend server authentication
 
Answer (C)
 
Question 3:
What three features are characteristic of Classic Load
Balancer?
 
A. dynamic port mapping
 
B. path-based routing
 
C. SSL listener
 
D. backend server authentication
 
E. ECS
 
F. Layer 4 based load balancer
 
Answer (C,D,F)
 
Question 4:
What security feature is only available with Classic Load
Balancer?
 
A. IAM role
 
B. SAML
 
C. back-end server authentication
 
D. security groups
 
E. LDAP
 
Answer (C)
 
Question 5:
What is a primary difference between Classic and Network
Load Balancer?
 
A. IP address target
 
B. Auto-Scaling
 
C. protocol target
 
D. cross-zone load balancing
 
E. listener
 
Answer (A)
 
Question 6: What are the first two conditions used by
Amazon AWS default termination policy for Multi-AZ
architecture?
A. unprotected instance with oldest launch configuration
B. Availability Zone (AZ) with the most instances
C. at least one instance that is not protected from scale
in
D. unprotected instance closest to the next billing hour
E. random selection of any unprotected instance
Answer (B,C)
Question 7:
What feature is used for horizontal scaling of consumers to
process data records from a Kinesis data stream?
 
A. vertical scaling shards
 
B. Auto-Scaling
 
C. Lambda
 
D. Elastic Load Balancer
 
Answer (B)
 
Question 8:
What DNS records can be used for pointing a zone apex to
an Elastic Load Balancer or CloudFront distribution? (Select
two)
 
A. Alias
 
B. CNAME
 
C. MX
 
D. A
 
E. Name Server
 
Answer (A,D)
 
 
 
Question 9: What services are primarily provided by DNS
Route 53? (Select three)
A. load balancing web servers within a private subnet
B. resolve hostnames and IP addresses
C. load balancing web servers within a public subnet
D. load balancing data replication requests between ECS
containers
E. resolve queries and route internet traffic to AWS
resources
F. automated health checks to EC2 instances
Answer (B,E,F)
Question 10:
What are two features that correctly describe Availability
Zone (AZ) architecture?
 
A. multiple regions per AZ
 
B. interconnected with private WAN links
 
C. multiple AZ per region
 
D. interconnected with public WAN links
 
E. data auto-replicated between zones in different
regions
 
F. Direct Connect supports Layer 2 connectivity to region
 
Answer (B,C)
Question 11:
How is Route 53 configured for Warm Standby fault
tolerance? (Select two)
 
A. automated health checks
 
B. path-based routing
 
C. failover records
 
D. Alias records
 
Answer (A,C)
Question 12:
How is DNS Route 53 configured for Multi-Site fault
tolerance? (Select two)
 
A. IP address
 
B. weighted records (non-zero)
 
C. health checks
 
D. Alias records
 
E. zero weighted records
 
Answer (B,C)
Question 13:
What is an Availability Zone?
 
A. data center
 
B. multiple VPCs
 
C. multiple regions
 
D. single region
 
E. multiple EC2 server instances
 
Answer (A)
 
Question 14:
How are DNS records managed with Amazon AWS to
enable high availability?
 
A. Auto-Scaling
 
B. server health checks
 
C. reverse proxy
 
D. elastic load balancing
 
Answer (C)
Question 15:
What is the difference between Warm Standby and Multi-
Site fault tolerance? (Select two)
A. Multi-Site enables lower RTO and most recent RPO
B. Warm Standby enables lower RTO and most recent
RPO
C. Multi-Site provides active/active load balancing
D. Multi-Site provides active/standby load balancing
E. DNS Route 53 is not required for Warm Standby
Answer (A,C)
Question 16:
What AWS best practice is recommended for creating fault
tolerant systems?
 
A. vertical scaling
 
B. Elastic IP (EIP)
 
C. security groups
 
D. horizontal scaling
 
E. RedShift
 
Answer (D)
 
Question 17:
What two statements correctly describe versioning for
protecting data at rest on S3 buckets?
 
A. enabled by default
 
B. overwrites most current file version
 
C. restores deleted files
 
D. saves multiple versions of a single file
 
E. disabled by default
 
Answer (C,E)
Question 18:
What two methods are recommended by AWS for protecting
EBS data at rest?
 
A. replication
 
B. snapshots
 
C. encryption
 
D. VPN
 
Answer (B,C)
 
Question 19: You have an Elastic Load Balancer assigned
to a VPC with public and private subnets. ELB is configured
to load balance traffic to a group of EC2 instances assigned
to an Auto-Scaling group. What three statements are
correct?
A.
Elastic Load Balancer is assigned to a public subnet
B.
network ACL is assigned to Elastic Load Balancer
C.
security group is assigned to Elastic Load Balancer
D.
cross-zone load balancing is not supported
E.
Elastic Load Balancer forwards traffic to primary
private IP address (eth0 interface) on each instance
Answer (A,C,E)
Deployment
 
Question 1:
What Amazon AWS service is available for container
management?
 
A. ECS
 
B. Docker
 
C. Kinesis
 
D. Lambda
 
Answer (A)
 
Question 2:
What is associated with Microservices? (Select two)
 
A. Application Load Balancer
 
B. Kinesis
 
C. RDS
 
D. DynamoDB
 
E. ECS
 
Answer (A,E)
Question 3:
Where does Amazon retrieve web content when it is not in
the nearest CloudFront edge location?
 
A. secondary location
 
B. file server
 
C. EBS
 
D. S3 bucket
 
Answer (D)
 
Question 4:
What two features of an API Gateway minimize the effects of
peak traffic events and minimize latency?
 
A. load balancing
 
B. firewalling
 
C. throttling
 
D. scaling
 
E. caching
 
Answer (C,E)
Question 5:
What three characteristics differentiate Lambda from
traditional EC2 deployment or containerization?
 
A. Lambda is based on Kinesis scripts
 
B. Lambda is serverless
 
C. tenant has ownership of EC2 instances
 
D. tenant has no control of EC2 instances
 
E. Lambda is a code-based service
 
F. Lambda supports only S3 and Glacier
 
Answer (B,D,E)
 
Question 6:
How is code uploaded to Lambda?
 
A. Lambda instance
 
B. Lambda container
 
C. Lambda entry point
 
D. Lambda function
 
E. Lambda AMI
 
Answer (D)
 
Question 7:
How are Lambda functions triggered?
 
A. EC2 instance
 
B. hypervisor
 
C. Kinesis
 
D. operating system
 
E. event source
 
Answer (E)
 
Question 8: What three statements correctly describe
standard Lambda operation?
A. Lambda function is allocated 500 MB ephemeral disk
space
B. Lambda function is allocated 100 MB EBS storage
C. Lambda stores code in S3
D. Lambda stores code in a Glacier vault
E. Lambda stores code in containers
F. maximum execution time is 300 seconds
Answer (A,C,F)
Question 9: What network events are restricted by
Lambda? (Select two)
A. only inbound TCP network connections are blocked by
AWS Lambda
B. all inbound network connections are blocked by AWS
Lambda
C. all inbound and outbound connections are blocked
D. outbound connections support only TCP/IP sockets
E. outbound connections support only SSL sockets
Answer (B,D)
Question 10:
How is versioning supported with Lambda? (Select two)
 
A. Lambda native support
 
B. ECS container
 
C. not supported
 
D. Aliases
 
E. replication
 
F. S3 versioning
 
Answer (A,D)
 
Question 11: What is the difference between Stream-based
and AWS Services when enabling Lambda?
A. streams maintains event source mapping in Lambda
B. streams maintains event source mapping in event
source
C. streams maintains event source mapping in EC2
instance
D. streams maintains event source mapping in
notification
E. streams maintains event source mapping in API
Answer (A)
Question 12:
Select two custom origin servers from the following?
 
A. S3 bucket
 
B. S3 object
 
C. EC2 instance
 
D. Elastic Load Balancer
 
E. API gateway
 
Answer (C,D)
 
Question 13:
What two attributes are only associated with CloudFront
private content?
 
A. Amazon S3 URL
 
B. signed cookies
 
C. web distribution
 
D. signed URL
 
E. object
 
Answer (B,D)
 
Question 14:
How are origin servers located within CloudFront (Select
two)
 
A. DNS request
 
B. distribution list
 
C. web distribution
 
D. RTMP protocol
 
E. source mapping
 
Answer (A,C)
Question 15:
Where are HTML files sourced from when they are not
cached at a CloudFront edge location?
 
A. S3 object
 
B. origin HTTP server
 
C. S3 bucket
 
D. nearest edge location
 
E. RTMP server
 
F. failover edge location
 
Answer (B)
 
 
Question 16:
What is the capacity of a single Kinesis shard? (Select two)
 
A. 2000 PUT records per second
 
B. 1 MB/sec data input and 2 MB/sec data output
 
C. 10 MB/sec data input and 10 MB/sec data output
 
D. 1000 PUT records per second
 
E. unlimited
 
Answer (B,D)
Question 17:
What Amazon AWS service supports real-time processing of
data stream from multiple consumers and replay of records?
 
A. DynamoDB
 
B. EMR
 
C. Kinesis data streams
 
D. SQS
 
E. RedShift
 
Answer (C)
 
Question 18: Your company has asked you to capture and
forward a real-time data stream on a massive scale directly
to RedShift for analysis with BI tools. What AWS tool is most
appropriate that provides the feature set and cost effective?
A. DynamoDB
B. SQS
C. Elastic Map Reduce
D. Kinesis Firehose
E. SNS
F. CloudFront
Answer (D)
Question 19:
What feature permits tenants to use a private domain name
instead of the domain name that CloudFront assigns to a
distribution?
 
A. Route 53
 
B. CNAME record
 
C. MX record
 
D. RTMP
 
E. Signed URL
 
Answer (B)
 
Question 20:
What Amazon AWS service is available to guarantee the
consuming of a unique message only once?
 
A. Beanstalk
 
B. SQL
 
C. Exchange
 
D. SQS
 
Answer (D)
 
Question 21:
What is the fastest and easiest method for migrating an on-
premises VMware virtual machine to the AWS cloud?
 
A. Amazon Marketplace
 
B. AWS Server Migration Service
 
C. AWS Storage Gateway
 
D. EC2 Import/Export
 
Answer (B)
 
Question 22:
Select the stateless protocol from the following?
 
A. FTP
 
B. TCP
 
C. HTTP
 
D. SSH
 
Answer (C)
 
Question 23:
What are three valid endpoints for an API gateway?
 
A. RESTful API
 
B. Lambda function
 
C. AWS service
 
D. web server
 
E. HTTP method
 
Answer (B,C,D)
 
 
 
Question 24:
How is a volume selected (identified) when making an EBS
Snapshot?
 
A. account id
 
B. volume id
 
C. tag
 
D. ARN
 
Answer (D)
Question 25:
What deployment service enables tenants to replicate an
existing AWS stack?
 
A. Beanstalk
 
B. CloudFormation
 
C. RedShift
 
D. EMR
 
Answer (B)
 
Question 26:
What three services can invoke a Lambda function?
 
A. SNS topic
 
B. CloudWatch event
 
C. EC2 instance
 
D. security group
 
E. S3 bucket notification
 
Answer (A,B,E)
 
Question 27:
What two services enable automatic polling of a stream for
new records only and forward them to an AWS storage
service?
 
A. SNS
 
B. Kinesis
 
C. Lambda
 
D. DynamoDB
 
Answer (B,C)
 
Question 28: Your company is deploying a web site with
dynamic content to customers in US, EU and APAC regions
of the world. Content will include live streaming videos to
customers. SSL certificates are required for security
purposes. Select the AWS service delivers all requirements
and provides the lowest latency?
A. DynamoDB
B. CloudFront
C. S3
D. Redis
Answer (B)
Question 29:
What are the advantages of Beanstalk? (Select two)
 
A. orchestration and deployment abstraction
 
B. template-oriented deployment service
 
C. easiest solution for developers to deploy cloud
applications
 
D. does not support cloud containers
 
Answer (A,C)
 
Question 30: You are a network analyst with JSON scripting
experience and asked to select an AWS solution that
enables automated deployment of cloud services. The
template design would include a nondefault VPC with EC2
instances, ELB, Auto-Scaling and active/active failover. What
AWS solution is recommended?
A. Beanstalk
B. OpsWorks
C. CloudTrail
D. CloudFormation
Answer (D)
Question 31:
Select two statements that correctly describe OpsWorks?
 
A. Opsworks provides operational and configuration
automation
 
B. OpsWorks is a lower cost alternative to BeanStalk
 
C. OpsWorks is primarily a monitoring service
 
D. Chef scripts (recipes) are a key aspect of OpsWorks
 
Answer (A,D)
 
Question 32:
Your company has developed an IoT application that sends
Telemetry data from 100,000 sensors. The sensors send a
datapoint of 1 KB at one-minute intervals to a DynamoDB
collector for monitoring purposes. What AWS stack would
enable you to store data for real-time processing and
analytics using BI tools?
 
A. Sensors -> Kinesis Stream -> Firehose -> DynamoDB
B. Sensors -> Kinesis Stream -> Firehose -> DynamoDB -> S3
C. Sensors -> AWS IoT -> Firehose -> RedShift
D. Sensors -> Kinesis Data Streams -> Firehose -> RDS
 
Answer (C)
Question 33:
Your company has an application that was developed and
migrated to AWS cloud. The application leverages some
AWS services as part of the architecture. The stack includes
EC2 instances, RDS database, S3 buckets, RedShift and
Lambda functions. In addition there is IAM security
permissions configured with defined users, groups and roles.
 
The application is monitored with CloudWatch and STS was
recently added for permitting Web Identity Federation sign-
on from Google accounts. You want a solution that can
leverage the experience of your employees with AWS cloud
infrastructure as well. What AWS service can create a
template of the design and configuration for easier
deployment of the application to multiple regions?
 
A. Snowball
B. Opsworks
C. CloudFormation
D. Beanstalk
 
Answer (C)
Monitoring Services
 
Question 1:
What statement correctly describes CloudWatch operation
within AWS cloud?
 
A. log data is stored indefinitely
 
B. log data is stored for 15 days
 
C. alarm history is never deleted
 
D. ELB is not supported
 
Answer (A)
 
Question 2:
What are two AWS subscriber endpoint services that are
supported with SNS?
 
A. RDS
 
B. Kinesis
 
C. SQS
 
D. Lambda
 
E. EBS
 
F. ECS
 
Answer (C,D)
 
Question 3:
What AWS services work in concert to integrate security
monitoring and audit within a VPC? (Select three)
 
A. Syslog
 
B. CloudWatch
 
C. WAF
 
D. CloudTrail
 
E. VPC Flow Log
 
Answer (B,D,E)
 
Question 4:
How is CloudWatch integrated with Lambda? (Select two)
 
A. tenant must enable CloudWatch monitoring
 
B. network metrics such as latency are not monitored
 
C. Lambda functions are automatically monitored
through Lambda service
 
D. log group is created for each event source
 
E. log group is created for each function
 
Answer (C,E)
 
Question 5:
What two statements correctly describe AWS monitoring
and audit operations?
A. CloudTrail captures API calls, stores them in an S3
bucket and generates a Cloudwatch event
B. CloudWatch alarm can send a message to a Lambda
function
C. CloudWatch alarm can send a message to an SNS
Topic that triggers an event for a Lambda function
D. CloudTrail captures all AWS events and stores them in
a log file
E. VPC logs do not support events for security groups
Answer (A,C)
Question 6:
What is required for remote management access to your
Linux-based instance?
 
A. ACL
 
B. Telnet
 
C. SSH
 
D. RDP
 
Answer (C)
 
Question 7:
What are two features of CloudWatch operation?
A. CloudWatch does not support custom metrics
B. CloudWatch permissions are granted per feature and
not AWS resource
C. collect and monitor operating system and application
generated log files
D. AWS services automatically create logs for
CloudWatch
E. CloudTrail generates logs automatically when AWS
account is activated
Answer (B,C)
Question 8:
You are asked to select an AWS solution that will create a log
entry anytime a snapshot of an RDS database instance and
deletes the original instance. Select the AWS service that
would provide that feature?
 
A. VPC Flow Logs
 
B. RDS Access Logs
 
C. CloudWatch
 
D. CloudTrail
 
Answer (D)
 
Question 9:
What is required to enable application and operating system
generated logs and publish to CloudWatch Logs?
 
A. Syslog
 
B. enable access logs
 
C. IAM cross-account enabled
 
D. CloudWatch Log Agent
 
Answer (D)
 
Question 10:
What is the purpose of VPC Flow Logs?
 
A. capture VPC error messages
 
B. capture IP traffic on network interfaces
 
C. monitor network performance
 
D. monitor netflow data from subnets
 
E. enable Syslog services for VPC
 
Answer (B)
 
Question 11:
Select two cloud infrastructure services and/or components
included with default CloudWatch monitoring?
 
A. SQS queues
 
B. operating system metrics
 
C. hypervisor metrics
 
D. virtual appliances
 
E. application level metrics
 
Answer (A,C)
 
Question 12:
What feature enables CloudWatch to manage capacity
dynamically for EC2 instances?
 
A. replication lag
 
B. Auto-Scaling
 
C. Elastic Load Balancer
 
D. vertical scaling
 
Answer (B)
 
Question 13:
What AWS service is used to monitor tenant remote access
and various security errors including authentication retries?
 
A. SSH
 
B. Telnet
 
C. CloudFront
 
D. CloudWatch
 
Answer (D)
 
Question 14:
How does Amazon AWS isolate metrics from different
applications for monitoring, store and reporting purposes?
 
A. EC2 instances
 
B. Beanstalk
 
C. CloudTrail
 
D. namespaces
 
E. Docker
 
Answer (D)
 
Question 15:
What Amazon AWS service provides account transaction
monitoring and security audit?
 
A. CloudFront
 
B. CloudTrail
 
C. CloudWatch
 
D. security group
 
Answer (B)
 
Question 16:
What two statements correctly describe CloudWatch
monitoring of database instances?
A. metrics are sent automatically from DynamoDB and
RDS to CloudWatch
B. alarms must be configured for DynamoDB and RDS
within CloudWatch
C. metrics are not enabled automatically for DynamoDB
and RDS
D. RDS does not support monitoring of operating system
metrics
Answer (A,B)
Question 17: What AWS service can send notifications to
customer smartphones and mobile applications with
attached video and/or alerts?
A. EMR
B. Lambda
C. SQS
D. SNS
E. CloudTrail
Answer (D) Amazon Books • AWS Certified
Solutions Architect Associate Exam: Study Notes • AWS
Certified Solutions Architect Associate Exam: Certification
Practice Questions (full answer key version)