AWS Solution Architect Associate Dump1


100% Valid and Newest Version AWS-Solution-Architect-Associate Questions & Answers shared by Certleader
https://www.certleader.com/AWS-Solution-Architect-Associate-dumps.html (315 Q&As)

NEW QUESTION 1
A user is storing a large number of objects on AWS S3. The user wants to implement the search functionality among the objects. How can the user achieve this?

A. Use the indexing feature of S3.
B. Tag the objects with the metadata to search on that.
C. Use the query functionality of S3.
D. Make your own DB system which stores the S3 metadata for the search functionality.

Answer: D

Explanation:
In Amazon Web Services, AWS S3 does not provide any query facility. To retrieve a specific object the user needs to know the exact bucket / object key. In this case it is recommended to have an own DB system which manages the S3 metadata and key mapping.
Reference: http://media.amazonwebservices.com/AWS_Storage_Options.pdf

NEW QUESTION 2
You are migrating an internal server on your DC to an EC2 instance with EBS volume. Your server disk usage is around 500GB so you just copied all your data to a 2TB disk to be used with AWS Import/Export. Where will the data be imported once it arrives at Amazon?

A. to a 2TB EBS volume
B. to an S3 bucket with 2 objects of 1TB
C. to a 500GB EBS volume
D. to an S3 bucket as a 2TB snapshot

Answer: B

Explanation:
An import to Amazon EBS will have different results depending on whether the capacity of your storage device is less than or equal to 1 TB or greater than 1 TB. The maximum size of an Amazon EBS snapshot is 1 TB, so if the device image is larger than 1 TB, the image is chunked and stored on Amazon S3. The target location is determined based on the total capacity of the device, not the amount of data on the device.
Reference: http://docs.aws.amazon.com/AWSImportExport/latest/DG/Concepts.html

NEW QUESTION 3
An edge location refers to which Amazon Web Service?

A. An edge location is referred to the network configured within a Zone or Region
B. An edge location is an AWS Region
C. An edge location is the location of the data center used for Amazon CloudFront.
D. An edge location is a Zone within an AWS Region

Answer: C

Explanation:
Amazon CloudFront is a content distribution network. A content delivery network or content distribution network (CDN) is a large distributed system of servers deployed in multiple data centers across the world. The location of the data center used for CDN is called edge location.
Amazon CloudFront can cache static content at each edge location. This means that your popular static content (e.g., your site’s logo, navigational images, cascading style sheets, JavaScript code, etc.) will be available at a nearby edge location for the browsers to download with low latency and improved performance for viewers. Caching popular static content with Amazon CloudFront also helps you offload requests for such files from your origin server — CloudFront serves the cached copy when available and only makes a request to your origin server if the edge location receiving the browser’s request does not have a copy of the file.
Reference: http://aws.amazon.com/cloudfront/

NEW QUESTION 4
Does DynamoDB support in-place atomic updates?

A. Yes
B. No
C. It does support in-place non-atomic updates
D. It is not defined

Answer: A

Explanation:
DynamoDB supports in-place atomic updates.
Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/WorkingWithItems.html#WorkingWithItems.AtomicCounters

NEW QUESTION 5
In Amazon AWS, which of the following statements is true of key pairs?

A. Key pairs are used only for Amazon SDKs.
B. Key pairs are used only for Amazon EC2 and Amazon CloudFront.
C. Key pairs are used only for Elastic Load Balancing and AWS IAM.
D. Key pairs are used for all Amazon services.

Answer: B

Explanation:
Key pairs consist of a public and private key, where you use the private key to create a digital signature, and then AWS uses the corresponding public key to validate the signature. Key pairs are used only for Amazon EC2 and Amazon CloudFront.
Reference: http://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html

NEW QUESTION 6
Does Amazon DynamoDB support both increment and decrement atomic operations?

A. Only increment, since decrement are inherently impossible with DynamoDB's data model.
B. No, neither increment nor decrement operations.
C. Yes, both increment and decrement operations.
D. Only decrement, since increment are inherently impossible with DynamoDB's data model.

Answer: C

Explanation:
Amazon DynamoDB supports increment and decrement atomic operations.
Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/APISummary.html

NEW QUESTION 7
You need to import several hundred megabytes of data from a local Oracle database to an Amazon RDS DB instance. What does AWS recommend you use to accomplish this?

A. Oracle export/import utilities
B. Oracle SQL Developer
C. Oracle Data Pump
D. DBMS_FILE_TRANSFER

Answer: C

Explanation:
How you import data into an Amazon RDS DB instance depends on the amount of data you have and the number and variety of database objects in your database.
For example, you can use Oracle SQL Developer to import a simple, 20 MB database; you want to use Oracle Data Pump to import complex databases or databases that are several hundred megabytes or several terabytes in size.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Oracle.Procedural.Importing.html

NEW QUESTION 8
An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing. With an EIP, you can mask the failure of an instance or software by rapidly remapping the address to another instance in your account. Your EIP is associated with your AWS account, not a particular EC2 instance, and it remains associated with your account until you choose to explicitly release it. By default how many EIPs is each AWS account limited to on a per region basis?

A. 1
B. 5
C. Unlimited
D. 10

Answer: B

Explanation:
By default, all AWS accounts are limited to 5 Elastic IP addresses per region for each AWS account, because public (IPv4) Internet addresses are a scarce public resource. AWS strongly encourages you to use an EIP primarily for load balancing use cases, and use DNS hostnames for all other inter-node communication.
If you feel your architecture warrants additional EIPs, you would need to complete the Amazon EC2 Elastic IP Address Request Form and give reasons as to your need for additional addresses.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html#using-instance-addressing-limit

NEW QUESTION 9
In Amazon EC2, partial instance-hours are billed _____.

A. per second used in the hour
B. per minute used
C. by combining partial segments into full hours
D. as full hours

Answer: D

Explanation:
Partial instance-hours are billed to the next hour.
Reference: http://aws.amazon.com/ec2/faqs/

NEW QUESTION 10
You are checking the workload on some of your General Purpose (SSD) and Provisioned IOPS (SSD) volumes and it seems that the I/O latency is higher than you require. You should probably check the _____ to make sure that your application is not trying to drive more IOPS than you have provisioned.

A. Amount of IOPS that are available
B. Acknowledgement from the storage subsystem
C. Average queue length


D. Time it takes for the I/O operation to complete

Answer: C

Explanation:
In EBS workload demand plays an important role in getting the most out of your General Purpose (SSD) and Provisioned IOPS (SSD) volumes. In order for your volumes to deliver the amount of IOPS that are available, they need to have enough I/O requests sent to them. There is a relationship between the demand on the volumes, the amount of IOPS that are available to them, and the latency of the request (the amount of time it takes for the I/O operation to complete).
Latency is the true end-to-end client time of an I/O operation; in other words, when the client sends an IO, how long does it take to get an acknowledgement from the storage subsystem that the IO read or write is complete.
If your I/O latency is higher than you require, check your average queue length to make sure that your application is not trying to drive more IOPS than you have provisioned. You can maintain high IOPS while keeping latency down by maintaining a low average queue length (which is achieved by provisioning more IOPS for your volume).
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-workload-demand.html

NEW QUESTION 10
Much of your company's data does not need to be accessed often, and can take several hours for retrieval time, so it's stored on Amazon Glacier. However someone within your organization has expressed concerns that his data is more sensitive than the other data, and is wondering whether the high level of encryption that he knows is on S3 is also used on the much cheaper Glacier service. Which of the following statements would be most applicable in regards to this concern?

A. There is no encryption on Amazon Glacier, that's why it is cheaper.
B. Amazon Glacier automatically encrypts the data using AES-128 a lesser encryption method than Amazon S3 but you can change it to AES-256 if you are willing to pay more.
C. Amazon Glacier automatically encrypts the data using AES-256, the same as Amazon S3.
D. Amazon Glacier automatically encrypts the data using AES-128 a lesser encryption method than Amazon S3.

Answer: C

Explanation:
Like Amazon S3, the Amazon Glacier service provides low-cost, secure, and durable storage. But where S3 is designed for rapid retrieval, Glacier is meant to be used as an archival service for data that is not accessed often, and for which retrieval times of several hours are suitable.
Amazon Glacier automatically encrypts the data using AES-256 and stores it durably in an immutable form. Amazon Glacier is designed to provide average annual durability of 99.999999999% for an archive. It stores each archive in multiple facilities and multiple devices. Unlike traditional systems which can require laborious data verification and manual repair, Glacier performs regular, systematic data integrity checks, and is built to be automatically self-healing.
Reference: http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf

NEW QUESTION 12
_____ is a fast, flexible, fully managed push messaging service.

A. Amazon SNS
B. Amazon SES
C. Amazon SQS
D. Amazon FPS

Answer: A

Explanation:
Amazon Simple Notification Service (Amazon SNS) is a fast, flexible, fully managed push messaging service. Amazon SNS makes it simple and cost-effective to push to mobile devices such as iPhone, iPad, Android, Kindle Fire, and internet connected smart devices, as well as pushing to other distributed services.
Reference: http://aws.amazon.com/sns/?nc1=h_l2_as

NEW QUESTION 17
As AWS grows, most of your clients' main concerns seem to be about security, especially when all of their competitors also seem to be using AWS. One of your clients asks you whether having a competitor who hosts their EC2 instances on the same physical host would make it easier for the competitor to hack into the client's data. Which of the following statements would be the best choice to put your client's mind at rest?

A. Different instances running on the same physical machine are isolated from each other via a 256-bit Advanced Encryption Standard (AES-256).
B. Different instances running on the same physical machine are isolated from each other via the Xen hypervisor and via a 256-bit Advanced Encryption Standard (AES-256).
C. Different instances running on the same physical machine are isolated from each other via the Xen hypervisor.
D. Different instances running on the same physical machine are isolated from each other via IAM permissions.

Answer: C

Explanation:
Amazon Elastic Compute Cloud (EC2) is a key component in Amazon’s Infrastructure as a Service (IaaS), providing resizable computing capacity using server instances in AWS’s data centers. Amazon EC2 is designed to make web-scale computing easier by enabling you to obtain and configure capacity with minimal friction.
You create and launch instances, which are collections of platform hardware and software. Different instances running on the same physical machine are isolated from each other via the Xen hypervisor.
Amazon is active in the Xen community, which provides awareness of the latest developments. In addition, the AWS firewall resides within the hypervisor layer, between the physical network interface and the instance's virtual interface. All packets must pass through this layer, thus an instance’s neighbors have no more access to that instance than any other host on the Internet and can be treated as if they are on separate physical hosts. The physical RAM is separated using similar mechanisms.
Reference: http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf

NEW QUESTION 19
In Amazon RDS, security groups are ideally used to:

A. Define maintenance period for database engines
B. Launch Amazon RDS instances in a subnet
C. Create, describe, modify, and delete DB instances
D. Control what IP addresses or EC2 instances can connect to your databases on a DB instance

Answer: D

Explanation:
In Amazon RDS, security groups are used to control what IP addresses or EC2 instances can connect to your databases on a DB instance.
When you first create a DB instance, its firewall prevents any database access except through rules specified by an associated security group.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.html

NEW QUESTION 23
An organization has created an application which is hosted on the AWS EC2 instance. The application stores images to S3 when the end user uploads to it. The organization does not want to store the AWS secure credentials required to access the S3 inside the instance. Which of the below mentioned options is a possible solution to avoid any security threat?

A. Use the IAM based single sign between the AWS resources and the organization application.
B. Use the IAM role and assign it to the instance.
C. Since the application is hosted on EC2, it does not need credentials to access S3.
D. Use the X.509 certificates instead of the access and the secret access key

Answer: B

Explanation:
The AWS IAM role uses temporary security credentials to access AWS services. Once the role is assigned to an instance, it will not need any security credentials to be stored on the instance.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

NEW QUESTION 27
You log in to IAM on your AWS console and notice the following message. "Delete your root access keys." Why do you think IAM is requesting this?

A. Because the root access keys will expire as soon as you log out.
B. Because the root access keys expire after 1 week.
C. Because the root access keys are the same for all users.
D. Because they provide unrestricted access to your AWS resources.

Answer: D

Explanation:
In AWS an access key is required in order to sign requests that you make using the command-line interface (CLI), using the AWS SDKs, or using direct API calls. Anyone who has the access key for your root account has unrestricted access to all the resources in your account, including billing information. One of the best ways to protect your account is to not have an access key for your root account. We recommend that unless you must have a root access key (this is very rare), that you do not generate one. Instead, AWS best practice is to create one or more AWS Identity and Access Management (IAM) users, give them the necessary permissions, and use IAM users for everyday interaction with AWS.
Reference: http://docs.aws.amazon.com/general/latest/gr/aws-access-keys-best-practices.html#root-password

NEW QUESTION 32
You need to change some settings on Amazon Relational Database Service but you do not want the database to reboot immediately which you know might happen depending on the setting that you change. Which of the following will cause an immediate DB instance reboot to occur?

A. You change storage type from standard to PIOPS, and Apply Immediately is set to true.
B. You change the DB instance class, and Apply Immediately is set to false.
C. You change a static parameter in a DB parameter group.
D. You change the backup retention period for a DB instance from 0 to a nonzero value or from a nonzero value to 0, and Apply Immediately is set to false.

Answer: A

Explanation:
A DB instance outage can occur when a DB instance is rebooted, when the DB instance is put into a state that prevents access to it, and when the database is restarted. A reboot can occur when you manually reboot your DB instance or when you change a DB instance setting that requires a reboot before it can take effect.
A DB instance reboot occurs immediately when one of the following occurs:
You change the backup retention period for a DB instance from 0 to a nonzero value or from a nonzero value to 0 and set Apply Immediately to true.
You change the DB instance class, and Apply Immediately is set to true.
You change storage type from standard to PIOPS, and Apply Immediately is set to true.
A DB instance reboot occurs during the maintenance window when one of the following occurs:
You change the backup retention period for a DB instance from 0 to a nonzero value or from a nonzero value to 0, and Apply Immediately is set to false.
You change the DB instance class, and Apply Immediately is set to false.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_Troubleshooting.html#CHAP_Troubleshooting.Security

NEW QUESTION 35
You are setting up a very complex financial services grid and so far it has 5 Elastic IP (EIP) addresses.
You go to assign another EIP address, but all accounts are limited to 5 Elastic IP addresses per region by default, so you aren't able to. What is the reason for this?

A. For security reasons.
B. Hardware restrictions.
C. Public (IPV4) internet addresses are a scarce resource.


D. There are only 5 network interfaces per instance.

Answer: C

Explanation:
Public (IPV4) internet addresses are a scarce resource. There is only a limited amount of public IP space available, and Amazon EC2 is committed to helping use that space efficiently.
By default, all accounts are limited to 5 Elastic IP addresses per region. If you need more than 5 Elastic IP addresses, AWS asks that you apply for your limit to be raised. They will ask you to think through your use case and help them understand your need for additional addresses.
Reference: http://aws.amazon.com/ec2/faqs/#How_many_instances_can_I_run_in_Amazon_EC2

NEW QUESTION 37
You want to use AWS Import/Export to send data from your S3 bucket to several of your branch offices. What should you do if you want to send 10 storage units to AWS?

A. Make sure your disks are encrypted prior to shipping.
B. Make sure you format your disks prior to shipping.
C. Make sure your disks are 1TB or more.
D. Make sure you submit a separate job request for each device.

Answer: D

Explanation:
When using Amazon Import/Export, a separate job request needs to be submitted for each physical device even if they belong to the same import or export job.
Reference: http://docs.aws.amazon.com/AWSImportExport/latest/DG/Concepts.html

NEW QUESTION 38
A user needs to run a batch process which runs for 10 minutes. This will only be run once, or at maximum twice, in the next month, so the processes will be temporary only. The process needs 15 X-Large instances. The process downloads the code from S3 on each instance when it is launched, and then generates a temporary log file. Once the instance is terminated, all the data will be lost. Which of the below mentioned pricing models should the user choose in this case?

A. Spot instance.
B. Reserved instance.
C. On-demand instance.
D. EBS optimized instance.

Answer: A

Explanation:
In Amazon Web Services, the spot instance is useful when the user wants to run a process temporarily. The spot instance can terminate the instance if the other user outbids the existing bid. In this case all storage is temporary and the data is not required to be persistent. Thus, the spot instance is a good option to save money.
Reference: http://aws.amazon.com/ec2/purchasing-options/spot-instances/

NEW QUESTION 41
An existing client comes to you and says that he has heard that launching instances into a VPC (virtual private cloud) is a better strategy than launching instances into a EC2-classic which he knows is what you currently do. You suspect that he is correct and he has asked you to do some research about this and get back to him. Which of the following statements is true in regards to what ability launching your instances into a VPC instead of EC2-Classic gives you?

A. All of the things listed here.
B. Change security group membership for your instances while they're running
C. Assign static private IP addresses to your instances that persist across starts and stops
D. Define network interfaces, and attach one or more network interfaces to your instances

Answer: A

Explanation:
By launching your instances into a VPC instead of EC2-Classic, you gain the ability to:
Assign static private IP addresses to your instances that persist across starts and stops
Assign multiple IP addresses to your instances
Define network interfaces, and attach one or more network interfaces to your instances
Change security group membership for your instances while they're running
Control the outbound traffic from your instances (egress filtering) in addition to controlling the inbound traffic to them (ingress filtering)
Add an additional layer of access control to your instances in the form of network access control lists (ACL)
Run your instances on single-tenant hardware
Reference: http://media.amazonwebservices.com/AWS_Cloud_Best_Practices.pdf

NEW QUESTION 44
A user is accessing an EC2 instance on the SSH port for IP 10.20.30.40. Which one is a secure way to configure that the instance can be accessed only from this IP?

A. In the security group, open port 22 for IP 10.20.30.40
B. In the security group, open port 22 for IP 10.20.30.40/32
C. In the security group, open port 22 for IP 10.20.30.40/24
D. In the security group, open port 22 for IP 10.20.30.40/0

Answer: B

Explanation:
In AWS EC2, while configuring a security group, the user needs to specify the IP address in CIDR notation. The CIDR IP range 10.20.30.40/32 says it is for a single IP 10.20.30.40. If the user specifies the IP as 10.20.30.40 only, the security group will not accept it and will ask for it in CIDR format.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

NEW QUESTION 45
You have been using T2 instances as your CPU requirements have not been that intensive. However you now start to think about larger instance types and start looking at M1 and M3 instances. You are a little confused as to the differences between them as they both seem to have the same ratio of CPU and memory. Which statement below is incorrect as to why you would use one over the other?

A. M3 instances are less expensive than M1 instances.
B. M3 instances are configured with more swap memory than M1 instances.
C. M3 instances provide better, more consistent performance than M1 instances for most use-cases.
D. M3 instances also offer SSD-based instance storage that delivers higher I/O performance.

Answer: B

Explanation:
Amazon EC2 allows you to set up and configure everything about your instances from your operating system up to your applications. An Amazon Machine Image (AMI) is simply a packaged-up environment that includes all the necessary bits to set up and boot your instance.
M1 and M3 Standard instances have the same ratio of CPU and memory, some reasons below as to why you would use one over the other.
M3 instances provide better, more consistent performance than M1 instances for most use-cases. M3 instances also offer SSD-based instance storage that delivers higher I/O performance.
M3 instances are also less expensive than M1 instances. Due to these reasons, we recommend M3 for applications that require general purpose instances with a balance of compute, memory, and network resources.
However, if you need more disk storage than what is provided in M3 instances, you may still find M1 instances useful for running your applications.
Reference: https://aws.amazon.com/ec2/faqs/

NEW QUESTION 48
A user wants to achieve High Availability with PostgreSQL DB. Which of the below mentioned functionalities helps achieve HA?

A. Multi AZ
B. Read Replica
C. Multi region
D. PostgreSQL does not support HA

Answer: A

Explanation:
The Multi AZ feature allows the user to achieve High Availability. For Multi AZ, Amazon RDS automatically provisions and maintains a synchronous "standby" replica in a different Availability Zone.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html

NEW QUESTION 53
A user has created photo editing software and hosted it on EC2. The software accepts requests from the user about the photo format and resolution and sends a message to S3 to enhance the picture accordingly. Which of the below mentioned AWS services will help make a scalable software with the AWS infrastructure in this scenario?

A. AWS Simple Notification Service
B. AWS Simple Queue Service
C. AWS Elastic Transcoder
D. AWS Glacier

Answer: B

Explanation:
Amazon Simple Queue Service (SQS) is a fast, reliable, scalable, and fully managed message queuing service. SQS provides a simple and cost-effective way to decouple the components of an application. The user can configure SQS, which will decouple the call between the EC2 application and S3. Thus, the application does not keep waiting for S3 to provide the data.
Reference: http://aws.amazon.com/sqs/faqs/

NEW QUESTION 55
Which one of the following answers is not a possible state of Amazon CloudWatch Alarm?

A. INSUFFICIENT_DATA
B. ALARM
C. OK
D. STATUS_CHECK_FAILED

Answer: D

Explanation:
Amazon CloudWatch Alarms have three possible states:
OK: The metric is within the defined threshold
ALARM: The metric is outside of the defined threshold
INSUFFICIENT_DATA: The alarm has just started, the metric is not available, or not enough data is available for the metric to determine the alarm state
Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/AlarmThatSendsEmail.html

NEW QUESTION 58
In Amazon EC2, if your EBS volume stays in the detaching state, you can force the detachment by clicking _____.

A. Force Detach


B. Detach Instance
C. AttachVolume
D. AttachInstance

Answer: A

Explanation:
If your volume stays in the detaching state, you can force the detachment by clicking Force Detach.
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html

NEW QUESTION 62
An organization has a statutory requirement to protect the data at rest for data stored in EBS volumes. Which of the below mentioned options can the organization use to achieve data protection?

A. Data replication.
B. Data encryption.
C. Data snapshot.
D. All the options listed here.

Answer: D

Explanation:
For protecting the Amazon EBS data at REST, the user can use options, such as Data Encryption (Windows / Linux / third party based), Data Replication (AWS internally replicates data for redundancy), and Data Snapshot (for point in time backup).
Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

NEW QUESTION 67
You have a number of image files to encode. In an Amazon SQS worker queue, you create an Amazon SQS message for each file specifying the command (jpeg-encode) and the location of the file in Amazon S3. Which of the following statements best describes the functionality of Amazon SQS?

A. Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds.
B. Amazon SQS is for single-threaded sending or receiving speeds.
C. Amazon SQS is a non-distributed queuing system.
D. Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for single-threaded sending or receiving speeds.

Answer: A

Explanation:
Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for single-threaded sending or receiving speeds. A single client can send or receive Amazon SQS messages at a rate of about 5 to 50 messages per second. Higher receive performance can be achieved by requesting multiple messages (up to 10) in a single call. It may take several seconds before a message that has been to a queue is available to be received.
Reference: http://media.amazonwebservices.com/AWS_Storage_Options.pdf

NEW QUESTION 71
You have been asked to tighten up the password policies in your organization after a serious security breach, so you need to consider every possible security measure. Which of the following is not an account password policy for IAM Users that can be set?

A. Force IAM users to contact an account administrator when the user has allowed his or her password to expire.
B. A minimum password length.
C. Force IAM users to contact an account administrator when the user has entered his password incorrectly.
D. Prevent IAM users from reusing previous passwords.

Answer: C

Explanation:
IAM users need passwords in order to access the AWS Management Console. (They do not need passwords if they will access AWS resources programmatically by using the CLI, AWS SDKs, or the APIs.)
You can use a password policy to do these things:
Set a minimum password length.
Require specific character types, including uppercase letters, lowercase letters, numbers, and non-alphanumeric characters. Be sure to remind your users that passwords are case sensitive.
Allow all IAM users to change their own passwords.
Require IAM users to change their password after a specified period of time (enable password expiration).
Prevent IAM users from reusing previous passwords.
Force IAM users to contact an account administrator when the user has allowed his or her password to expire.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingPasswordPolicies.html

NEW QUESTION 73
A major client who has been spending a lot of money on his internet service provider asks you to set up an AWS Direct Connection to try and save him some money. You know he needs high-speed connectivity. Which connection port speeds are available on AWS Direct Connect?

A. 500Mbps and 1Gbps
B. 1Gbps and 10Gbps
C. 100Mbps and 1Gbps
D. 1Gbps

Answer: B

Explanation:
AWS Direct Connect is a network service that provides an alternative to using the internet to utilize AWS cloud services.
Using AWS Direct Connect, data that would have previously been transported over the Internet can now be delivered through a private network connection between AWS and your datacenter or corporate network.
1Gbps and 10Gbps ports are available. Speeds of 50Mbps, 100Mbps, 200Mbps, 300Mbps, 400Mbps, and 500Mbps can be ordered from any APN partners supporting AWS Direct Connect.
Reference: https://aws.amazon.com/directconnect/faqs/

NEW QUESTION 76
In Amazon EC2, what is the limit of Reserved Instances per Availability Zone each month?
A. 5
B. 20
NEW QUESTION 68 C. 50
Select the correct statement: Within Amazon EC2, when using Linux instances, the device name D. 10
/dev/sda1 is .
Answer: B
A. reserved for EBS volumes
B. recommended for EBS volumes Explanation:
C. recommended for instance store volumes There are 20 Reserved Instances per Availability Zone in each month.
D. reserved for the root device Reference: http://docs.aws.amazon.com/generaI/latest/gr/aws_service_Iimits.html

Answer: D
NEW QUESTION 81
Explanation: You have just set up yourfirst Elastic Load Balancer (ELB) but it does not seem to be configured properly. You discover that before you start using ELB, you have
Within Amazon EC2, when using a Linux instance, the device name /dev/sda1 is reserved for the root device. to configure the listeners for your load balancer. Which protocols does ELB use to support the load balancing of applications?
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/device_naming.htmI
A. HTTP and HTTPS
B. HTTP, HTTPS , TCP, SSL and SSH
NEW QUESTION 69 C. HTTP, HTTPS , TCP, and SSL
You receive the following request from a client to quickly deploy a static website for them, specifically on AWS. The requirements are low-cost, reliable, online D. HTTP, HTTPS , TCP, SSL and SFTP
storage, and a reliable and cost-effective way to route customers to the website, as well as a way to deliver content with low latency and high data transfer speeds
so that visitors to his website don't experience unnecessary delays. What do you think would be the minimum AWS services that could fulfill the cIient's request? Answer: C

A. Amazon Route 53, Amazon CIoudFront and Amazon VPC. Explanation:


B. Amazon S3, Amazon Route 53 and Amazon RDS Before you start using Elastic Load BaIancing(ELB), you have to configure the listeners for your load balancer. A listener is a process that listens for connection
C. Amazon S3, Amazon Route 53 and Amazon CIoudFront requests. It is configured with a protocol and a port number for front-end (client to load balancer) and back-end (load balancer to back-end instance) connections.
D. Amazon S3 and Amazon Route 53. Elastic Load Balancing supports the load balancing of applications using HTTP, HTTPS (secure HTTP), TCP, and SSL (secure TCP) protocols. The HTTPS uses
the SSL protocol to establish secure connections over the HTTP layer. You can also use SSL protocol to establish secure connections over the TCP layer.
Answer: C The acceptable ports for both HTTPS/SSL and HTTP/TCP connections are 25, 80, 443, 465, 587, and
1024-65535.
Explanation: Reference:
You can easily and inexpensively use AWS to host a website that uses client-side technologies (such as HTML, CSS, and JavaScript) and does not require server- http://docs.aws.amazon.com/E|asticLoadBaIancing/latest/DeveIoperGuide/elb-listener-config.htmI
side technologies (such as PHP and ASP.NET). This type of site is called a static website, and is used to display content that does not change frequently. Before
you create and deploy a static website, you must plan your architecture to ensure that it meets your requirements. Amazon S3, Amazon Route 53, and Amazon
CIoudFront would be required in this instance. NEW QUESTION 86
Reference: http://docs.aws.amazon.com/gettingstarted/latest/swh/website-hosting-intro.html After setting up some EC2 instances you now need to set up a monitoring solution to keep track of these instances and to send you an email when the CPU hits a
certain threshold. Which statement below best describes what thresholds you can set to trigger a CIoudWatch Alarm?


A. Set a target value and choose whether the alarm will trigger when the value is greater than (>), greater than or equal to (>=), less than (<), or less than or equal to (<=) that value.
B. Thresholds need to be set in IAM not CloudWatch
C. Only default thresholds can be set you can't choose your own thresholds.
D. Set a target value and choose whether the alarm will trigger when the value hits this threshold

Answer: A

Explanation:
Amazon CloudWatch is a monitoring service for AWS cloud resources and the applications you run on AWS. You can use Amazon CloudWatch to collect and track metrics, collect and monitor log files, and set alarms.
When you create an alarm, you first choose the Amazon CloudWatch metric you want it to monitor. Next, you choose the evaluation period (e.g., five minutes or one hour) and a statistical value to measure (e.g., Average or Maximum).
To set a threshold, set a target value and choose whether the alarm will trigger when the value is greater than (>), greater than or equal to (>=), less than (<), or less than or equal to (<=) that value.
Reference: http://aws.amazon.com/cloudwatch/faqs/


NEW QUESTION 88
A gaming company comes to you and asks you to build them infrastructure for their site. They are not sure how big they will be as with all start ups they have limited money and big ideas. What they do tell you is that if the game becomes successful, like one of their previous games, it may rapidly grow to millions of users and generate tens (or even hundreds) of thousands of writes and reads per second. After considering all of this, you decide that they need a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Which of the following databases do you think would best fit their needs?

A. Amazon DynamoDB
B. Amazon Redshift
C. Any non-relational database.
D. Amazon SimpleDB

Answer: A

Explanation:
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. Amazon DynamoDB enables customers to offload the administrative burdens of operating and scaling distributed databases to AWS, so they don’t have to worry about hardware provisioning, setup and configuration, replication, software patching, or cluster scaling.
Today’s web-based applications generate and consume massive amounts of data. For example, an online game might start out with only a few thousand users and a light database workload consisting of 10 writes per second and 50 reads per second. However, if the game becomes successful, it may rapidly grow to millions of users and generate tens (or even hundreds) of thousands of writes and reads per second. It may also create terabytes or more of data per day. Developing your applications against Amazon DynamoDB enables you to start small and simply dial-up your request capacity for a table as your requirements scale, without incurring downtime. You pay highly cost-efficient rates for the request capacity you provision, and let Amazon DynamoDB do the work over partitioning your data and traffic over sufficient server capacity to meet your needs. Amazon DynamoDB does the database management and administration, and you simply store and request your data. Automatic replication and failover provides built-in fault tolerance, high availability, and data durability. Amazon DynamoDB gives you the peace of mind that your database is fully managed and can grow with your application requirements.
Reference: http://aws.amazon.com/dynamodb/faqs/


NEW QUESTION 89
You're trying to delete an SSL certificate from the IAM certificate store, and you're getting the message "Certificate: <certificate-id> is being used by CloudFront." Which of the following statements is probably the reason why you are getting this error?

A. Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CloudFront certificate.
B. You can't delete SSL certificates. You need to request it from AWS.
C. Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM
D. Before you can delete an SSL certificate you need to set up https on your server

Answer: A

Explanation:
CloudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .html, .css, .php, and image files, to end users.
Every CloudFront web distribution must be associated either with the default CloudFront certificate or with a custom SSL certificate. Before you can delete an SSL certificate, you need to either rotate SSL certificates (replace the current custom SSL certificate with another custom SSL certificate) or revert from using a custom SSL certificate to using the default CloudFront certificate.
Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/Troubleshooting.html


NEW QUESTION 90
In relation to AWS CloudHSM, High-availability (HA) recovery is hands-off resumption by failed HA group members.
Prior to the introduction of this function, the HA feature provided redundancy and performance, but required that a failed/lost group member be ____ reinstated.

A. automatically
B. periodically
C. manually
D. continuously

Answer: C

Explanation:
In relation to AWS CloudHSM, High-availability (HA) recovery is hands-off resumption by failed HA group members.
Prior to the introduction of this function, the HA feature provided redundancy and performance, but required that a failed/lost group member be manually reinstated.
Reference: http://docs.aws.amazon.com/cloudhsm/latest/userguide/ha-best-practices.html


NEW QUESTION 92
You have been asked to build AWS infrastructure for disaster recovery for your local applications and within that you should use an AWS Storage Gateway as part of the solution. Which of the following best describes the function of an AWS Storage Gateway?

A. Accelerates transferring large amounts of data between the AWS cloud and portable storage devices.
B. A web service that speeds up distribution of your static and dynamic web content.
C. Connects an on-premises software appliance with cloud-based storage to provide seamless and secure integration between your on-premises IT environment and AWS's storage infrastructure.
D. Is a storage service optimized for infrequently used data, or "cold data."

Answer: C

Explanation:
AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to provide seamless integration with data security features between your on-premises IT environment and the Amazon Web Services (AWS) storage infrastructure. You can use the service to store data in the AWS cloud for scalable and cost-effective storage that helps maintain data security. AWS Storage Gateway offers both volume-based and tape-based storage solutions:
· Volume gateways
  · Gateway-cached volumes
  · Gateway-stored volumes
· Gateway-virtual tape library (VTL)
Reference: http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_disasterrecovery_07.pdf


NEW QUESTION 93
An organization has a statutory requirement to protect the data at rest for the S3 objects. Which of the below mentioned options need not be enabled by the organization to achieve data security?

A. MFA delete for S3 objects
B. Client side encryption
C. Bucket versioning
D. Data replication

Answer: D

Explanation:
AWS S3 provides multiple options to achieve the protection of data at rest. The options include Permission (Policy), Encryption (Client and Server Side), Bucket Versioning and MFA based delete. The user can enable any of these options to achieve data protection. Data replication is an internal facility by AWS where S3 replicates each object across all the Availability Zones and the organization need not enable it in this case.
Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf


NEW QUESTION 98
Which of the following features are provided by Amazon EC2?

A. Exadata Database Machine, Optimized Storage Management, Flashback Technology, and Data Warehousing
B. Instances, Amazon Machine Images (AMIs), Key Pairs, Amazon EBS Volumes, Firewall, Elastic IP address, Tags, and Virtual Private Clouds (VPCs)
C. Real Application Clusters (RAC), Elasticache Machine Images (EMIs), Data Warehousing, Flashback Technology, Dynamic IP address
D. Exadata Database Machine, Real Application Clusters (RAC), Data Guard, Table and Index Partitioning, and Data Pump Compression

Answer: B

Explanation:
Amazon EC2 provides the following features:
· Virtual computing environments, known as instances;
· Pre-configured templates for your instances, known as Amazon Machine Images (AMIs), that package the bits you need for your server (including the operating system and additional software)
· Various configurations of CPU, memory, storage, and networking capacity for your instances, known as instance types
· Secure login information for your instances using key pairs (AWS stores the public key, and you store the private key in a secure place)
· Storage volumes for temporary data that's deleted when you stop or terminate your instance, known as instance store volumes
· Persistent storage volumes for your data using Amazon Elastic Block Store (Amazon EBS), known as Amazon EBS volumes
· Multiple physical locations for your resources, such as instances and Amazon EBS volumes, known as regions and Availability Zones
· A firewall that enables you to specify the protocols, ports, and source IP ranges that can reach your instances using security groups
· Static IP addresses for dynamic cloud computing, known as Elastic IP addresses
· Metadata, known as tags, that you can create and assign to your Amazon EC2 resources
· Virtual networks you can create that are logically isolated from the rest of the AWS cloud, and that you can optionally connect to your own network, known as virtual private clouds (VPCs).
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html


NEW QUESTION 99
A user has created an ELB with the availability zone US-East-1A. The user wants to add more zones to ELB to achieve High Availability. How can the user add more zones to the existing ELB?

A. The user should stop the ELB and add zones and instances as required
B. The only option is to launch instances in different zones and add to ELB
C. It is not possible to add more zones to the existing ELB
D. The user can add zones on the fly from the AWS console

Answer: D

Explanation:
The user has created an Elastic Load Balancer with the availability zone and wants to add more zones to the existing ELB. The user can do so in two ways:
· From the console or CLI, add new zones to ELB;
· Launch instances in a separate AZ and add instances to the existing ELB.
Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-disable-az.html


NEW QUESTION 101
A user is sending bulk emails using AWS SES. The emails are not reaching some of the targeted audience because they are not authorized by the ISPs. How can the user ensure that the emails are all delivered?

A. Send an email using DKIM with SES.
B. Send an email using SMTP with SES.
C. Open a ticket with AWS support to get it authorized with the ISP.
D. Authorize the ISP by sending emails from the development account

Answer: A

Explanation:
Domain Keys Identified Mail (DKIM) is a standard that allows senders to sign their email messages and ISPs to use those signatures to verify that those messages are legitimate and have not been modified by a third party in transit.
Reference: http://docs.aws.amazon.com/ses/latest/DeveloperGuide/dkim.html


NEW QUESTION 103
In AWS CloudHSM, in addition to the AWS recommendation that you use two or more HSM appliances in a high-availability configuration to prevent the loss of keys and data, you can also perform a remote backup/restore of a Luna SA partition if you have purchased a:

A. Luna Restore HSM.
B. Luna Backup HSM.
C. Luna HSM.
D. Luna SA HSM.

Answer: B

Explanation:
In AWS CloudHSM, you can perform a remote backup/restore of a Luna SA partition if you have purchased a Luna Backup HSM.
Reference: http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloud-hsm-backup-restore.html


NEW QUESTION 108
A user has defined an AutoScaling termination policy to first delete the instance with the nearest billing hour. AutoScaling has launched 3 instances in the US-East-1A region and 2 instances in the US-East-1B region. One of the instances in the US-East-1B region is running nearest to the billing hour. Which instance will AutoScaling terminate first while executing the termination action?

A. Random Instance from US-East-1A
B. Instance with the nearest billing hour in US-East-1B
C. Instance with the nearest billing hour in US-East-1A
D. Random instance from US-East-1B

Answer: C

Explanation:
Even though the user has configured the termination policy, before AutoScaling selects an instance to terminate, it first identifies the Availability Zone that has more instances than the other Availability Zones used by the group. Within the selected Availability Zone, it identifies the instance that matches the specified termination policy.
Reference: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/us-termination-policy.html


NEW QUESTION 113
Can you encrypt EBS volumes?

A. Yes, you can enable encryption when you create a new EBS volume using the AWS Management Console, API, or CLI.
B. No, you should use a third-party software to perform raw block-level encryption of an EBS volume.
C. Yes, but you must use a third-party API for encrypting data before it's loaded on EBS.
D. Yes, you can encrypt with the special "ebs_encrypt" command through Amazon API

Answer: A

Explanation:
With Amazon EBS encryption, you can now create an encrypted EBS volume and attach it to a supported instance type. Data on the volume, disk I/O, and snapshots created from the volume are then all encrypted. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between EC2 instances and EBS storage. EBS encryption is based on the industry standard AES-256 cryptographic algorithm.
To get started, simply enable encryption when you create a new EBS volume using the AWS Management Console, API, or CLI. Amazon EBS encryption is available for all the latest EC2 instances in all commercially available AWS regions.
Reference: https://aws.amazon.com/about-aws/whats-new/2014/05/21/Amazon-EBS-encryption-now-available/


NEW QUESTION 115
While controlling access to Amazon EC2 resources, which of the following acts as a firewall that controls the traffic allowed to reach one or more instances?

A. A security group
B. An instance type
C. A storage cluster
D. An object

Answer: A

Explanation:
A security group acts as a firewall that controls the traffic allowed to reach one or more instances. When you launch an instance, you assign it one or more security groups.
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/UsingIAM.html


NEW QUESTION 117
Just when you thought you knew every possible storage option on AWS you hear someone mention Reduced Redundancy Storage (RRS) within Amazon S3. What is the ideal scenario to use Reduced Redundancy Storage (RRS)?

A. Huge volumes of data
B. Sensitive data
C. Non-critical or reproducible data
D. Critical data

Answer: C

Explanation:
Reduced Redundancy Storage (RRS) is a new storage option within Amazon S3 that enables customers to reduce their costs by storing non-critical, reproducible data at lower levels of redundancy than Amazon S3’s standard storage. RRS provides a lower cost, less durable, highly available storage option that is designed to sustain the loss of data in a single facility.
RRS is ideal for non-critical or reproducible data.
For example, RRS is a cost-effective solution for sharing media content that is durably stored elsewhere. RRS also makes sense if you are storing thumbnails and other resized images that can be easily reproduced from an original image.
Reference: https://aws.amazon.com/s3/faqs/


NEW QUESTION 118
A user has hosted an application on EC2 instances. The EC2 instances are configured with ELB and Auto Scaling. The application server session time out is 2 hours. The user wants to configure connection draining to ensure that all in-flight requests are supported by ELB even though the instance is being deregistered. What time out period should the user specify for connection draining?

A. 1 hour
B. 30 minutes
C. 5 minutes
D. 2 hours

Answer: A

Explanation:
The Elastic Load Balancer connection draining feature causes the load balancer to stop sending new requests to the back-end instances when the instances are deregistering or become unhealthy, while ensuring that in-flight requests continue to be served. The user can specify a maximum time of 3600 seconds (1 hour) for the load balancer to keep the connections alive before reporting the instance as deregistered. If the user does not specify the maximum timeout period, by default, the load balancer will close the connections to the deregistering instance after 300 seconds.
Reference: http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/config-conn-drain.html


NEW QUESTION 122
How can you apply more than 100 rules to an Amazon EC2-Classic?

A. By adding more security groups
B. You need to create a default security group specifying your required rules if you need to use more than 100 rules per security group.
C. By default the Amazon EC2 security groups support 500 rules.
D. You can't add more than 100 rules to security groups for an Amazon EC2 instance

Answer: D

Explanation:
In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security group.
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html


NEW QUESTION 124
When controlling access to Amazon EC2 resources, each Amazon EBS Snapshot has a ____ attribute that controls which AWS accounts can use the snapshot.

A. createVolumePermission
B. LaunchPermission
C. SharePermission
D. RequestPermission

Answer: A

Explanation:
Each Amazon EBS Snapshot has a createVolumePermission attribute that you can set to one or more AWS Account IDs to share the AM with those AWS

Accounts. To allow several AWS Accounts to use a particular EBS snapshot, you can use the snapshot's createVolumePermission attribute to include a list of the accounts that can use it.
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/UsingIAM.html


NEW QUESTION 128
A customer has a 10 GB AWS Direct Connect connection to an AWS region where they have a web application hosted on Amazon Elastic Compute Cloud (EC2). The application has dependencies on an on-premises mainframe database that uses a BASE (Basic Available, Soft state, Eventual consistency) rather than an ACID (Atomicity, Consistency, Isolation, Durability) consistency model.
The application is exhibiting undesirable behavior because the database is not able to handle the volume of writes. How can you reduce the load on your on-premises database resources in the most cost-effective way?

A. Use an Amazon Elastic Map Reduce (EMR) S3DistCp as a synchronization mechanism between the on-premises database and a Hadoop cluster on AWS.
B. Modify the application to write to an Amazon SQS queue and develop a worker process to flush the queue to the on-premises database.
C. Modify the application to use DynamoDB to feed an EMR cluster which uses a map function to write to the on-premises database.
D. Provision an RDS read-replica database on AWS to handle the writes and synchronize the two databases using Data Pipeline.

Answer: A

Explanation:
Reference: https://aws.amazon.com/blogs/aws/category/amazon-elastic-map-reduce/


NEW QUESTION 130
You have launched an EC2 instance with four (4) 500GB EBS Provisioned IOPS volumes attached. The EC2 instance is EBS-Optimized and supports 500 Mbps throughput between EC2 and EBS. The two EBS volumes are configured as a single RAID 0 device, and each Provisioned IOPS volume is provisioned with 4.000 IOPS (4 000 16KB reads or writes) for a total of 16.000 random IOPS on the instance. The EC2 instance initially delivers the expected 16 000 IOPS random read and write performance. Sometime later, in order to increase the total random I/O performance of the instance, you add an additional two 500 GB EBS Provisioned IOPS volumes to the RAID. Each volume is provisioned to 4.000 IOPS like the original four for a total of 24.000 IOPS on the EC2 instance. Monitoring shows that the EC2 instance CPU utilization increased from 50% to 70%, but the total random IOPS measured at the instance level does not increase at all.
What is the problem and a valid solution?

A. Larger storage volumes support higher Provisioned IOPS rates: increase the provisioned volume storage of each of the 6 EBS volumes to 1TB
B. The EBS-Optimized throughput limits the total IOPS that can be utilized use an EBS-Optimized instance that provides larger throughput.
C. Small block sizes cause performance degradation, limiting the I/O throughput, configure the instance device driver and file system to use 64KB blocks to increase throughput.
D. RAID 0 only scales linearly to about 4 devices, use RAID 0 with 4 EBS Provisioned IOPS volumes but increase each Provisioned IOPS EBS volume to 6.000 IOPS.
E. The standard EBS instance root volume limits the total IOPS rate, change the instant root volume to also be a 500GB 4.000 Provisioned IOPS volume.

Answer: E


months resulting in significant financial losses. Your CIO is strongly agreeing to move the application to AWS. While working on achieving buy-in from the other company executives, he asks you to develop a disaster recovery plan to help improve Business continuity in the short term. He specifies a target Recovery Time Objective (RTO) of 4 hours and a Recovery Point Objective (RPO) of 1 hour or less. He also asks you to implement the solution within 2 weeks. Your database is 200GB in size and you have a 20Mbps Internet connection.
How would you do this while minimizing costs?

A. Create an EBS backed private AMI which includes a fresh install of your application
B. Develop a CloudFormation template which includes your AMI and the required EC2, AutoScaling, and ELB resources to support deploying the application across Multiple-Availability-Zones
C. Asynchronously replicate transactions from your on-premises database to a database instance in AWS across a secure VPN connection.
D. Deploy your application on EC2 instances within an Auto Scaling group across multiple availability zones
E. Asynchronously replicate transactions from your on-premises database to a database instance in AWS across a secure VPN connection.
F. Create an EBS backed private AMI which includes a fresh install of your application
G. Setup a script in your data center to backup the local database every 1 hour and to encrypt and copy the resulting file to an S3 bucket using multi-part upload.
H. Install your application on a compute-optimized EC2 instance capable of supporting the application's average load
I. Synchronously replicate transactions from your on-premises database to a database instance in AWS across a secure Direct Connect connection.

Answer: A

Explanation:
Overview of Creating Amazon EBS-Backed AMIs
First, launch an instance from an AMI that's similar to the AMI that you'd like to create. You can connect to your instance and customize it. When the instance is configured correctly, ensure data integrity by stopping the instance before you create an AMI, then create the image. When you create an Amazon EBS-backed AMI, we automatically register it for you.
Amazon EC2 powers down the instance before creating the AMI to ensure that everything on the instance is stopped and in a consistent state during the creation process. If you're confident that your instance is in a consistent state appropriate for AMI creation, you can tell Amazon EC2 not to power down and reboot the instance. Some file systems, such as XFS, can freeze and unfreeze activity, making it safe to create the image without rebooting the instance.
During the AMI-creation process, Amazon EC2 creates snapshots of your instance's root volume and any other EBS volumes attached to your instance. If any volumes attached to the instance are encrypted, the new AMI only launches successfully on instances that support Amazon EBS encryption. For more information, see Amazon EBS Encryption.
Depending on the size of the volumes, it can take several minutes for the AMI-creation process to complete (sometimes up to 24 hours). You may find it more efficient to create snapshots of your volumes prior to creating your AMI. This way, only small, incremental snapshots need to be created when the AMI is created, and the process completes more quickly (the total time for snapshot creation remains the same). For more information, see Creating an Amazon EBS Snapshot.
After the process completes, you have a new AMI and snapshot created from the root volume of the instance. When you launch an instance using the new AMI, we create a new EBS volume for its root volume using the snapshot. Both the AMI and the snapshot incur charges to your account until you delete them. For more information, see Deregistering Your AMI.
If you add instance-store volumes or EBS volumes to your instance in addition to the root device volume, the block device mapping for the new AMI contains information for these volumes, and the block device mappings for instances that you launch from the new AMI automatically contain information for these volumes. The instance-store volumes specified in the block device mapping for the new instance are new and don't contain any data from the instance store volumes of the instance you used to create the AMI. The data on EBS volumes persists. For more information, see Block Device Mapping.


NEW QUESTION 135
Your system recently experienced down time during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances.
Which of the following strategies will help prevent a similar situation in the future? The administrator still must be able to:


NEW QUESTION 131
A web design company currently runs several FTP servers that their 250 customers use to upload and download large graphic files. They wish to move this system
to AWS to make it more scalable, but they wish to maintain customer privacy and Keep costs to a minimum. - launch, start stop, and terminate development resources.
What AWS architecture would you recommend? - launch and start production instances.

A. ASK their customers to use an 53 client instead of an FTP clien A. Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination protection.
B. Create a single 53 bucket Create an IAM user for each customer Put the IAM Users in a Group that has an IAM policy that permits access to sub-directories B. Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources.
within the bucket via use of the 'username' Policy variable. C. Leverage EC2 termination protection and multi-factor authentication, which together require users to authenticate before terminating EC2 instances
C. Create a single 53 bucket with Reduced Redundancy Storage turned on and ask their customers to use an 53 client instead of an FTP client Create a bucket for D. Create an IAM user and apply an IAM role which prevents users from terminating production EC2 instances.
each customer with a Bucket Policy that permits access only to that one customer.
D. Create an auto-scaling group of FTP servers with a scaling policy to automatically scale-in when minimum network traffic on the auto-scaling group is below a Answer: B
given threshol
E. Load a central list of ftp users from 53 as part of the user Data startup script on each Instance. Explanation:
F. Create a single 53 bucket with Requester Pays turned on and ask their customers to use an 53 client instead of an FTP client Create a bucket tor each Working with volumes
customer with a Bucket Policy that permits access only to that one customer. When an API action requires a caller to specify multiple resources, you must create a policy statement that allows users to access all required resources. If you
need to use a Condition element with one or more of these resources, you must create multiple statements as shown in this example.
Answer: A The following policy allows users to attach volumes with the tag "volume_user=iam-user-name" to instances with the tag "department=dev", and to detach those
volumes from those instances. If you attach this policy to an IAM group, the aws:username policy variable gives each IAM user in the group permission to attach or
detach volumes from the instances with a tag named voIume_ user that has his or her IAM user name as a value.
NEW QUESTION 132 {
You would like to create a mirror image of your production environment in another region for disaster recovery purposes. Which of the following AWS resources do "Version": "2012-10-I7",
not need to be recreated in the second region? (Choose 2 answers) "Statement": [{
"Effect": "A||ow", "Action": [ "ec2:AttachVoIume",
A. Route 53 Record Sets "ec2:DetachVoIume" I,
B. IM Roles "Resource": "arn :aws:ec2:us-east-1:123456789012:instanee/*", "Condition": {
C. Elastic IP Addresses (EIP) "StringEqua|s": { "ec2:ResourceTag/department": "dev" I
D. EC2 Key Pairs I I,
E. Launch configurations {
F. Security Groups "Effect": "A||ow", "Action": [ "ec2:AttachVoIume", "ec2:DetachVoIume" I,
"Resource": "arn:aws:ec2:us-east-1:123456789012:voIume/*", "Condition": {
Answer: AC "StringEqua|s": {
"ec2:ResourceTag/voIume_user": "${aws:username}" I
Explanation: IIII
Reference: Launching instances (Runlnstances)
http://tech.com/wp-content/themes/optimize/download/AWSDisaster_Recovery.pdf (page 6) The Runlnstances API action launches one or more instances. Runlnstances requires an AM and creates an instance; and users can specify a key pair and
security group in the request. Launching into EC2-VPC requires a subnet, and creates a network interface. Launching from an Amazon EBS-backed AM creates a
volume. Therefore, the user must have permission to use these Amazon EC2 resources. The caller can also configure the instance using optional parameters to
NEW QUESTION 134 Run Instances, such as the instance type and a subnet. You can create a policy statement that requires users to specify an optional parameter, or restricts users to
Your company currently has a 2-tier web application running in an on-premises data center. You have experienced several infrastructure failures in the past two particular values for a parameter. The examples in this section demonstrate some of the many possible ways that you can control the configuration of an instance


that a user can launch.

Note that by default, users don't have permission to describe, start, stop, or terminate the resulting instances. One way to grant the users permission to manage the resulting instances is to create a specific tag for each instance, and then create a statement that enables them to manage instances with that tag. For more information, see 2: Working with instances.

a. AMI
The following policy allows users to launch instances using only the AMIs that have the specified tag, "department=dev", associated with them. The users can't launch instances using other AMIs because the Condition element of the first statement requires that users specify an AMI that has this tag. The users also can't launch into a subnet, as the policy does not grant permissions for the subnet and network interface resources. They can, however, launch into EC2-Classic. The second statement uses a wildcard to enable users to create instance resources, and requires users to specify the key pair project_keypair and the security group sg-1a2b3c4d. Users are still able to launch instances without a key pair.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": ["arn:aws:ec2:region::image/ami-*"],
          "Condition": {
            "StringEquals": {"ec2:ResourceTag/department": "dev"}
          }
        },
        {
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region:account:instance/*",
            "arn:aws:ec2:region:account:volume/*",
            "arn:aws:ec2:region:account:key-pair/project_keypair",
            "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
          ]
        }
      ]
    }

Alternatively, the following policy allows users to launch instances using only the specified AMIs, ami-9e1670f7 and ami-45cf5c3c. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so), and the users can't launch an instance into a subnet.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region::image/ami-9e1670f7",
            "arn:aws:ec2:region::image/ami-45cf5c3c",
            "arn:aws:ec2:region:account:instance/*",
            "arn:aws:ec2:region:account:volume/*",
            "arn:aws:ec2:region:account:key-pair/*",
            "arn:aws:ec2:region:account:security-group/*"
          ]
        }
      ]
    }

Alternatively, the following policy allows users to launch instances from all AMIs owned by Amazon. The Condition element of the first statement tests whether ec2:Owner is amazon. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so). The users are able to launch an instance into a subnet.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": ["arn:aws:ec2:region::image/ami-*"],
          "Condition": {
            "StringEquals": {"ec2:Owner": "amazon"}
          }
        },
        {
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region:account:instance/*",
            "arn:aws:ec2:region:account:subnet/*",
            "arn:aws:ec2:region:account:volume/*",
            "arn:aws:ec2:region:account:network-interface/*",
            "arn:aws:ec2:region:account:key-pair/*",
            "arn:aws:ec2:region:account:security-group/*"
          ]
        }
      ]
    }

b. Instance type
The following policy allows users to launch instances using only the t2.micro or t2.small instance type, which you might do to control costs. The users can't launch larger instances because the Condition element of the first statement tests whether ec2:InstanceType is either t2.micro or t2.small.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": ["arn:aws:ec2:region:account:instance/*"],
          "Condition": {
            "StringEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}
          }
        },
        {
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region::image/ami-*",
            "arn:aws:ec2:region:account:subnet/*",
            "arn:aws:ec2:region:account:network-interface/*",
            "arn:aws:ec2:region:account:volume/*",
            "arn:aws:ec2:region:account:key-pair/*",
            "arn:aws:ec2:region:account:security-group/*"
          ]
        }
      ]
    }

Alternatively, you can create a policy that denies users permission to launch any instances except t2.micro and t2.small instance types.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": ["arn:aws:ec2:region:account:instance/*"],
          "Condition": {
            "StringNotEquals": {"ec2:InstanceType": ["t2.micro", "t2.small"]}
          }
        },
        {
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region::image/ami-*",
            "arn:aws:ec2:region:account:network-interface/*",
            "arn:aws:ec2:region:account:instance/*",
            "arn:aws:ec2:region:account:subnet/*",
            "arn:aws:ec2:region:account:volume/*",
            "arn:aws:ec2:region:account:key-pair/*",
            "arn:aws:ec2:region:account:security-group/*"
          ]
        }
      ]
    }

c. Subnet
The following policy allows users to launch instances using only the specified subnet, subnet-12345678. The group can't launch instances into any other subnet (unless another statement grants the users permission to do so). Users are still able to launch instances into EC2-Classic.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region:account:subnet/subnet-12345678",
            "arn:aws:ec2:region:account:network-interface/*",
            "arn:aws:ec2:region:account:instance/*",
            "arn:aws:ec2:region:account:volume/*",
            "arn:aws:ec2:region::image/ami-*",
            "arn:aws:ec2:region:account:key-pair/*",
            "arn:aws:ec2:region:account:security-group/*"
          ]
        }
      ]
    }

Alternatively, you could create a policy that denies users permission to launch an instance into any other subnet. The statement does this by denying permission to create a network interface, except where subnet subnet-12345678 is specified. This denial overrides any other policies that are created to allow launching instances into other subnets. Users are still able to launch instances into EC2-Classic.

    {
      "Version": "2012-10-17",
      "Statement": [{
          "Effect": "Deny",
          "Action": "ec2:RunInstances",
          "Resource": ["arn:aws:ec2:region:account:network-interface/*"],
          "Condition": {
            "ArnNotEquals": {"ec2:Subnet": "arn:aws:ec2:region:account:subnet/subnet-12345678"}
          }
        },
        {
          "Effect": "Allow",
          "Action": "ec2:RunInstances",
          "Resource": [
            "arn:aws:ec2:region::image/ami-*",
            "arn:aws:ec2:region:account:network-interface/*",
            "arn:aws:ec2:region:account:instance/*",
            "arn:aws:ec2:region:account:subnet/*",
            "arn:aws:ec2:region:account:volume/*",
            "arn:aws:ec2:region:account:key-pair/*",
            "arn:aws:ec2:region:account:security-group/*"
          ]
        }
      ]
    }

NEW QUESTION 139
A web company is looking to implement an external payment service into their highly available application deployed in a VPC. Their application EC2 instances are behind a public-facing ELB. Auto Scaling is used to add additional instances as traffic increases. Under normal load the application runs 2 instances in the Auto Scaling group, but at peak it can scale 3x in size. The application instances need to communicate with the payment service over the Internet, which requires whitelisting of all public IP addresses used to communicate with it. A maximum of 4 whitelisting IP addresses are allowed at a time and can be added through an API.
How should they architect their solution?

A. Route payment requests through two NAT instances setup for High Availability and whitelist the Elastic IP addresses attached to the NAT instances.
B. Whitelist the VPC Internet Gateway Public IP and route payment requests through the Internet Gateway.
C. Whitelist the ELB IP addresses and route payment requests from the Application servers through the ELB.
D. Automatically assign public IP addresses to the application instances in the Auto Scaling group and run a script on boot that adds each instance's public IP address to the payment validation whitelist API.

Answer: D

NEW QUESTION 143
A newspaper organization has an on-premises application which allows the public to search its back catalogue and retrieve individual newspaper pages via a website written in Java. They have scanned the old newspapers into JPEGs (approx 17TB) and used Optical Character Recognition (OCR) to populate a commercial search product. The hosting platform and software are now end of life and the organization wants to migrate its archive to AWS and produce a cost efficient architecture and still be designed for availability and durability. Which is the most appropriate?

A. Use S3 with reduced redundancy to store and serve the scanned files, install the commercial search application on EC2 instances and configure with auto-scaling and an Elastic Load Balancer.
B. Model the environment using CloudFormation, use an EC2 instance running Apache webserver and an open source search application, stripe multiple standard EBS volumes together to store the JPEGs and search index.
C. Use S3 with standard redundancy to store and serve the scanned files, use CloudSearch for query processing, and use Elastic Beanstalk to host the website across multiple availability zones.
D. Use a single-AZ RDS MySQL instance to store the search index and the JPEG images, use an EC2 instance to serve the website and translate user queries into SQL.
E. Use a CloudFront download distribution to serve the JPEGs to the end users and install the current commercial search product, along with a Java Container for the website on EC2 instances and use Route53 with DNS round-robin.

Answer: C

Explanation:


There is no such thing as "Most appropriate" without knowing all your goals. I find your scenarios very fuzzy, since you can obviously mix-n-match between them. I think you should decide by layers instead:

Load Balancer Layer: ELB or just DNS, or roll-your-own. (Using DNS+EIPs is slightly cheaper, but less reliable than ELB.)

Storage Layer for 17TB of Images: This is the perfect use case for S3. Off-load all the web requests directly to the relevant JPEGs in S3. Your EC2 boxes just generate links to them.
If your app already serves its own images (not links to images), you might start with EFS. But more than likely, you can just setup a web server to re-write or re-direct all JPEG links to S3 pretty easily.
If you use S3, don't serve directly from the bucket. Serve via a CNAME in a domain you control. That way, you can switch in CloudFront easily.
EBS will be way more expensive, and you'll need 2x the drives if you need 2 boxes. Yuck. Consider a smaller storage format. For example, JPEG200 or WebP or other tools might make for smaller images. There is also the DejaVu format from a while back.

Cache Layer: Adding CloudFront in front of S3 will help people on the other side of the world -- well, possibly. Typical archives follow a power law. The long tail of requests means that most JPEGs won't be requested enough to be in the cache. So you are only speeding up the most popular objects. You can always wait, and switch in CF later after you know your costs better. (In some cases, it can actually lower costs.)
You can also put CloudFront in front of your app, since your archive search results should be fairly static. This will also allow you to run with a smaller instance type, since CF will handle much of the load if you do it right.

Database Layer: A few options:
- Use whatever your current server does for now, and replace with something else down the road. Don't under-estimate this approach, sometimes it's better to start now and optimize later.
- Use RDS to run MySQL/Postgres.
- I'm not as familiar with ElasticSearch / CloudSearch, but obviously CloudSearch will be less maintenance+setup.

App Layer:
When creating the app layer from scratch, consider CloudFormation and/or OpsWorks. It's extra stuff to learn, but helps down the road.
Java+Tomcat is right up the alley of ElasticBeanstalk. (Basically EC2 + Autoscale + ELB.)

Preventing Abuse: When you put something in a public S3 bucket, people will hot-link it from their web pages. If you want to prevent that, your app on the EC2 box can generate signed links to S3 that expire in a few hours. Now everyone will be forced to go thru the app, and the app can apply rate limiting, etc.

Saving money:
If you don't mind having downtime:
- run everything in one AZ (both DBs and EC2s). You can always add servers and AZs down the road, as long as it's architected to be stateless. In fact, you should use multiple regions if you want it to be really robust.
- use Reduced Redundancy in S3 to save a few hundred bucks per month. (Someone will have to "go fix it" every time it breaks, including having an off-line copy to repair S3.)
Buy Reserved Instances on your EC2 boxes to make them cheaper. (Start with the RI market and buy a partially used one to get started.) It's just a coupon saying "if you run this type of box in this AZ, you will save on the per-hour costs." You can get 1/2 to 1/3 off easily.
Rewrite the application to use less memory and CPU - that way you can run on fewer/smaller boxes. (May or may not be worth the investment.)
If your app will be used very infrequently, you will save a lot of money by using Lambda. I'd be worried that it would be quite slow if you tried to run a Java application on it though...

We're missing some information like load, latency expectations from search, indexing speed, size of the search index, etc. But with what you've given us, I would go with S3 as the storage for the files (S3 rocks. It is really, really awesome). If you're stuck with the commercial search application, then on EC2 instances with autoscaling and an ELB. If you are allowed an alternative search engine, Elasticsearch is probably your best bet. I'd run it on EC2 instead of the AWS Elasticsearch service, as IMHO it's not ready yet. Don't autoscale Elasticsearch automatically though, it'll cause all sorts of issues. I have zero experience with CloudSearch so I can't comment on that. Regardless of which option, I'd use CloudFormation for all of it.

NEW QUESTION 145
You are designing a multi-platform web application for AWS. The application will run on EC2 instances and will be accessed from PCs, tablets and smart phones. Supported accessing platforms are Windows, MacOS, iOS and Android. Separate sticky session and SSL certificate setups are required for different platform types. Which of the following describes the most cost effective and performance efficient architecture setup?

A. Setup a hybrid architecture to handle session state and SSL certificates on-prem and separate EC2 instance groups running web applications for different platform types running in a VPC.
B. Set up one ELB for all platforms to distribute load among multiple instances under it. Each EC2 instance implements all functionality for a particular platform.
C. Set up two ELBs. The first ELB handles SSL certificates for all platforms and the second ELB handles session stickiness for all platforms. For each ELB run separate EC2 instance groups to handle the web application for each platform.
D. Assign multiple ELBs to an EC2 instance or group of EC2 instances running the common components of the web application, one ELB for each platform type. Session stickiness and SSL termination are done at the ELBs.

Answer: D

NEW QUESTION 149
You've been hired to enhance the overall security posture for a very large e-commerce site. They have a well architected multi-tier application running in a VPC that uses ELBs in front of both the web and the app tier, with static assets served directly from S3. They are using a combination of RDS and DynamoDB for their dynamic data and then archiving nightly into S3 for further processing with EMR.
They are concerned because they found questionable log entries and suspect someone is attempting to gain unauthorized access.
Which approach provides a cost effective scalable mitigation to this kind of attack?

A. Recommend that they lease space at a DirectConnect partner location and establish a 1G DirectConnect connection to their VPC. They would then establish Internet connectivity into their space, filter the traffic in hardware Web Application Firewall (WAF), and then pass the traffic through the DirectConnect connection into their application running in their VPC.
B. Add previously identified hostile source IPs as an explicit INBOUND DENY NACL to the web tier subnet.
C. Add a WAF tier by creating a new ELB and an AutoScaling group of EC2 instances running a host based WAF. They would redirect Route 53 to resolve to the new WAF tier ELB. The WAF tier would then pass the traffic to the current web tier. The web tier Security Groups would be updated to only allow traffic from the WAF tier Security Group.
D. Remove all but TLS 1.2 from the web tier ELB and enable Advanced Protocol Filtering. This will enable the ELB itself to perform WAF functionality.

Answer: C

NEW QUESTION 151
You are designing a connectivity solution between on-premises infrastructure and Amazon VPC. Your servers on-premises will be communicating with your VPC instances. You will be establishing IPSec tunnels over the internet. You will be using VPN gateways and terminating the IPsec tunnels on AWS supported customer gateways.
Which of the following objectives would you achieve by implementing an IPSec tunnel as outlined above? (Choose 4 answers)

A. End-to-end protection of data in transit
B. End-to-end Identity authentication
C. Data encryption across the Internet
D. Protection of data in transit over the Internet
E. Peer identity authentication between VPN gateway and customer gateway
F. Data integrity protection across the Internet

Answer: CDEF

NEW QUESTION 152
You are designing an intrusion detection prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IDS/IPS protection for traffic coming from the Internet.
Which of the following options would you consider? (Choose 2 answers)

A. Implement IDS/IPS agents on each instance running in VPC
B. Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.
C. Implement Elastic Load Balancing with SSL listeners in front of the web applications
D. Implement a reverse proxy layer in front of web servers and configure IDS/IPS agents on each reverse proxy server.

Answer: BD

NEW QUESTION 153
Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest? (Choose 3 answers)

A. Implement third party volume encryption tools
B. Do nothing as EBS volumes are encrypted by default
C. Encrypt data inside your applications before storing it on EBS
D. Encrypt data using native data encryption drivers at the file system level
E. Implement SSL/TLS for all services running on the server

Answer: ACD

NEW QUESTION 155
Your team has a tomcat-based Java application you need to deploy into development, test and production environments. After some research, you opt to use Elastic Beanstalk due to its tight integration with your developer tools and RDS due to its ease of management. Your QA team lead points out that you need to roll a sanitized set of production data into your environment on a nightly basis. Similarly, other software teams in your org want access to that same restored data via their EC2 instances in your VPC. The optimal setup for persistence and security that meets the above requirements would be the following.

A. Create your RDS instance as part of your Elastic Beanstalk definition and alter its security group to allow access to it from hosts in your application subnets.
B. Create your RDS instance separately and add its IP address to your application's DB connection strings in your code. Alter its security group to allow access to it from hosts within your VPC's IP address block.
C. Create your RDS instance separately and pass its DNS name to your app's DB connection string as an environment variable.
D. Create a security group for client machines and add it as a valid source for DB traffic to the security group of the RDS instance itself.
E. Create your RDS instance separately and pass its DNS name to your app's DB connection string as an environment variable. Alter its security group to allow access to it from hosts in your application subnets.

Answer: A

NEW QUESTION 158
Your customer is willing to consolidate their log streams (access logs, application logs, security logs, etc.) in one single system. Once consolidated, the customer wants to analyze these logs in real time based on heuristics. From time to time, the customer needs to validate heuristics, which requires going back to data samples extracted from the last 12 hours.
What is the best approach to meet your customer's requirements?

A. Send all the log events to Amazon SQS.
B. Setup an Auto Scaling group of EC2 servers to consume the logs and apply the heuristics.
C. Send all the log events to Amazon Kinesis, develop a client process to apply heuristics on the logs
D. Configure Amazon CloudTrail to receive custom logs, use EMR to apply heuristics on the logs
E. Setup an Auto Scaling group of EC2 syslogd servers, store the logs on S3, use EMR to apply heuristics on the logs

Answer: B

Explanation:
The throughput of an Amazon Kinesis stream is designed to scale without limits via increasing the number of shards within a stream. However, there are certain limits you should keep in mind while using Amazon Kinesis Streams:
- By default, records of a stream are accessible for up to 24 hours from the time they are added to the stream. You can raise this limit to up to 7 days by enabling extended data retention.
- The maximum size of a data blob (the data payload before Base64-encoding) within one record is 1 megabyte (MB).
- Each shard can support up to 1000 PUT records per second.
For more information about other API level limits, see Amazon Kinesis Streams Limits.

NEW QUESTION 161
What does Amazon S3 stand for?

A. Simple Storage Solution.
B. Storage Storage Storage (triple redundancy Storage).


C. Storage Server Solution.
D. Simple Storage Service

Answer: D

NEW QUESTION 164
If I want an instance to have a public IP address, which IP address should I use?

A. Elastic IP Address
B. Class B IP Address
C. Class A IP Address
D. Dynamic IP Address

Answer: A

NEW QUESTION 167
Every user you create in the IAM system starts with _ _

A. Partial permissions
B. Full permissions
C. No permissions

Answer: C

NEW QUESTION 172
Can you create IAM security credentials for existing users?

A. Yes, existing users can have security credentials associated with their account.
B. No, IAM requires that all users who have credentials set up are not existing users
C. No, security credentials are created within GROUPS, and then users are associated to GROUPS at a later time.
D. Yes, but only IAM credentials, not ordinary security credentials

Answer: A

NEW QUESTION 173
By default, EBS volumes that are created and attached to an instance at launch are deleted when that instance is terminated. You can modify this behavior by changing the value of the flag _ to false when you launch the instance

A. Delete On Termination
B. Remove On Deletion
C. Remove On Termination
D. Terminate On Deletion

Answer: A

NEW QUESTION 176
Will my standby RDS instance be in the same Region as my primary?

A. Only for Oracle RDS types
B. Yes
C. Only if configured at launch
D. No

Answer: B

NEW QUESTION 178
What does Amazon Elastic Beanstalk provide?

A. A scalable storage appliance on top of Amazon Web Services.
B. An application container on top of Amazon Web Services.
C. A service by this name doesn't exist.
D. A scalable cluster of EC2 instances

Answer: B

NEW QUESTION 179
Fill in the blanks: The base URI for all requests for instance metadata is _ _

A. http://254.169.169.254/latest/
B. http://169.169.254.254/latest/
C. http://127.0.0.1/latest/
D. http://169.254.169.254/latest/

Answer: D

NEW QUESTION 184
What is the maximum key length of a tag?

A. 512 Unicode characters
B. 64 Unicode characters
C. 256 Unicode characters
D. 128 Unicode characters

Answer: D

NEW QUESTION 188
Which is the default region in AWS?

A. eu-west-1
B. us-east-1
C. us-east-2
D. ap-southeast-1

Answer: B

NEW QUESTION 193
Out of the striping options available for the EBS volumes, which one has the following disadvantage: 'Doubles the amount of I/O required from the instance to EBS compared to RAID 0, because you're mirroring all writes to a pair of volumes, limiting how much you can stripe.'?

A. Raid 0
B. RAID 1+0 (RAID 10)
C. Raid 1
D. Raid

Answer: B

NEW QUESTION 195
Can Amazon S3 uploads resume on failure or do they need to restart?

A. Restart from beginning
B. You can resume them, if you flag the "resume on failure" option before uploading.
C. Resume on failure
D. Depends on the file size

Answer: C

NEW QUESTION 199
Fill in the blanks: _ let you categorize your EC2 resources in different ways, for example, by purpose, owner, or environment.

A. wildcards
B. pointers
C. Tags
D. special filters

Answer: C

NEW QUESTION 202
What is the maximum write throughput I can provision for a single DynamoDB table?

A. 1,000 write capacity units
B. 100,000 write capacity units
C. DynamoDB is designed to scale without limits, but if you go beyond 10,000 you have to contact AWS first.
D. 10,000 write capacity units

Answer: C

NEW QUESTION 206
What is Amazon Glacier?

A. You mean Amazon "Iceberg": it's a low-cost storage service.
B. A security tool that allows to "freeze" an EBS volume and perform computer forensics on it.
C. A low-cost storage service that provides secure and durable storage for data archiving and backup.
D. It's a security tool that allows to "freeze" an EC2 instance and perform computer forensics on it

Answer: C

NEW QUESTION 209
What does specifying the mapping /dev/sdc=none when launching an instance do?

A. Prevents /dev/sdc from creating the instance.


B. Prevents /dev/sdc from deleting the instance.
C. Set the value of /dev/sdc to 'zero'.
D. Prevents /dev/sdc from attaching to the instance

Answer: D

NEW QUESTION 211
A/An _ acts as a firewall that controls the traffic allowed to reach one or more instances.

A. security group
B. ACL
C. IAM
D. Private IP Addresses

Answer: A

NEW QUESTION 215
Will my standby RDS instance be in the same Availability Zone as my primary?

A. Only for Oracle RDS types
B. Yes
C. Only if configured at launch
D. No

Answer: D

NEW QUESTION 220
In the Launch Db Instance Wizard, where can I select the backup and maintenance options?

A. Under DB INSTANCE DETAILS
B. Under REVIEW
C. Under MANAGEMENT OPTIONS
D. Under ENGINE SELECTION

Answer: C

NEW QUESTION 222
SQL Server _ store logins and passwords in the master database.

A. can be configured to but by default does not
B. doesn't
C. does

Answer: C

NEW QUESTION 225
Does Amazon RDS allow direct host access via Telnet, Secure Shell (SSH), or Windows Remote Desktop Connection?

A. Yes
B. No
C. Depends on if it is in VPC or not

Answer: B

NEW QUESTION 227
What happens to the I/O operations while you take a database snapshot?

A. I/O operations to the database are suspended for a few minutes while the backup is in progress.
B. I/O operations to the database are sent to a Replica (if available) for a few minutes while the backup is in progress.
C. I/O operations will be functioning normally
D. I/O operations to the database are suspended for an hour while the backup is in progress

Answer: A

NEW QUESTION 231
When running my DB Instance as a Multi-AZ deployment, can I use the standby for read or write operations?

A. Yes
B. Only with MSSQL based RDS
C. Only for Oracle RDS instances
D. No

Answer: D

NEW QUESTION 234
When should I choose Provisioned IOPS over Standard RDS storage?

A. If you have batch-oriented workloads
B. If you use production online transaction processing (OLTP) workloads.
C. If you have workloads that are not sensitive to consistent performance

Answer: A

NEW QUESTION 237
Which service enables AWS customers to manage users and permissions in AWS?

A. AWS Access Control Service (ACS)
B. AWS Identity and Access Management (IAM)
C. AWS Identity Manager (AIM)

Answer: B

NEW QUESTION 239
Can I use Provisioned IOPS with VPC?

A. Only Oracle based RDS
B. No
C. Only with MSSQL based RDS
D. Yes for all RDS instances

Answer: D

NEW QUESTION 242
Can I encrypt connections between my application and my DB Instance using SSL?

A. No
B. Yes
C. Only in VPC
D. Only in certain regions

Answer: B

NEW QUESTION 246
What are the four levels of AWS Premium Support?

A. Basic, Developer, Business, Enterprise
B. Basic, Startup, Business, Enterprise
C. Free, Bronze, Silver, Gold
D. All support is free

Answer: A

NEW QUESTION 247
What can I access by visiting the URL: http://status.aws.amazon.com/?

A. Amazon CloudWatch
B. Status of the Amazon RDS DB
C. AWS Service Health Dashboard
D. AWS Cloud Monitor

Answer: C

NEW QUESTION 252
Please select the Amazon EC2 resource which cannot be tagged.

A. images (AMIs, kernels, RAM disks)
B. Amazon EBS volumes
C. Elastic IP addresses
D. VPCs

Answer: C

NEW QUESTION 253
Can the string value of 'Key' be prefixed with "aws:"?

A. Only in GovCloud
B. Only for S3 not EC2
C. Yes
D. No


Answer: D

NEW QUESTION 255
What is the type of monitoring data (for Amazon EBS volumes) which is available automatically in 5-minute periods at no charge called?

A. Basic
B. Primary
C. Detailed
D. Local

Answer: A

NEW QUESTION 257
What happens when you create a topic on Amazon SNS?

A. The topic is created, and it has the name you specified for it.
B. An ARN (Amazon Resource Name) is created.
C. You can create a topic on Amazon SQS, not on Amazon SNS.
D. This QUESTION doesn't make sense

Answer: B

NEW QUESTION 258
When automatic failover occurs, Amazon RDS will emit a DB Instance event to inform you that automatic failover occurred. You can use the to return information about events related to your DB Instance

A. FetchFailure
B. DescriveFailure
C. DescribeEvents
D. FetchEvents

Answer: C

NEW QUESTION 260
Do the Amazon EBS volumes persist independently from the running life of an Amazon EC2 instance?

A. Only if instructed to when created
B. Yes
C. No

Answer: B

NEW QUESTION 261
Select the correct set of options. These are the initial settings for the default security group:

A. Allow no inbound traffic, Allow all outbound traffic and Allow instances associated with this security group to talk to each other
B. Allow all inbound traffic, Allow no outbound traffic and Allow instances associated with this security group to talk to each other
C. Allow no inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other
D. Allow all inbound traffic, Allow all outbound traffic and Does NOT allow instances associated with this security group to talk to each other

Answer: A

NEW QUESTION 263
Can I initiate a "forced failover" for my MySQL Multi-AZ DB Instance deployment?

A. Only in certain regions
B. Only in VPC
C. Yes
D. No

Answer: A

NEW QUESTION 265
Is the encryption of connections between my application and my DB Instance using SSL for the MySQL server engines available?

A. Yes
B. Only in VPC
C. Only in certain regions
D. No

Answer: A

NEW QUESTION 270
Which AWS instance address has the following characteristics? "If you stop an instance, its Elastic IP address is unmapped, and you must remap it when you restart the instance."

A. Both A and B
B. None of these
C. VPC Addresses
D. EC2 Addresses

Answer: A

NEW QUESTION 273
Is it possible to access your EBS snapshots?

A. Yes, through the Amazon S3 APIs.
B. Yes, through the Amazon EC2 APIs.
C. No, EBS snapshots cannot be accessed; they can only be used to create a new EBS volume.
D. EBS doesn't provide snapshots

Answer: B

NEW QUESTION 274
Does Amazon RDS for SQL Server currently support importing data into the msdb database?

A. No
B. Yes

Answer: A

NEW QUESTION 276
Which Amazon storage do you think is the best for my database-style applications that frequently encounter many random reads and writes across the dataset?

A. None of these.
B. Amazon Instance Storage
C. Any of these
D. Amazon EBS

Answer: D

NEW QUESTION 278
Is decreasing the storage size of a DB Instance permitted?

A. Depends on the RDMS used
B. Yes
C. No

Answer: B

NEW QUESTION 281
In the 'Detailed' monitoring data available for your Amazon EBS volumes, Provisioned IOPS volumes automatically send _ minute metrics to Amazon CloudWatch.

A. 5
B. 2
C. 1
D. 3

Answer: C

NEW QUESTION 282
It is advised that you watch the Amazon CloudWatch " _ " metric (available via the AWS Management Console or Amazon CloudWatch APIs) carefully and recreate the Read Replica should it fall behind due to replication errors.

A. Write Lag
B. Read Replica
C. Replica Lag
D. Single Replica

Answer: C

NEW QUESTION 287
Can the string value of 'Key' be prefixed with 'aws'?

A. No
B. Only for EC2 not S3
C. Yes
D. Only for S3 not EC2


Answer: A

NEW QUESTION 292
What is the maximum response time for a Business level Premium Support case?

A. 30 minutes
B. You always get instant responses (within a few seconds).
C. 10 minutes
D. 1 hour

Answer: D

NEW QUESTION 297
Location of Instances are -----

A. Regional
B. based on Availability Zone
C. Global

Answer: B

NEW QUESTION 298
Is there any way to own a direct connection to Amazon Web Services?

A. You can create an encrypted tunnel to VPC, but you don't own the connection.
B. Yes, it's called Amazon Dedicated Connection.
C. No, AWS only allows access from the public Internet.
D. Yes, it's called Direct Connect

Answer: D

NEW QUESTION 303
Can I detach the primary (eth0) network interface when the instance is running or stopped?

A. Yes, You can.
B. No
C. You cannot
D. Depends on the state of the interface at the time

Answer: B

NEW QUESTION 308
REST or Query requests are HTTP or HTTPS requests that use an HTTP verb (such as GET or POST) and a parameter named Action or Operation that specifies the API you are calling.

A. FALSE
B. TRUE

Answer: A

NEW QUESTION 313
Does AWS Direct Connect allow you access to all Availability Zones within a Region?

A. Depends on the type of connection
B. No
C. Yes
D. Only when there's just one availability zone in a region
E. If there are more than one, only one availability zone can be accessed directly.

Answer: A

NEW QUESTION 318
What does Amazon EBS stand for?

A. Elastic Block Storage
B. Elastic Business Server
C. Elastic Blade Server
D. Elastic Block Store

Answer: D

NEW QUESTION 322
To help you manage your Amazon EC2 instances, images, and other Amazon EC2 resources, you can assign your own metadata to each resource in the form of __

A. special filters
B. functions
C. tags
D. wildcards

Answer: C

NEW QUESTION 325
Is there a limit to the number of groups you can have?

A. Yes for all users
B. Yes for all users except root
C. No
D. Yes unless special permission granted

Answer: A

NEW QUESTION 328
Can I initiate a "forced failover" for my Oracle Multi-AZ DB Instance deployment?

A. Yes
B. Only in certain regions
C. Only in VPC
D. No

Answer: A

NEW QUESTION 332
In the Amazon RDS Oracle DB engine, the Database Diagnostic Pack and the Database Tuning Pack are only available with _ _

A. Oracle Standard Edition
B. Oracle Express Edition
C. Oracle Enterprise Edition
D. None of these

Answer: C

NEW QUESTION 333
Without _, you must either create multiple AWS accounts-each with its own billing and subscriptions to AWS products-or your employees must share the security credentials of a single AWS account.

A. Amazon RDS
B. Amazon Glacier
C. Amazon EMR
D. Amazon IAM

Answer: D

NEW QUESTION 336
Amazon RDS supports SOAP only through _ _

A. HTTP or HTTPS
B. TCP/IP
C. HTTP
D. HTTPS

Answer: D

NEW QUESTION 341
The Amazon EC2 web service can be accessed using the _ web services messaging protocol. This interface is described by a Web Services Description Language (WSDL) document.

A. SOAP
B. DCOM
C. CORBA
D. XML-RPC

Answer: A

NEW QUESTION 343
What happens to the I/O operations while you take a database snapshot?

A. I/O operations to the database are suspended for an hour while the backup is in progress.
B. I/O operations to the database are sent to a Replica (if available) for a few minutes while the backup is in progress.
C. I/O operations will be functioning normally


D. I/O operations to the database are suspended for a few minutes while the backup is in progress

Answer: D

NEW QUESTION 344
What is the name of licensing model in which I can use your existing Oracle Database licenses to run Oracle deployments on Amazon RDS?

A. Bring Your Own License
B. Role Bases License
C. Enterprise License
D. License Included

Answer: A

NEW QUESTION 348
When you resize the Amazon RDS DB instance, Amazon RDS will perform the upgrade during the next maintenance window. If you want the upgrade to be performed now, rather than waiting for the maintenance window, specify the _ option.

A. Apply Now
B. Apply Soon
C. Apply This
D. Apply Immediately

Answer: D

NEW QUESTION 349
Does Amazon Route 53 support NS Records?

A. Yes, it supports Name Service records.
B. No
C. It supports only MX records.
D. Yes, it supports Name Server records

Answer: D

NEW QUESTION 350
When using consolidated billing there are two account types. What are they?

A. Paying account and Linked account
B. Parent account and Child account
C. Main account and Sub account.
D. Main account and Secondary account

Answer: A

NEW QUESTION 354
A Provisioned IOPS volume must be at least _ GB in size

A. 1
B. 50
C. 20
D. 10

Answer: D

NEW QUESTION 356
How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another?

A. Detach the volume and attach it to another EC2 instance in the other AZ.
B. Simply create a new volume in the other AZ and specify the original volume as the source.
C. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ.
D. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ

Answer: C

NEW QUESTION 360
Which of the following features ensures even distribution of traffic to Amazon EC2 instances in multiple Availability Zones registered with a load balancer?

A. Elastic Load Balancing request routing
B. An Amazon Route 53 weighted routing policy
C. Elastic Load Balancing cross-zone load balancing
D. An Amazon Route 53 latency routing policy

Answer: A

Explanation:
Reference: http://aws.amazon.com/elasticloadbalancing/

NEW QUESTION 364
After launching an instance that you intend to serve as a NAT (Network Address Translation) device in a public subnet you modify your route tables to have the NAT device be the target of internet bound traffic of your private subnet. When you try and make an outbound connection to the internet from an instance in the private subnet, you are not successful. Which of the following steps could resolve the issue?

A. Disabling the Source/Destination Check attribute on the NAT instance
B. Attaching an Elastic IP address to the instance in the private subnet
C. Attaching a second Elastic Network Interface (ENI) to the NAT instance, and placing it in the private subnet
D. Attaching a second Elastic Network Interface (ENI) to the instance in the private subnet, and placing it in the public subnet

Answer: A

Explanation:
Reference: http://docs.aws.amazon.com/workspaces/latest/adminguide/gsg_create_vpc.html

NEW QUESTION 369
You have decided to change the instance type for instances running in your application tier that is using Auto Scaling. In which area below would you change the instance type definition?

A. Auto Scaling policy
B. Auto Scaling group
C. Auto Scaling tags
D. Auto Scaling launch configuration

Answer: D

NEW QUESTION 374
How can the domain's zone apex, for example, "myzoneapexdomain.com", be pointed towards an Elastic Load Balancer?

A. By using an Amazon Route 53 Alias record
B. By using an AAAA record
C. By using an Amazon Route 53 CNAME record
D. By using an A record

Answer: A

NEW QUESTION 376
A company has a workflow that sends video files from their on-premise system to AWS for transcoding. They use EC2 worker instances that pull transcoding jobs from SQS. Why is SQS an appropriate service for this scenario?

A. SQS guarantees the order of the messages.
B. SQS synchronously provides transcoding output.
C. SQS checks the health of the worker instances.
D. SQS helps to facilitate horizontal scaling of encoding tasks

Answer: D

NEW QUESTION 381
What are characteristics of Amazon S3? Choose 2 answers

A. S3 allows you to store objects of virtually unlimited size.
B. S3 offers Provisioned IOPS.
C. S3 allows you to store unlimited amounts of data.
D. S3 should be used to host a relational database.
E. Objects are directly accessible via a URL

Answer: CE

Explanation:
Reference: http://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-contentrestricting-access-to-s3.html

NEW QUESTION 384
After creating a new IAM user which of the following must be done before they can successfully make API calls?

A. Add a password to the user.
B. Enable Multi-Factor Authentication for the user.
C. Assign a Password Policy to the user.
D. Create a set of Access Keys for the user

Answer: D


Explanation:
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_SettingUpUser.html

NEW QUESTION 389
You run an ad-supported photo sharing website using S3 to serve photos to visitors of your site. At some point you find out that other sites have been linking to the photos on your site, causing loss to your business. What is an effective method to mitigate this?

A. Remove public read access and use signed URLs with expiry dates.
B. Use CloudFront distributions for static content.
C. Block the IPs of the offending websites in Security Groups.
D. Store photos on an EBS volume of the web server

Answer: A

NEW QUESTION 393
Which of the following are true regarding AWS CloudTrail? Choose 3 answers

A. CloudTrail is enabled globally
B. CloudTrail is enabled by default
C. CloudTrail is enabled on a per-region basis
D. CloudTrail is enabled on a per-service basis.
E. Logs can be delivered to a single Amazon S3 bucket for aggregation.
F. CloudTrail is enabled for all available services within a region.
G. Logs can only be processed and delivered to the region in which they are generated

Answer: CDE

Explanation:
Reference: http://aws.amazon.com/cloudtrail/faqs/

NEW QUESTION 394
Which set of Amazon S3 features helps to prevent and recover from accidental data loss?

A. Object lifecycle and service access logging
B. Object versioning and Multi-factor authentication
C. Access controls and server-side encryption
D. Website hosting and Amazon S3 policies

Answer: B

Explanation:
Reference: http://media.amazonwebservices.com/AWS_Security_Best_Practices.pdf

NEW QUESTION 396
A company needs to monitor the read and write IOPs metrics for their AWS MySQL RDS instance and send real-time alerts to their operations team. Which AWS services can accomplish this? Choose 2 answers

A. Amazon Simple Email Service
B. Amazon CloudWatch
C. Amazon Simple Queue Service
D. Amazon Route 53
E. Amazon Simple Notification Service

Answer: BE

NEW QUESTION 398
You are deploying an application to track GPS coordinates of delivery trucks in the United States. Coordinates are transmitted from each delivery truck once every three seconds. You need to design an architecture that will enable real-time processing of these coordinates from multiple consumers. Which service should you use to implement data ingestion?

A. Amazon Kinesis
B. AWS Data Pipeline
C. Amazon AppStream
D. Amazon Simple Queue Service

Answer: A

NEW QUESTION 401
A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?

A. SAML-based Identity Federation
B. Cross-Account Access
C. AWS Identity and Access Management roles
D. Web Identity Federation

Answer: D

NEW QUESTION 402
A company is deploying a two-tier, highly available web application to AWS. Which service provides durable storage for static content while utilizing lower overall CPU resources for the web tier?

A. Amazon EBS volume
B. Amazon S3
C. Amazon EC2 instance store
D. Amazon RDS instance

Answer: B

NEW QUESTION 405
You need to pass a custom script to new Amazon Linux instances created in your Auto Scaling group. Which feature allows you to accomplish this?

A. User data
B. EC2Config service
C. IAM roles
D. AWS Config

Answer: B

NEW QUESTION 408
A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?

A. Enable Multi-Factor Authentication for your AWS root account.
B. Assign an IAM role to the Amazon EC2 instance.
C. Store the AWS Access Key ID/Secret Access Key combination in software comments.
D. Assign an IAM user to the Amazon EC2 Instance

Answer: A

Explanation:
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html

NEW QUESTION 411
Which of the following are true regarding encrypted Amazon Elastic Block Store (EBS) volumes? Choose 2 answers

A. Supported on all Amazon EBS volume types
B. Snapshots are automatically encrypted
C. Available to all instance types
D. Existing volumes can be encrypted
E. shared volumes can be encrypted

Answer: AB

Explanation:
Reference: http://docs.aws.amazon.com/kms/latest/developerguide/services-ebs.html

NEW QUESTION 414
A company is deploying a new two-tier web application in AWS. The company has limited staff and requires high availability, and the application requires complex queries and table joins. Which configuration provides the solution for the company's requirements?

A. MySQL Installed on two Amazon EC2 Instances in a single Availability Zone
B. Amazon RDS for MySQL with Multi-AZ
C. Amazon ElastiCache
D. Amazon DynamoDB

Answer: D

Explanation:
Reference: http://www.allthingsdistributed.com/2013/03/dynamodb-one-year-later.html

NEW QUESTION 415
A t2.medium EC2 instance type must be launched with what type of Amazon Machine Image (AMI)?

A. An Instance store Hardware Virtual Machine AMI
B. An Instance store Paravirtual AMI
C. An Amazon EBS-backed Hardware Virtual Machine AMI
D. An Amazon EBS-backed Paravirtual AMI

Answer: A

Explanation:


Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-instance-resize.html

NEW QUESTION 417


An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the
following approaches would protect the sensitive data on an Amazon EBS volume?

A. Upload your customer keys to AWS CloudHSM.
B. Associate the Amazon EBS volume with AWS CloudHSM.
C. Re-mount the Amazon EBS volume.
D. Create and mount a new, encrypted Amazon EBS volume.
E. Move the data to the new volume.
F. Delete the old Amazon EBS volume.
G. Unmount the EBS volume.
H. Toggle the encryption attribute to True.
I. Re-mount the Amazon EBS volume.
J. Snapshot the current Amazon EBS volume.
K. Restore the snapshot to a new, encrypted Amazon EBS volume.

Answer: D

NEW QUESTION 420


A customer implemented AWS Storage Gateway with a gateway-cached volume at their main office.
An event takes the link between the main and branch office offline. Which methods will enable the branch office to access their data? Choose 3 answers

A. Use a HTTPS GET to the Amazon S3 bucket where the files are located.
B. Restore by implementing a lifecycle policy on the Amazon S3 bucket.
C. Make an Amazon Glacier Restore API call to load the files into another Amazon S3 bucket within four to six hours.
D. Launch a new AWS Storage Gateway instance AMI in Amazon EC2, and restore from a gateway snapshot
E. Create an Amazon EBS volume from a gateway snapshot, and mount it to an Amazon EC2 instance.
F. Launch an AWS Storage Gateway virtual iSCSI device at the branch office, and restore from a gateway snapshot

Answer: ADF

NEW QUESTION 423


......
