Simulado CLF C02

Amazon.Premium.AWS Certified Cloud Practitioner (CLF-C02).
475q
Number: CLF-C02
Passing Score: 800.0
Time Limit: 120.0
File Version: 2.5
Exam Code: CLF-C02
Exam Name: AWS Certified Cloud Practitioner
Website: www.VCEplus.io
IT Certification Exams - Questions & Answers | VCEplus.io

Exam A
QUESTION 1
According to the AWS shared responsibility model, which of the following are AWS responsibilities?
(Select TWO.)
A. Network infrastructure and virtualization of infrastructure

B. Security of application data
C. Guest operating systems
D. Physical security of hardware
E. Credentials and policies
Correct Answer: A, D
Section:
Explanation:
The correct answers are A and D because network infrastructure and virtualization of infrastructure and physical security of hardware are AWS responsibilities according to the AWS shared responsibility model. The
AWS shared responsibility model is a framework that defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which
includes the global infrastructure, such as the regions, availability zones, and edge locations; the hardware, software, networking, and facilities that run the AWS services; and the virtualization layer that separates
the customer instances and storage. The customer is responsible for the security in the cloud, which includes the customer data, the guest operating systems, the applications, the identity and access management,
the firewall configuration, and the encryption. The other options are incorrect because they are not AWS responsibilities according to the AWS shared responsibility model. Security of application data, guest
QUESTION 2
www.VCEplus.io
operating systems, and credentials and policies are customer responsibilities according to the AWS shared responsibility model. Reference: [AWS Shared Responsibility Model]
Which options does AWS make available for customers who want to learn about security in the cloud in an instructor-led setting? (Select TWO.)
A. AWS Trusted Advisor

B. AWS Online Tech Talks
C. AWS Blog
D. AWS Forums
E. AWS Classroom Training
Correct Answer: B, E
Section:
Explanation:
The correct answers are B and E because AWS Online Tech Talks and AWS Classroom Training are options that AWS makes available for customers who want to learn about security in the cloud in an instructor-led
setting. AWS Online Tech Talks are live, online presentations that cover a broad range of topics at varying technical levels. AWS Online Tech Talks are delivered by AWS experts and feature live Q&A sessions with the
audience. AWS Classroom Training are in-person or virtual courses that are led by accredited AWS instructors. AWS Classroom Training offer hands-on labs, exercises, and best practices to help customers gain
confidence and skills on AWS. The other options are incorrect because they are not options that AWS makes available for customers who want to learn about security in the cloud in an instructor-led setting. AWS
Trusted Advisor is an AWS service that provides real-time guidance to help customers follow AWS best practices for security, performance, cost optimization, and fault tolerance. AWS Blog is an AWS resource that
provides news, announcements, and insights from AWS experts and customers. AWS Forums are AWS resources that enable customers to interact with other AWS users and get feedback and support. Reference:
AWS Online Tech Talks, AWS Classroom Training
QUESTION 3

A company is using a third-party service to back up 10 TB of data to a tape library. The on-premises backup server is running out of space. The company wants to use AWS services for the backups without changing
its existing backup workflows.
Which AWS service should the company use to meet these requirements?
A. Amazon Elastic Block Store (Amazon EBS)

B. AWS Storage Gateway
C. Amazon Elastic Container Service (Amazon ECS)
D. AWS Lambda
Correct Answer: B
Section:
Explanation:
The correct answer is B because AWS Storage Gateway is a service that should be used by the company to meet the requirements. AWS Storage Gateway is a service that connects on-premises software
applications with cloud-based storage. AWS Storage Gateway supports three types of gateways: file gateway, volume gateway, and tape gateway. The tape gateway type enables users to back up and archive data to
virtual tapes in AWS without changing their existing backup workflows.
Users can use their existing backup applications and tape libraries to store data on virtual tapes in Amazon S3 or Amazon S3 Glacier. The other options are incorrect because they are not services that should be
used by the company to meet the requirements. Amazon Elastic Block Store (Amazon EBS) is a service that provides block-level storage volumes for Amazon EC2 instances. Amazon Elastic Container Service
(Amazon ECS) is a service that enables users to run, scale, and secure containerized applications on AWS. AWS Lambda is a service that enables users to run code without provisioning or managing servers.
Reference: AWS Storage Gateway FAQs
QUESTION 4
Which AWS Support plan provides customers with access to an AWS technical account manager (TAM)?
A.
B.
C.
AWS Basic Support
AWS Developer Support
AWS Business Support
www.VCEplus.io
D. AWS Enterprise Support
Correct Answer: D
Section:
Explanation:
The correct answer is D because AWS Enterprise Support is the support plan that provides customers with access to an AWS technical account manager (TAM). AWS Enterprise Support is the highest level of
support plan offered by AWS, and it provides customers with the most comprehensive and personalized support experience. An AWS TAM is a dedicated technical resource who works closely with customers to
understand their business and technical needs, provide proactive guidance, and coordinate support across AWS teams. The other options are incorrect because they are not support plans that provide customers
with access to an AWS TAM. AWS Basic Support is the default and free support plan that provides customers with access to online documentation, forums, and account information. AWS Developer Support is the
lowest level of paid support plan that provides customers with access to technical support during business hours, general guidance, and best practice recommendations. AWS Business Support is the intermediate
level of paid support plan that provides customers with access to technical support 24/7, system health checks, architectural guidance, and case management. Reference: AWS Support Plans
QUESTION 5
A company is designing a web application that will run on Amazon EC2 instances.
Which AWS services and features will improve availability and reduce the impact of failures for this application?
(Select TWO.)
A. Amazon EC2 Auto Scaling for the EC2 instances

B. VPC subnet ACLs to check the health of a service
C. Resources that are distributed across multiple Availability Zones

D. Configuration of AWS Server Migration Service (AWS SMS) to move the EC2 instances to a different AWS Region
E. Resources that are distributed across multiple AWS points of presence
Correct Answer: A, C
Section:
Explanation:
The correct answers are A and C because Amazon EC2 Auto Scaling and resources that are distributed across multiple Availability Zones are AWS services and features that will improve availability and reduce the
impact of failures for the web application. Amazon EC2 Auto Scaling is a service that enables users to automatically adjust the number of Amazon EC2 instances in response to changes in demand or performance.
Amazon EC2 Auto Scaling helps users to maintain optimal availability and performance of their applications by adding or removing instances as needed.
Resources that are distributed across multiple Availability Zones are AWS features that enable users to increase the fault tolerance and resilience of their applications. Availability Zones are isolated locations within
an AWS Region that have independent power, cooling, and networking. Users can launch their resources, such as Amazon EC2 instances, in multiple Availability Zones to protect their applications from the failure of
a single location. The other options are incorrect because they are not AWS services and features that will improve availability and reduce the impact of failures for the web application. VPC subnet ACLs are AWS
features that enable users to control the inbound and outbound traffic to and from their subnets within a VPC. VPC subnet ACLs do not check the health of a service, but rather filter the network traffic based on
rules. Configuration of AWS Server Migration Service (AWS SMS) is an AWS service that enables users to migrate their on-premises servers to AWS.
Configuration of AWS SMS does not help to move the Amazon EC2 instances to a different AWS Region, but rather to migrate the servers from the source environment to AWS. Resources that are distributed across
multiple AWS points of presence are AWS features that enable users to deliver content to their end users with low latency and high performance. AWS points of presence are edge locations that are part of the AWS
Global Infrastructure. Users can use services such as Amazon CloudFront and AWS Global Accelerator to distribute their content across multiple AWS points of presence. Reference: Amazon EC2 Auto Scaling,
[Regions, Availability Zones, and Local Zones]
QUESTION 6
An Availability Zone consists of:
A. one or more data centers in a single location.

B.
C.
D.
two or more data centers in multiple locations.
one or more physical hosts in a single data center.
two or more physical hosts in multiple data centers.
www.VCEplus.io
Correct Answer: A
Section:
Explanation:
The correct answer is A because an Availability Zone consists of one or more data centers in a single location. An Availability Zone is an isolated location within an AWS Region that has independent power, cooling,
and networking. Each Availability Zone has one or more data centers that host the physical servers and storage devices that run the AWS services. The other options are incorrect because they are not accurate
descriptions of an Availability Zone. Two or more data centers in multiple locations are not an Availability Zone, but rather multiple Availability Zones within an AWS Region. One or more physical hosts in a single
data center are not an Availability Zone, but rather the components of a data center within an Availability Zone. Two or more physical hosts in multiple data centers are not an Availability Zone, but rather the
components of multiple data centers within one or more Availability Zones. Reference: [Regions, Availability Zones, and Local Zones]
QUESTION 7
A company wants to ensure that two Amazon EC2 instances are in separate data centers with minimal communication latency between the data centers.
How can the company meet this requirement?
A. Place the EC2 instances in two separate AWS Regions connected with a VPC peering connection.
B. Place the EC2 instances in two separate Availability Zones within the same AWS Region.
C. Place one EC2 instance on premises and the other in an AWS Region. Then connect them by using an AWS VPN connection.
D. Place both EC2 instances in a placement group for dedicated bandwidth.
Correct Answer: B
Section:

Explanation:
The correct answer is B because placing the EC2 instances in two separate Availability Zones within the same AWS Region is the best way to meet the requirement. Availability Zones are isolated locations within an
AWS Region that have independent power, cooling, and networking. Users can launch their resources, such as Amazon EC2 instances, in multiple Availability Zones to increase the fault tolerance and resilience of
their applications. Availability Zones within the same AWS Region are connected with low-latency, high-throughput, and highly redundant networking. The other options are incorrect because they are not the best
ways to meet the requirement. Placing the EC2 instances in two separate AWS Regions connected with a VPC peering connection is not the best way to meet the requirement because AWS Regions are
geographically dispersed and may have higher communication latency between them than Availability Zones within the same AWS Region. VPC peering connection is a networking connection between two VPCs
that enables users to route traffic between them using private IP addresses. Placing one EC2 instance on premises and the other in an AWS Region, and then connecting them by using an AWS VPN connection is
not the best way to meet the requirement because on-premises and AWS Region are geographically dispersed and may have higher communication latency between them than Availability Zones within the same
AWS Region.
AWS VPN connection is a secure and encrypted connection between a user's network and their VPC.
Placing both EC2 instances in a placement group for dedicated bandwidth is not the best way to meet the requirement because a placement group is a logical grouping of instances within a single Availability Zone
that enables users to launch instances with specific performance characteristics. A placement group does not ensure that the instances are in separate data centers, and it does not provide low-latency
communication between instances in different Availability Zones. Reference:
[Regions, Availability Zones, and Local Zones], [VPC Peering], [AWS VPN], [Placement Groups]
QUESTION 8
A company wants to host its relational databases on AWS. The databases have predefined schemas that the company needs to replicate on AWS.
Which AWS services could the company use for the databases? (Select TWO.)
A. Amazon Aurora
B. Amazon RDS
C. Amazon DocumentDB (with MongoDB compatibility)
D. Amazon Neptune
E. Amazon DynamoDB
Correct Answer: A, B
Section:
www.VCEplus.io
Explanation:
: The correct answers are A and B because Amazon Aurora and Amazon RDS are AWS services that the company could use for the relational databases. Amazon Aurora is a relational database that is compatible
with MySQL and PostgreSQL. Amazon Aurora is a fully managed, scalable, and highperformance service that offers up to five times the throughput of standard MySQL and up to three times the throughput of
standard PostgreSQL. Amazon RDS is a service that enables users to set up, operate, and scale relational databases in the cloud. Amazon RDS supports six popular database engines: MySQL, PostgreSQL, Oracle, SQL
Server, MariaDB, and Amazon Aurora. The other options are incorrect because they are not AWS services that the company could use for the relational databases. Amazon DocumentDB (with MongoDB
compatibility) is a document database that is compatible with MongoDB. Amazon Neptune is a graph database that supports property graph and RDF models. Amazon DynamoDB is a key-value and document
database. Reference: Amazon Aurora, Amazon RDS
QUESTION 9
Which of the following are benefits that a company receives when it moves an on-premises production workload to AWS? (Select TWO.)
A. AWS trains the company's staff on the use of all the AWS services.
B. AWS manages all security in the cloud.
C. AWS offers free support from technical account managers (TAMs).
D. AWS offers high availability.
E. AWS provides economies of scale.
Correct Answer: D, E
Section:

Explanation:
The correct answers are D and E because AWS offers high availability and AWS provides economies of scale are benefits that a company receives when it moves an on-premises production workload to AWS. High
availability means that AWS has a global infrastructure that allows customers to deploy their applications and data across multiple regions and availability zones. This increases the fault tolerance and resilience of
their applications and reduces the impact of failures. Economies of scale means that AWS can achieve lower variable costs than customers can get on their own. This allows customers to pay only for the resources
they use and scale up or down as needed. The other options are incorrect because they are not benefits that a company receives when it moves an on-premises production workload to AWS. AWS trains the
company's staff on the use of all the AWS services is not a benefit that a company receives when it moves an on-premises production workload to AWS. AWS does provide various learning resources and training
courses for customers, but it does not train the company's staff on the use of all the AWS services. AWS manages all security in the cloud is not a benefit that a company receives when it moves an on-premises
production workload to AWS. AWS is responsible for the security of the cloud, but the customer is responsible for the security in the cloud. AWS offers free support from technical account managers (TAMs) is not a
benefit that a company receives when it moves an on-premises production workload to AWS. AWS does offer support from TAMs, but only for customers who have the AWS Enterprise Support plan, which is not
free.
Reference: What is Cloud Computing?, [AWS Shared Responsibility Model], [AWS Support Plans]
QUESTION 10
A company needs a content delivery network that provides secure delivery of data, videos, applications, and APIs to users globally with low latency and high transfer speeds.
Which AWS service meets these requirements?
A. Amazon CloudFront
B. Elastic Load Balancing
C. Amazon S3
D. Amazon Elastic Transcoder
Correct Answer: A
Section:
Explanation:
www.VCEplus.io
The correct answer is A because Amazon CloudFront is an AWS service that provides secure delivery of data, videos, applications, and APIs to users globally with low latency and high transfer speeds.
Amazon CloudFront is a fast content delivery network (CDN) that integrates with other AWS services, such as Amazon S3, Amazon EC2, AWS Lambda, and AWS Shield. Amazon CloudFront delivers content through a
worldwide network of edge locations that are located close to the end users. The other options are incorrect because they are not AWS services that provide secure delivery of data, videos, applications, and APIs
to users globally with low latency and high transfer speeds. Elastic Load Balancing is an AWS service that distributes incoming traffic across multiple targets, such as Amazon EC2 instances, containers, and IP
addresses. Amazon S3 is an AWS service that provides object storage for data of any size and type. Amazon Elastic Transcoder is an AWS service that converts media files from their original source format into
different formats that will play on various devices. Reference: Amazon CloudFront FAQs
QUESTION 11
An application is running on multiple Amazon EC2 instances. The company wants to make the application highly available by configuring a load balancer with requests forwarded to the EC2 instances based on URL
paths.
Which AWS load balancer will meet these requirements and take the LEAST amount of effort to deploy?
A. Network Load Balancer

B. Application Load Balancer
C. AWS OpsWorks Load Balancer
D. Custom Load Balancer on Amazon EC2
Correct Answer: B
Section:
Explanation:
The correct answer is B because Application Load Balancer is an AWS load balancer that will meet the requirements and take the least amount of effort to deploy. Application Load Balancer is a type of Elastic Load
Balancing that operates at the application layer (layer 7) of the OSI model and routes requests to targets based on the content of the request. Application Load Balancer supports advanced features, such as path-
based routing, host-based routing, and HTTP header-based routing.

The other options are incorrect because they are not AWS load balancers that will meet the requirements and take the least amount of effort to deploy. Network Load Balancer is a type of Elastic Load Balancing
that operates at the transport layer (layer 4) of the OSI model and routes requests to targets based on the destination IP address and port. Network Load Balancer does not support path-based routing. AWS
OpsWorks Load Balancer is not an AWS load balancer, but rather a feature of AWS OpsWorks that enables users to attach an Elastic Load Balancing load balancer to a layer of their stack. Custom Load Balancer on
Amazon EC2 is not an AWS load balancer, but rather a user-defined load balancer that runs on an Amazon EC2 instance. Custom Load Balancer on Amazon EC2 requires more effort to deploy and maintain than an
AWS load balancer. Reference: Elastic Load Balancing
QUESTION 12
A large company has a workload that requires hardware to remain on premises. The company wants to use the same management and control plane services that it currently uses on AWS.
A. AWS Device Farm

B. AWS Fargate
C. AWS Outposts
D. AWS Ground Station
Correct Answer: C
Section:
Explanation:
The correct answer is C because AWS Outposts is an AWS service that enables the company to meet the requirements. AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and
tools to virtually any datacenter, co-location space, or on-premises facility. AWS Outposts allows customers to run their workloads on the same hardware and software that AWS uses in its cloud, while maintaining
local access and control. The other options are incorrect because they are not AWS services that enable the company to meet the requirements. AWS Device Farm is an AWS service that enables customers to test
their mobile and web applications on real devices in the AWS Cloud. AWS Fargate is an AWS service that enables customers to run containers without having to manage servers or clusters. AWS Ground Station is an
AWS service that enables customers to communicate with satellites and downlink data from orbit. Reference: AWS Outposts FAQs
QUESTION 13
www.VCEplus.io
A company needs to use dashboards and charts to analyze insights from business data.
Which AWS service will provide the dashboards and charts for these insights?
A. Amazon Macie
B. Amazon Aurora
C. Amazon QuickSight
D. AWS CloudTrail
Correct Answer: C
Section:
Explanation:
The correct answer is C because Amazon QuickSight is an AWS service that will provide the dashboards and charts for the insights from business data. Amazon QuickSight is a fully managed, scalable, and serverless
business intelligence service that enables users to create and share interactive dashboards and charts. Amazon QuickSight can connect to various data sources, such as Amazon S3, Amazon RDS, Amazon Redshift,
and more. Amazon QuickSight also provides users with machine learning insights, such as anomaly detection, forecasting, and natural language narratives.
The other options are incorrect because they are not AWS services that will provide the dashboards and charts for the insights from business data. Amazon Macie is an AWS service that helps users discover,
classify, and protect sensitive data stored in Amazon S3. Amazon Aurora is an AWS service that provides a relational database that is compatible with MySQL and PostgreSQL. AWS CloudTrail is an AWS service that
enables users to track user activity and API usage across their AWS account.
Reference: Amazon QuickSight FAQs
QUESTION 14
When a user wants to utilize their existing per-socket, per-core, or per-virtual machine software licenses for a Microsoft Windows server running on AWS, which Amazon EC2 instance type is required?

A. Spot Instances
B. Dedicated Instances
C. Dedicated Hosts
D. Reserved Instances
Correct Answer: C
Section:
Explanation:
The correct answer is C because Dedicated Hosts are Amazon EC2 instances that are required when a user wants to utilize their existing per-socket, per-core, or per-virtual machine software licenses for a Microsoft
Windows server running on AWS. Dedicated Hosts are physical servers that are dedicated to a single customer. Dedicated Hosts allow customers to use their existing server-bound software licenses, such as
Windows Server, SQL Server, and SUSE Linux Enterprise Server, subject to their license terms. The other options are incorrect because they are not Amazon EC2 instances that are required when a user wants to
utilize their existing per-socket, per-core, or per-virtual machine software licenses for a Microsoft Windows server running on AWS. Spot Instances are spare Amazon EC2 instances that are available at up to 90%
discount compared to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible workloads that can recover from interruptions easily. Dedicated Instances are Amazon EC2 instances
that run on hardware that is dedicated to a single customer, but not to a specific physical server. Dedicated Instances do not allow customers to use their existing server-bound software licenses. Reserved Instances
are Amazon EC2 instances that are reserved for a specific period of time (one or three years) in exchange for a lower hourly rate. Reserved Instances are suitable for steady-state or predictable workloads that run
for a long duration. Reserved Instances do not allow customers to use their existing server-bound software licenses. Reference: Dedicated Hosts, Amazon EC2 Instance Purchasing Options
QUESTION 15
Which AWS service should a cloud engineer use to view API calls to AWS services?
A. Amazon CloudWatch
B. AWS CloudTrail
C. AWS Config
D. AWS Artifact
Correct Answer: B
www.VCEplus.io
Section:
Explanation:
The correct answer is B because AWS CloudTrail is an AWS service that a cloud engineer can use to view API calls to AWS services. AWS CloudTrail is a service that enables customers to track user activity and API
usage across their AWS account. AWS CloudTrail records the details of every API call made to AWS services, such as the identity of the caller, the time of the call, the source IP address of the caller, the parameters
and responses of the call, and more. Customers can use AWS CloudTrail to audit, monitor, and troubleshoot their AWS resources and actions. The other options are incorrect because they are not AWS services that
a cloud engineer can use to view API calls to AWS services.
Amazon CloudWatch is an AWS service that enables customers to collect, analyze, and visualize metrics, logs, and events from their AWS resources and applications. AWS Config is an AWS service that enables
customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Artifact is an AWS service that provides customers with on-demand access to AWS compliance reports and select online
agreements. Reference: AWS CloudTrail FAQs
QUESTION 16
A company uses Amazon Workspaces. What can a user accomplish using AWS CloudTrail?
A. Generate an 1AM user credentials report.

B. Record API calls made to AWS services.
C. Assess the compliance of AWS resource configurations with policies and guidelines.
D. Ensure that Amazon EC2 instances are patched with the latest security updates.
Correct Answer: B
Section:

Explanation:
AWS CloudTrail is an AWS service that enables users to accomplish the task of recording API calls made to AWS services. AWS CloudTrail is a service that tracks user activity and API usage across the AWS account.
AWS CloudTrail records the details of every API call made to AWS services, such as the identity of the caller, the time of the call, the source IP address of the caller, the parameters and responses of the call, and
more. Users can use AWS CloudTrail to audit, monitor, and troubleshoot their AWS resources and actions. The other options are incorrect because they are not tasks that users can accomplish using AWS CloudTrail.
Generating an IAM user credentials report is a task that users can accomplish using IAM, which is an AWS service that enables users to manage access and permissions to AWS resources and services. Assessing the
compliance of AWS resource configurations with policies and guidelines is a task that users can accomplish using AWS Config, which is an AWS service that enables users to assess, audit, and evaluate the
configurations of their AWS resources. Ensuring that Amazon EC2 instances are patched with the latest security updates is a task that users can accomplish using AWS Systems Manager, which is an AWS service
that enables users to automate operational tasks, manage configuration and compliance, and monitor system health and performance. Reference: AWS CloudTrail FAQs
QUESTION 17
A company stores data in an Amazon S3 bucket. The company must control who has permission to read, write, or delete objects that the company stores in the S3 bucket. Which task is the responsibility of AWS,
according to the AWS shared responsibility model?
A. Set up multi-factor authentication (MFA) for each Workspaces user account.

B. Ensure the environmental safety and security of the AWS infrastructure that hosts Workspaces.
C. Provide security for Workspaces user accounts through AWS Identity and Access Management (1AM).
D. Configure AWS CloudTrail to log API calls and user activity.
Correct Answer: B
Section:
Explanation:
The correct answer is B because ensuring the environmental safety and security of the AWS infrastructure that hosts Workspaces is the responsibility of AWS, according to the AWS shared responsibility model. The
AWS shared responsibility model is a framework that defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which
www.VCEplus.io
the firewall configuration, and the encryption. The other options are incorrect because they are the responsibility of the customer, according to the AWS shared responsibility model. Setting up multi-factor
authentication (MFA) for each Workspaces user account, providing security for Workspaces user accounts through AWS Identity and Access Management (IAM), configuring AWS CloudTrail to log API calls and user
activity, and encrypting data at rest and in transit are all tasks that the customer has to perform to secure their Workspaces environment. Reference: AWS Shared Responsibility Model, Amazon WorkSpaces
Security
QUESTION 18
Which database engine is compatible with Amazon RDS?
A. Apache Cassandra
B. MongoDB
C. Neo4j
D. PostgreSQL
Correct Answer: D
Section:
Explanation:
Amazon RDS supports six database engines: Amazon Aurora, MySQL, MariaDB, PostgreSQL, Oracle, and SQL Server. Apache Cassandra, MongoDB, and Neo4j are not compatible with Amazon RDS. Therefore, the
correct answer is D. You can learn more about Amazon RDS and its supported database engines from this page.
QUESTION 19
A company needs to run code in response to an event notification that occurs when objects are uploaded to an Amazon S3 bucket.
Which AWS service will integrate directly with the event notification?

A. AWS Lambda
B. Amazon EC2
C. Amazon Elastic Container Registry (Amazon ECR)
D. AWS Elastic Beanstalk
Correct Answer: A
Section:
Explanation:
AWS Lambda is a service that lets you run code without provisioning or managing servers. You can use Lambda to process event notifications from Amazon S3 when objects are uploaded or deleted.
Lambda integrates directly with the event notification and invokes your code automatically.
Therefore, the correct answer is A.
QUESTION 20
A company wants to centrally manage security policies and billing services within a multi-account AWS environment. Which AWS service should the company use to meet these requirements?
A. AWS Identity and Access Management (1AM)

B. AWS Organizations
C. AWS Resource Access Manager (AWS RAM)
D. AWS Config
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
AWS Organizations is a service that helps you centrally manage and govern your environment as you grow and scale your AWS resources. You can use AWS Organizations to create groups of accounts and apply
policies to them. You can also use AWS Organizations to consolidate billing for multiple accounts. Therefore, the correct answer is B. You can learn more about AWS Organizations and its features from this page.
QUESTION 21
What are the characteristics of Availability Zones? (Select TWO.)
A. All Availability Zones in an AWS Region are interconnected with high-bandwidth, low-latency networking
B. Availability Zones are physically separated by a minimum of distance of 150 km (100 miles).
C. All traffic between Availability Zones is encrypted.
D. Availability Zones within an AWS Region share redundant power, networking, and connectivity.
E. Every Availability Zone contains a single data center.
Section:
Explanation:
Availability Zones are physically separate locations within an AWS Region that are engineered to be isolated from failures. Each Availability Zone has independent power, cooling, and physical security, and is
connected to other Availability Zones in the same Region by a low-latency network. Therefore, the correct answers are A and D. You can learn more about Availability Zones and their characteristics from this page.
QUESTION 22
Which AWS Well-Architected Framework concept represents a system's ability to remain functional when the system encounters operational problems?
A. Consistency

B. Elasticity
C. Durability
D. Latency
Correct Answer: B
Section:
Explanation:
The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating systems in the cloud. The framework consists of five pillars: operational excellence, security, reliability,
performance efficiency, and cost optimization. The concept of elasticity represents a system's ability to adapt to changes in demand by scaling resources up or down automatically. Therefore, the correct answer is
B. You can learn more about the AWS Well-Architected Framework and its pillars from this page.
QUESTION 23
Which AWS service or tool does AWS Control Tower use to create resources?
A. AWS CloudFormation
B. AWS Trusted Advisor
C. AWS Directory Service
D. AWS Cost Explorer
Correct Answer: A
Section:
Explanation:
AWS Control Tower uses AWS CloudFormation to create resources in your landing zone. AWS CloudFormation is a service that helps you model and set up your AWS resources using templates.
www.VCEplus.io
AWS Control Tower supports creating AWS::ControlTower::EnabledControl resources in AWS CloudFormation. Therefore, the correct answer is A. You can learn more about AWS Control Tower and AWS
CloudFormation from this page.
QUESTION 24
What are some advantages of using Amazon EC2 instances lo host applications in the AWS Cloud instead of on premises? (Select TWO.)
A. EC2 includes operating system patch management

B. EC2 integrates with Amazon VPC. AWS CloudTrail, and AWS Identity and Access Management (1AM)
C. EC2 has a 100% service level agreement (SLA).
D. EC2 has a flexible, pay-as-you-go pricing model.
E. EC2 has automatic storage cost optimization.
Correct Answer: B, D
Section:
Explanation:
Some of the advantages of using Amazon EC2 instances to host applications in the AWS Cloud instead of on premises are:
EC2 integrates with Amazon VPC, AWS CloudTrail, and AWS Identity and Access Management (IAM).
Amazon VPC lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define. AWS CloudTrail enables governance, compliance, operational
auditing, and risk auditing of your AWS account. AWS IAM enables you to manage access to AWS services and resources securely. Therefore, the correct answer is B. You can learn more about Amazon EC2 and its
integration with other AWS services from this page.
EC2 has a flexible, pay-as-you-go pricing model. You only pay for the compute capacity you use, and you can scale up and down as needed. You can also choose from different pricing options, such as On-Demand,
Savings Plans, Reserved Instances, and Spot Instances, to optimize your costs.
Therefore, the correct answer is D. You can learn more about Amazon EC2 pricing from this page.

The other options are incorrect because:
EC2 does not include operating system patch management. You are responsible for managing and maintaining your own operating systems on EC2 instances. You can use AWS Systems Manager to automate
common maintenance tasks, such as applying patches, or use Amazon EC2 Image Builder to create and maintain secure images. Therefore, the incorrect answer is A.
EC2 does not have a 100% service level agreement (SLA). The EC2 SLA guarantees 99.99% availability for each EC2 Region, not for each individual instance. Therefore, the incorrect answer is C.
EC2 does not have automatic storage cost optimization. You are responsible for choosing the right storage option for your EC2 instances, such as Amazon Elastic Block Store (EBS) or Amazon Elastic File System (EFS),
and monitoring and optimizing your storage costs. You can use AWS Cost Explorer or
AWS Trusted Advisor to analyze and reduce your storage spending. Therefore, the incorrect answer is E.
QUESTION 25
Which option is an advantage of AWS Cloud computing that minimizes variable costs?
A. High availability
B. Economies of scale
C. Global reach
D. Agility
Correct Answer: B
Section:
Explanation:
One of the advantages of AWS Cloud computing is that it minimizes variable costs by leveraging economies of scale. This means that AWS can achieve lower costs per unit of computing resources by spreading the
fixed costs of building and maintaining data centers over a large number of customers.
As a result, AWS can offer lower and more predictable prices to its customers, who only pay for the resources they consume. Therefore, the correct answer is B. You can learn more about AWS pricing and
economies of scale from this page.
QUESTION 26
www.VCEplus.io
Which pillar of the AWS Well-Architected Framework focuses on the ability to run workloads effectively, gain insight into operations, and continuously improve supporting processes and procedures?
A. Cost optimization
B. Reliability
C. Operational excellence
D. Performance efficiency
Correct Answer: C
Section:
Explanation:
The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating systems in the cloud. The framework consists of five pillars: operational excellence, security, reliability,
performance efficiency, and cost optimization. The operational excellence pillar focuses on the ability to run workloads effectively, gain insight into operations, and continuously improve supporting processes and
procedures. Therefore, the correct answer is C. You can learn more about the AWS Well-Architected Framework and its pillars from this page.
QUESTION 27
Which benefit is included with an AWS Enterprise Support plan?
A. AWS Partner Network (APN) support at no cost

B. Designated support from an AWS technical account manager (TAM)
C. On-site support from AWS engineers
D. AWS managed compliance as code with AWS Config

Correct Answer: B
Section:
Explanation:
AWS offers different support plans to meet the needs of different customers. The AWS Enterprise Support plan is the highest level of support that provides customers with concierge-like service, where the main
focus is helping them achieve their outcomes and find success in the cloud. One of the benefits of the AWS Enterprise Support plan is that customers get designated support from an AWS technical account
manager (TAM), who provides consultative architectural and operational guidance based on their applications and use cases. Therefore, the correct answer is B. You can learn more about AWS support plans and
their benefits from this page.
QUESTION 28
A company plans to migrate to AWS and wants to create cost estimates for its AWS use cases.
Which AWS service or tool can the company use to meet these requirements?
A. AWS Pricing Calculator

B. Amazon CloudWatch
C. AWS Cost Explorer
D. AWS Budgets
Correct Answer: A
Section:
Explanation:
AWS Pricing Calculator is a web-based planning tool that customers can use to create estimates for their AWS use cases. They can use it to model their solutions before building them, explore the AWS service price
points, and review the calculations behind their estimates. Therefore, the correct answer is A. You can learn more about AWS Pricing Calculator and how it works from this page.
QUESTION 29
www.VCEplus.io
A developer needs to build an application for a retail company. The application must provide realtime product recommendations that are based on machine learning.
Which AWS service should the developer use to meet this requirement?
A. AWS Health Dashboard

B. Amazon Personalize
C. Amazon Forecast
D. Amazon Transcribe
Correct Answer: B
Section:
Explanation:
Amazon Personalize is a fully managed machine learning service that customers can use to generate personalized recommendations for their users. It can also generate user segments based on the users' affinity for
certain items or item metadata. Amazon Personalize uses the customers' data to train and deploy custom recommendation models that can be integrated into their applications.
Therefore, the correct answer is B. You can learn more about Amazon Personalize and its use cases from this page.
QUESTION 30
A company deploys its application on Amazon EC2 instances. The application occasionally experiences sudden increases in demand. The company wants to ensure that its application can respond to changes in
demand at the lowest possible cost.
Which AWS service or tool will meet these requirements?
A. AWS Auto Scaling

B. AWS Compute Optimizer

D. AWS Well-Architected Framework
Correct Answer: A
Section:
Explanation:
AWS Auto Scaling is the AWS service or tool that will meet the requirements of ensuring that the application can respond to changes in demand at the lowest possible cost. AWS Auto Scaling allows users to
automatically adjust the number of Amazon EC2 instances based on the application's performance and availability needs. AWS Auto Scaling can also optimize costs by helping users select the most cost-effective
EC2 instances for their application1
QUESTION 31
Which AWS service or tool provides recommendations to help users get rightsized Amazon EC2 instances based on historical workload usage data?

C. AWS App Runner
D. AWS Systems Manager
Correct Answer: B
Section:
Explanation:
AWS Compute Optimizer is the AWS service or tool that provides recommendations to help users get rightsized Amazon EC2 instances based on historical workload usage data. AWS Compute Optimizer analyzes
the configuration and performance characteristics of the EC2 instances and delivers recommendations for optimal instance types, sizes, and configurations. AWS Compute Optimizer helps users improve
www.VCEplus.io
performance, reduce costs, and eliminate underutilized resources
QUESTION 32
A company wants to use a managed service to simplify the setup, operation, and scaling of its MySQL database in the AWS Cloud.
Which AWS service will meet these requirements?
A. Amazon EMR
B. Amazon RDS
C. Amazon Redshift
D. Amazon DynamoDB
Correct Answer: B
Section:
Explanation:
Amazon RDS is the AWS service that will meet the requirements of using a managed service to simplify the setup, operation, and scaling of a MySQL database in the AWS Cloud. Amazon RDS is a relational database
service that supports MySQL and other popular database engines. Amazon RDS handles routine database tasks such as provisioning, patching, backup, recovery, and scaling. Amazon RDS also offers high availability,
security, and compatibility features3
QUESTION 33
A company deploys its application to multiple AWS Regions and configures automatic failover between those Regions.
Which cloud concept does this architecture represent?
A. Security

B. Reliability
C. Scalability
D. Cost optimization
Correct Answer: B
Section:
Explanation:
Reliability is the cloud concept that this architecture represents. Reliability is the ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand,
and mitigate disruptions such as misconfigurations or transient network issues. Deploying an application to multiple AWS Regions and configuring automatic failover between those Regions enhances the reliability
of the application by reducing the impact of regional failures and increasing the availability of the application4
QUESTION 34
A company's IT team is managing MySQL database server clusters. The IT team has to patch the database and take backup snapshots of the data in the clusters. The company wants to move this workload to AWS
so that these tasks will be completed automatically.
What should the company do to meet these requirements?
A. Deploy MySQL database server clusters on Amazon EC2 instances.

B. Use Amazon RDS with a MySQL database.
C. Use an AWS Cloud Form at ion template to deploy MySQL database servers on Amazon EC2 instances.
D. Migrate all the MySQL database data to Amazon S3.
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
The company should use Amazon RDS with a MySQL database to meet the requirements of moving its workload to AWS so that the tasks of patching the database and taking backup snapshots of the data in the
clusters will be completed automatically. Amazon RDS is a managed service that simplifies the setup, operation, and scaling of relational databases in the AWS Cloud. Amazon RDS automates common database
administration tasks such as patching, backup, and recovery. Amazon RDS also supports MySQL and other popular database engines5
QUESTION 35
A company recently migrated to the AWS Cloud. The company needs to determine whether its newly imported Amazon EC2 instances are the appropriate size and type.
Which AWS services can provide this information to the company? {Select TWO.)
A. AWS Auto Scaling

B. AWS Control Tower
C. AWS Trusted Advisor
D. AWS Compute Optimizer
E. Amazon Forecast
Correct Answer: C, D
Section:
Explanation:
AWS Trusted Advisor and AWS Compute Optimizer are the AWS services that can provide information to the company about whether its newly imported Amazon EC2 instances are the appropriate size and type.
AWS Trusted Advisor is an online tool that provides best practices recommendations in five categories: cost optimization, performance, security, fault tolerance, and service limits. AWS Trusted Advisor can help
users identify underutilized or idle EC2 instances, and suggest ways to reduce costs and improve performance. AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of EC2
instances and delivers recommendations for optimal instance types, sizes, and configurations. AWS Compute Optimizer helps users improve performance, reduce costs, and eliminate underutilized resources

QUESTION 36
A company has a social media platform in which users upload and share photos with other users. The company wants to identify and remove inappropriate photos. The company has no machine learning (ML)
scientists and must build this detection capability with no ML expertise.
Which AWS service should the company use to build this capability?
A. Amazon SageMaker
B. Amazon Textract
C. Amazon Rekognition
D. Amazon Comprehend
Correct Answer: C
Section:
Explanation:
Amazon Rekognition is the AWS service that the company should use to build the capability of identifying and removing inappropriate photos. Amazon Rekognition is a service that uses deep learning technology to
analyze images and videos for various purposes, such as face detection, object recognition, text extraction, and content moderation. Amazon Rekognition can help users detect unsafe or inappropriate content in
images and videos, such as nudity, violence, or drugs, and provide confidence scores for each label. Amazon Rekognition does not require any machine learning expertise, and users can easily integrate it with other
AWS services
QUESTION 37
A company's user base needs to remotely access virtual desktop computers from the internet Which AWS service provides this functionality?
A. Amazon Connect
B. Amazon Cognito
C.
D.
Amazon Workspaces
Amazon Upstream 2.0 www.VCEplus.io
Correct Answer: C
Section:
Explanation:
Amazon Workspaces is the AWS service that provides the functionality of remotely accessing virtual desktop computers from the internet. Amazon Workspaces is a fully managed, secure desktop-as-aservice (DaaS)
solution that allows users to provision cloud-based virtual desktops and access them from anywhere, using any supported device. Amazon Workspaces helps users reduce the complexity and cost of managing and
maintaining physical desktops, and provides a consistent and secure user experience
QUESTION 38
Amazon Elastic File System (Amazon EFS) and Amazon FSx offer which type of storage?
A. File storage
B. Object storage
C. Block storage
D. Instance store
Correct Answer: A
Section:
Explanation:
Amazon Elastic File System (Amazon EFS) and Amazon FSx offer file storage. File storage is a type of storage that organizes data into files and folders, and allows multiple users or applications to access and share the
same files over a network. Amazon EFS is a fully managed, scalable, and elastic file system that supports the Network File System (NFS) protocol and can be used with Amazon EC2 instances and AWS Lambda

functions. Amazon FSx is a fully managed service that provides two file system options: Amazon FSx for Windows File Server, which supports the Server Message Block (SMB) protocol and is compatible with
Microsoft Windows applications; and Amazon FSx for Lustre, which is a high-performance file system that is optimized for compute-intensive workloads
QUESTION 39
Which AWS service or feature is used to Troubleshoot network connectivity issues between Amazon EC2 instances?
A. AWS Certificate Manager (ACM)

B. Internet gateway
C. VPC Flow Logs
D. AWS CloudHSM
Correct Answer: C
Section:
Explanation:
VPC Flow Logs is the AWS service or feature that is used to troubleshoot network connectivity issues between Amazon EC2 instances. VPC Flow Logs is a feature that enables users to capture information about the
IP traffic going to and from network interfaces in their VPC. VPC Flow Logs can help users monitor and diagnose network-related issues, such as traffic not reaching an instance, or an instance not responding to
requests. VPC Flow Logs can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose for analysis and storage.
QUESTION 40
Which factors affect costs in the AWS Cloud? (Select TWO.)
A. The number of unused AWS Lambda functions

B. The number of configured Amazon S3 buckets
C.
D.
E.
Inbound data transfers without acceleration
Outbound data transfers without acceleration
Compute resources that are currently in use
www.VCEplus.io
Correct Answer: D, E
Section:
Explanation:
Outbound data transfers without acceleration and compute resources that are currently in use are the factors that affect costs in the AWS Cloud. Outbound data transfers without acceleration refer to the amount
of data that is transferred from AWS to the internet, without using any service that can optimize the speed and cost of the data transfer, such as AWS Global Accelerator or Amazon CloudFront. Outbound data
transfers are charged at different rates depending on the source and destination AWS Regions, and the volume of data transferred. Compute resources that are currently in use refer to the AWS services and
resources that provide computing capacity, such as Amazon EC2 instances, AWS Lambda functions, or Amazon ECS tasks. Compute resources are charged based on the type, size, and configuration of the resources,
and the duration and frequency of their usage.
QUESTION 41
Which design principles support the reliability pillar of the AWS Well-Architected Framework? (Select TWO.)
A. Perform operations as code.

B. Enable traceability.
C. Automatically scale to meet demand.
D. Deploy resources globally to improve response time.
E. Automatically recover from failure.
Correct Answer: C, E

Section:
Explanation:
The design principles that support the reliability pillar of the AWS Well-Architected Framework are:
automatically scale to meet demand, and automatically recover from failure. These principles help users design systems that can handle changes in load, avoid disruptions, and resume normal operations quickly.
Automatically scaling to meet demand means adjusting the capacity of the system based on the current and anticipated workload, using services such as AWS Auto Scaling, Amazon EC2, and AWS Lambda.
Automatically recovering from failure means detecting and resolving issues, using services such as Amazon CloudWatch, AWS CloudFormation, and AWS CloudTrail
QUESTION 42
Which of the following are user authentication services managed by AWS? (Select TWO.)
A. Amazon Cognito
B. AWS Lambda
C. AWS License Manager
D. AWS Identity and Access Management (1AM)
E. AWS CodeStar
Section:
Explanation:
The user authentication services managed by AWS are: Amazon Cognito and AWS Identity and Access Management (IAM). These services help users securely manage and control access to their
AWS resources and applications. Amazon Cognito is a service that provides user sign-up, sign-in, and access control for web and mobile applications. Amazon Cognito supports various identity providers, such as
Facebook, Google, and Amazon, as well as custom user pools. AWS IAM is a service that enables users to create and manage users, groups, roles, and permissions for AWS services and resources. AWS IAM
supports various authentication methods, such as passwords, access keys, and multi-factor authentication (MFA)
QUESTION 43 www.VCEplus.io
company wants to protect its AWS Cloud information, systems, and assets while performing risk assessment and mitigation tasks.
Which pillar of the AWS Well-Architected Framework is supported by these goals?
A. Reliability
B. Security
Correct Answer: B
Section:
Explanation:
The pillar of the AWS Well-Architected Framework that is supported by the goals of protecting AWS Cloud information, systems, and assets while performing risk assessment and mitigation tasks is security. Security
is the ability to protect information, systems, and assets while delivering business value through risk assessments and mitigation strategies. The security pillar covers topics such as identity and access management,
data protection, infrastructure protection, detective controls, incident response, and compliance
QUESTION 44
A company is configuring its AWS Cloud environment. The company's administrators need to group users together and apply permissions to the group.
Which AWS service or feature can the company use to meet these requirements?
A. AWS Organizations
B. Resource groups

C. Resource tagging
Correct Answer: D
Section:
Explanation:
The AWS service or feature that the company can use to group users together and apply permissions to the group is AWS Identity and Access Management (IAM). AWS IAM is a service that enables users to create
and manage users, groups, roles, and permissions for AWS services and resources. Users can use IAM groups to organize multiple users that have similar access requirements, and attach policies to the groups that
define the permissions for the users in the group. This simplifies the management and administration of user access
QUESTION 45
A company has two AWS accounts in an organization in AWS Organizations for consolidated billing.
All of the company's AWS resources are hosted in one AWS Region.
Account A has purchased five Amazon EC2 Standard Reserved Instances (RIs) and has four EC2 instances running. Account B has not purchased any RIs and also has four EC2 instances running.
Which statement is true regarding pricing for these eight instances?
A. The eight instances will be charged as regular instances.

B. Four instances will be charged as RIs, and four will be charged as regular instances.
C. Five instances will be charged as RIs, and three will be charged as regular instances.
D. The eight instances will be charged as RIs.
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
The statement that is true regarding pricing for these eight instances is: four instances will be charged as RIs, and four will be charged as regular instances. Amazon EC2 Reserved Instances (RIs) are a pricing model
that allows users to reserve EC2 instances for a specific term and benefit from discounted hourly rates and capacity reservation. RIs are purchased for a specific AWS Region, and can be shared across multiple
accounts in an organization in AWS Organizations for consolidated billing. However, RIs are applied on a first-come, first-served basis, and there is no guarantee that all instances in the organization will be charged
at the RI rate. In this case, Account A has purchased five
RIs and has four instances running, so all four instances will be charged at the RI rate. Account B has not purchased any RIs and also has four instances running, so all four instances will be charged at the regular
rate. The remaining RI in Account A will not be applied to any instance in Account B, and will be wasted.
QUESTION 46
Which of the following is an advantage that users experience when they move on-premises workloads to the AWS Cloud?
A. Elimination of expenses for running and maintaining data centers

B. Price discounts that are identical to discounts from hardware providers
C. Distribution of all operational controls to AWS
D. Elimination of operational expenses
Correct Answer: A
Section:
Explanation:
The advantage that users experience when they move on-premises workloads to the AWS Cloud is:
elimination of expenses for running and maintaining data centers. By moving on-premises workloads to the AWS Cloud, users can reduce or eliminate the costs associated with owning and operating physical
servers, storage, network equipment, and facilities. These costs include hardware purchase, maintenance, repair, power, cooling, security, and staff. Users can also benefit from the pay-as-yougo pricing model of
AWS, which allows them to pay only for the resources they use, and scale up or down as needed.

QUESTION 47
Which of the following is a cost efficiency principle related to the AWS Cloud?
A. Right-size services based on capacity requirements.

B. Use the Billing Dashboard to access information about monthly bills.
C. Use AWS Organizations to combine the expenses of multiple accounts into a single bill.
D. Tag all AWS resources.
Correct Answer: A
Section:
Explanation:
One of the cost efficiency principles related to the AWS Cloud is to right-size services based on capacity requirements. This means choosing the most appropriate type and size of AWS resources to meet the
performance and scalability needs of the applications, while avoiding over-provisioning or under-provisioning. By right-sizing services, users can optimize the costs and benefits of using the AWS Cloud1
QUESTION 48
A cloud engineer needs to download AWS security and compliance documents for an upcoming audit.
Which AWS service can provide the documents?

B. AWS Artifact
C. AWS Well-Architected Tool
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
AWS Artifact is the AWS service that can provide security and compliance documents for an upcoming audit. AWS Artifact is a self-service portal that allows users to access and download AWS compliance reports
and agreements. These documents provide evidence of AWS's compliance with global, regional, and industry-specific security standards and regulations
QUESTION 49
A company has been storing monthly reports in an Amazon S3 bucket. The company exports the report data into comma-separated values (.csv) files. A developer wants to write a simple query that can read all of
these files and generate a summary report.
Which AWS service or feature should the developer use to meet these requirements with the LEAST amount of operational overhead?
A. Amazon S3 Select
B. Amazon Athena
C. Amazon Redshift
D. Amazon EC2
Correct Answer: B
Section:
Explanation:
Amazon Athena is the AWS service that the developer should use to write a simple query that can read all of the .csv files stored in an Amazon S3 bucket and generate a summary report. Amazon Athena is an
interactive query service that allows users to analyze data in Amazon S3 using standard SQL. Amazon Athena does not require any server setup or management, and users only pay for the queries they run. Amazon
Athena can handle various data formats, including .csv, and can integrate with other AWS services such as Amazon QuickSight for data visualization

QUESTION 50
Which task requires the use of AWS account root user credentials?
A. The deletion of 1AM users

B. The change to a different AWS Support plan
C. The creation of an organization in AWS Organizations
D. The deletion of Amazon EC2 instances
Correct Answer: C
Section:
Explanation:
The creation of an organization in AWS Organizations requires the use of AWS account root user credentials. The AWS account root user is the email address that was used to create the AWS account. The root user
has complete access to all AWS services and resources in the account, and can perform sensitive tasks such as changing the account settings, closing the account, or creating an organization. The root user
credentials should be used sparingly and securely, and only for tasks that cannot be performed by IAM users or roles4
QUESTION 51
Which feature of the AWS Cloud gives users the ability to pay based on current needs rather than forecasted needs?
A. AWS Budgets
B. Pay-as-you-go pricing
C. Volume discounts
D. Savings Plans
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
Pay-as-you-go pricing is the feature of the AWS Cloud that gives users the ability to pay based on current needs rather than forecasted needs. Pay-as-you-go pricing means that users only pay for the AWS services
and resources they use, without any upfront or long-term commitments. This allows users to scale up or down their usage depending on their changing business requirements, and avoid paying for idle or unused
capacity. Pay-as-you-go pricing also enables users to benefit from the economies of scale and lower costs of AWS as they grow their business5
QUESTION 52
What does the Amazon S3 Intelligent-Tiering storage class offer?
A. Payment flexibility by reserving storage capacity

B. Long-term retention of data by copying the data to an encrypted Amazon Elastic Block Store (Amazon EBS) volume
C. Automatic cost savings by moving objects between tiers based on access pattern changes
D. Secure, durable, and lowest cost storage for data archival
Correct Answer: C
Section:
Explanation:
The Amazon S3 Intelligent-Tiering storage class offers automatic cost savings by moving objects between tiers based on access pattern changes. This storage class is designed for data with unknown or changing
access patterns. It has two access tiers: frequent access and infrequent access. Objects are stored in the frequent access tier by default, and are moved to the infrequent access tier after 30 consecutive days of no
access. If an object in the infrequent access tier is accessed, it is moved back to the frequent access tier. There are no retrieval fees in S3 Intelligent-Tiering, and no additional tiering fees when objects are moved
between access tiers within the S3 Intelligent-Tiering storage class1.

QUESTION 53
Which AWS service gives users the ability to provision a dedicated and private network connection from their internal network to AWS?
A. AWS CloudHSM
B. AWS Direct Connect
C. AWS VPN
D. Amazon Connect
Correct Answer: B
Section:
Explanation:
AWS Direct Connect gives users the ability to provision a dedicated and private network connection from their internal network to AWS. AWS Direct Connect links the user's internal network to an AWS Direct
Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected to the user's router, the other to an AWS Direct Connect router. With this connection in place, the user can create
virtual interfaces directly to the AWS cloud and Amazon Virtual Private Cloud (Amazon VPC), bypassing internet service providers in the network path2.
QUESTION 54
A company is hosting a web application in a Docker container on Amazon EC2.
AWS is responsible for which of the following tasks?
A. Scaling the web application and services developed with Docker

B. Provisioning or scheduling containers to run on clusters and maintain their availability
C. Performing hardware maintenance in the AWS facilities that run the AWS Cloud
D. Managing the guest operating system, including updates and security patches
Correct Answer: C
Section:
www.VCEplus.io
Explanation:
AWS is responsible for performing hardware maintenance in the AWS facilities that run the AWS Cloud. This is part of the shared responsibility model, where AWS is responsible for the security of the cloud, and
the customer is responsible for security in the cloud. AWS is also responsible for the global infrastructure that runs all of the services offered in the AWS Cloud, including the hardware, software, networking, and
facilities that run AWS Cloud services3. The customer is responsible for the guest operating system, including updates and security patches, as well as the web application and services developed with Docker4.
QUESTION 55
Which design principle should be considered when architecting in the AWS Cloud?
A. Think of servers as non-disposable resources.

B. Use synchronous integration of services.
C. Design loosely coupled components.
D. Implement the least permissive rules for security groups.
Correct Answer: C
Section:
Explanation:
Designing loosely coupled components is a design principle that should be considered when architecting in the AWS Cloud. Loose coupling is a way of designing systems to reduce interdependencies and minimize
the impact of changes. Loose coupling allows components to interact with each other through well-defined interfaces, rather than direct references. This reduces the risk of failures and errors propagating across
the system, and enables greater scalability, availability, and maintainability5.

QUESTION 56
Which AWS service or tool helps to centrally manage billing and allow controlled access to resources across AWS accounts?

D. AWS Budgets
Correct Answer: B
Section:
Explanation:
AWS Organizations helps to centrally manage billing and allow controlled access to resources across AWS accounts. AWS Organizations is a service that enables the user to consolidate multiple AWS accounts into
an organization that can be managed as a single unit. AWS Organizations allows the user to create groups of accounts and apply policies to them, such as service control policies (SCPs) that specify the services and
actions that users and roles can access in the accounts. AWS Organizations also enables the user to use consolidated billing, which combines the usage and charges from all the accounts in the organization into a
single bill.
QUESTION 57
Which AWS service or feature can be used to estimate costs before deployment?
A. AWS Free Tier

B. AWS Pricing Calculator
C. AWS Billing and Cost Management
D. AWS Cost and Usage Report
Correct Answer: B
Section:
www.VCEplus.io
Explanation:
AWS Pricing Calculator can be used to estimate costs before deployment. AWS Pricing Calculator is a tool that helps the user to compare the cost of AWS services for different use cases and configurations. The user
can create estimates for various AWS services, such as Amazon EC2, Amazon S3, Amazon RDS, and more. The user can also adjust the parameters, such as region, instance type, storage size, and duration, to see
how they affect the cost. AWS Pricing Calculator provides a detailed breakdown of the estimated cost, as well as a summary of the key drivers of the cost.
QUESTION 58
Which of the following promotes AWS Cloud architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems?
A. AWS Serverless Application Model framework

B. AWS Business Support
C. Principle of least privilege
Correct Answer: D
Section:
Explanation:
AWS Well-Architected Framework promotes AWS Cloud architectural best practices for designing and operating reliable, secure, efficient, and cost-effective systems. AWS Well-Architected Framework is a set of
guidelines and best practices that help the user to evaluate and improve the architecture of their applications and workloads on AWS. AWS Well-Architected Framework consists of five pillars:
operational excellence, security, reliability, performance efficiency, and cost optimization. Each pillar provides a set of design principles, questions, and best practices that help the user to achieve the desired
outcomes for their systems.

QUESTION 59
A company has refined its workload to use specific AWS services to improve efficiency and reduce cost. Which task is a customer's responsibility, according to the AWS shared responsibility model?
A. Management of the guest operating systems

B. Maintenance of the configuration of infrastructure devices
C. Management of the host operating systems and virtualization
D. Maintenance of the software that powers Availability Zones
Correct Answer: A
Section:
Explanation:
Management of the guest operating systems is a customer's responsibility, according to the AWS shared responsibility model. The AWS shared responsibility model defines the different security and compliance
responsibilities of AWS and the customer. AWS is responsible for the security of the cloud, which includes the physical infrastructure, hardware, software, and facilities that run the AWS Cloud. The customer is
responsible for security in the cloud, which includes the configuration and management of the guest operating systems, applications, data, and network traffic protection
QUESTION 60
Which best practice for cost governance does this example show?
A. Resource controls
B. Cost allocation
C. Architecture optimization
D. Tagging enforcement
Correct Answer: C
Section:
Explanation:
www.VCEplus.io
Architecture optimization is the best practice for cost governance that this example shows.
Architecture optimization is the process of designing and implementing AWS solutions that are efficient, scalable, and cost-effective. By using specific AWS services to improve efficiency and reduce cost, the
company is following the architecture optimization best practice. Some of the techniques for architecture optimization include using the right size and type of resources, leveraging elasticity and scalability,
choosing the most suitable storage class, and using serverless and managed services2.
QUESTION 61
Which activity can companies complete by using AWS Organizations?
A. Troubleshoot the performance of applications.

B. Manage service control policies (SCPs).
C. Migrate applications to microservices.
D. Monitor the performance of applications.
Correct Answer: B
Section:
Explanation:
Managing service control policies (SCPs) is an activity that companies can complete by using AWS Organizations. AWS Organizations is a service that enables the user to consolidate multiple AWS accounts into an
organization that can be managed as a single unit. AWS Organizations allows the user to create groups of accounts and apply policies to them, such as service control policies (SCPs) that specify the services and
actions that users and roles can access in the accounts. AWS Organizations also enables the user to use consolidated billing, which combines the usage and charges from all the accounts in the organization into a
single bill3.

QUESTION 62
Which AWS service or feature is used to send both text and email messages from distributed applications?
A. Amazon Simple Notification Service (Amazon SNS)

B. Amazon Simple Email Service (Amazon SES)
C. Amazon CloudWatch alerts
D. Amazon Simple Queue Service (Amazon SQS)
Correct Answer: A
Section:
Explanation:
Amazon Simple Notification Service (Amazon SNS) is the AWS service or feature that is used to send both text and email messages from distributed applications. Amazon SNS is a fully managed pub/sub messaging
service that enables the user to send messages to multiple subscribers or endpoints, such as email addresses, phone numbers, HTTP endpoints, AWS Lambda functions, and more. Amazon SNS can be used to send
notifications, alerts, confirmations, and reminders from applications to users or other applications4.
QUESTION 63
Which of the following is a benefit of decoupling an AWS Cloud architecture?
A. Reduced latency
B. Ability to upgrade components independently
C. Decreased costs
D. Fewer components to manage
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
A benefit of decoupling an AWS Cloud architecture is the ability to upgrade components independently. Decoupling is a way of designing systems to reduce interdependencies and minimize the impact of changes.
Decoupling allows components to interact with each other through welldefined interfaces, rather than direct references. This reduces the risk of failures and errors propagating across the system, and enables
greater scalability, availability, and maintainability. By decoupling an AWS Cloud architecture, the user can upgrade or modify one component without affecting the other components5.
QUESTION 64
Which of the following describes an AWS Region?
A. A specific location within a geographic area that provides high availability

B. A set of data centers spanning multiple countries
C. A global picture of a user's cloud computing environment
D. A collection of databases that can be accessed from a specific geographic area only
Correct Answer: A
Section:
Explanation:
An AWS Region is a specific location within a geographic area that provides high availability. An AWS Region consists of two or more Availability Zones, which are isolated locations within the same Region. Each
Availability Zone has independent power, cooling, and physical security, and is connected to the other Availability Zones in the same Region by low-latency, high-throughput, and highly redundant networking. AWS
services are available in multiple Regions around the world, allowing the user to choose where to run their applications and store their data1.
QUESTION 65

A retail company is building a new mobile app. The company is evaluating whether to build the app at an on-premises data center or in the AWS Cloud.
responsibility model?
A. Amazon FSx for Windows File Server

B. Amazon Workspaces virtual Windows desktop
C. AWS Directory Service for Microsoft Active Directory
D. Amazon RDS for Microsoft SQL Server
Correct Answer: C
Section:
Explanation:
AWS Directory Service for Microsoft Active Directory is the AWS service that provides a managed Microsoft Active Directory in the AWS Cloud. It enables the user to use their existing Active Directory users, groups,
and policies to access AWS resources, such as Amazon EC2 instances, Amazon S3 buckets, and AWS Single Sign-On. It also integrates with other Microsoft applications and services, such as Microsoft SQL Server,
Microsoft Office 365, and Microsoft SharePoint
QUESTION 66
Which AWS service should a cloud practitioner use to receive real-time guidance for provisioning resources, based on AWS best practices related to security, cost optimization, and service limits?

B. AWS Config
C. AWS Security Hub
Correct Answer: A
Section:
Explanation:
www.VCEplus.io
AWS Trusted Advisor is the AWS service that provides real-time guidance for provisioning resources, based on AWS best practices related to security, cost optimization, and service limits. AWS Trusted Advisor
inspects the user's AWS environment and provides recommendations for improving performance, security, and reliability, reducing costs, and following best practices. AWS Trusted Advisor also alerts the user when
they are approaching or exceeding their service limits, and helps them request limit increases3.
QUESTION 67
Which of the following are advantages of moving to the AWS Cloud? (Select TWO.)
A. The ability to turn over the responsibility for all security to AWS.
B. The ability to use the pay-as-you-go model.
C. The ability to have full control over the physical infrastructure.
D. No longer having to guess what capacity will be required.
E. No longer worrying about users access controls.
Section:
Explanation:
The advantages of moving to the AWS Cloud are the ability to use the pay-as-you-go model and no longer having to guess what capacity will be required. The pay-as-you-go model allows the user to pay only for the
resources they use, without any upfront or long-term commitments. This reduces the cost and risk of over-provisioning or under-provisioning resources. No longer having to guess what capacity will be required
means that the user can scale their resources up or down according to the demand, without wasting money on idle resources or losing customers due to insufficient capacity4.

QUESTION 68
A company is migrating a relational database server to the AWS Cloud. The company wants to minimize administrative overhead of database maintenance tasks.
A. Amazon DynamoDB
B. Amazon EC2
C. Amazon Redshift
D. Amazon RDS
Correct Answer: D
Section:
Explanation:
Amazon RDS is the AWS service that will meet the requirements of migrating a relational database server to the AWS Cloud and minimizing administrative overhead of database maintenance tasks.
Amazon RDS is a fully managed relational database service that handles routine database tasks, such as provisioning, patching, backup, recovery, failure detection, and repair. Amazon RDS supports several
database engines, such as MySQL, PostgreSQL, Oracle, SQL Server, and Amazon Aurora5.
QUESTION 69
A company is reviewing its operating policies.
Which policy complies with guidance in the security pillar of the AWS Well-Architected Framework?
A. Ensure that employees have access to all company data.

B. Expand employees' permissions as they gain more experience.
C. Grant all privileges and access to all users.
D. Apply security requirements at all layers of a process.
Correct Answer: D
www.VCEplus.io
Section:
Explanation:
Applying security requirements at all layers of a process is a policy that complies with guidance in the security pillar of the AWS Well-Architected Framework. The security pillar of the AWS Well-Architected
Framework provides best practices for securing the user's data and systems in the AWS Cloud. One of the design principles of the security pillar is to apply security at all layers, which means that the user should
implement defense-in-depth strategies and avoid relying on a single security mechanism. For example, the user should use multiple security controls, such as encryption, firewalls, identity and access management,
and logging and monitoring, to protect their data and resources at different layers.
QUESTION 70
Which task is the responsibility of a company that is using Amazon RDS?
A. Provision the underlying infrastructure.

B. Create 1AM policies to control administrative access to the service.
C. Install the cables to connect the hardware for compute and storage.
D. Install and patch the RDS operating system.
Correct Answer: B
Section:
Explanation:
The correct answer is B because AWS 1AM policies can be used to control administrative access to the Amazon RDS service. The other options are incorrect because they are the responsibilities of AWS, not the
company that is using Amazon RDS. AWS manages the provisioning, cabling, installation, and patching of the underlying infrastructure for Amazon RDS. Reference: Amazon RDS FAQs

QUESTION 71
A company is designing an identity access management solution for an application. The company wants users to be able to use their social media, email, or online shopping accounts to access the application.
Which AWS service provides this functionality?
A. AWS 1AM Identity Center (AWS Single Sign-On)

B. AWS Config
C. Amazon Cognito
Correct Answer: C
Section:
Explanation:
The correct answer is C because Amazon Cognito provides identity federation and user authentication for web and mobile applications. Amazon Cognito allows users to sign in with their social media, email, or
online shopping accounts. The other options are incorrect because they do not provide identity federation or user authentication. AWS 1AM Identity Center (AWS Single Sign-On) is a service that enables users to
access multiple AWS accounts and applications with a single sign-on experience. AWS Config is a service that enables users to assess, audit, and evaluate the configurations of their AWS resources. AWS Identity and
Access Management (1AM) is a service that enables users to manage access to AWS resources using users, groups, roles, and policies.
Reference: Amazon Cognito FAQs
QUESTION 72
Which AWS service aggregates, organizes, and prioritizes security alerts and findings from multiple AWS services?
A. Amazon Detective
B. Amazon Inspector
C.
D.
Amazon Macie
AWS Security Hub www.VCEplus.io
Correct Answer: D
Section:
Explanation:
The correct answer is D because AWS Security Hub is a service that aggregates, organizes, and prioritizes security alerts and findings from multiple AWS services, such as Amazon GuardDuty, Amazon Inspector,
Amazon Macie, AWS Firewall Manager, and AWS IAM Access Analyzer. The other options are incorrect because they are not services that aggregate security alerts and findings from multiple AWS services. Amazon
Detective is a service that helps users analyze and visualize security data to investigate and remediate potential issues. Amazon Inspector is a service that helps users find security vulnerabilities and deviations from
best practices in their Amazon EC2 instances.
Amazon Macie is a service that helps users discover, classify, and protect sensitive data stored in Amazon S3. Reference: AWS Security Hub FAQs
QUESTION 73
Which of the following are advantages of the AWS Cloud? (Select TWO.)
A. Trade variable expenses for capital expenses

B. High economies of scale
C. Launch globally in minutes
D. Focus on managing hardware infrastructure
E. Overprovision to ensure capacity
Correct Answer: B, C
Section:

Explanation:
The correct answers are B and C because they are advantages of the AWS Cloud. High economies of scale means that AWS can achieve lower variable costs than customers can get on their own. Launch globally in
minutes means that AWS has a global infrastructure that allows customers to deploy their applications and data across multiple regions and availability zones. The other options are incorrect because they are not
advantages of the AWS Cloud. Trade variable expenses for capital expenses means that customers have to invest heavily in data centers and servers before they know how they will use them. Focus on managing
hardware infrastructure means that customers have to spend time and money on maintaining and upgrading their physical resources. Overprovision to ensure capacity means that customers have to pay for more
resources than they actually need to avoid performance issues. Reference: What is Cloud Computing?
QUESTION 74
Which AWS service is a key-value database that provides sub-millisecond latency on a large scale?
A. Amazon DynamoDB
B. Amazon Aurora
C. Amazon DocumentDB (with MongoDB compatibility)
D. Amazon Neptune
Correct Answer: A
Section:
Explanation:
The correct answer is A because Amazon DynamoDB is a key-value database that provides submillisecond latency on a large scale. Amazon DynamoDB is a fully managed, serverless, and scalable NoSQL database
service that supports both key-value and document data models. The other options are incorrect because they are not key-value databases. Amazon Aurora is a relational database that is compatible with MySQL
and PostgreSQL. Amazon DocumentDB (with MongoDB compatibility) is a document database that is compatible with MongoDB. Amazon Neptune is a graph database that supports property graph and RDF
models. Reference: Amazon DynamoDB FAQs
QUESTION 75
www.VCEplus.io
Which AWS service or tool provides users with the ability to monitor AWS service quotas?
A. AWS CloudTrail
B. AWS Cost and Usage Reports
D. AWS Budgets
Correct Answer: C
Section:
Explanation:
The correct answer is C because AWS Trusted Advisor is an AWS service or tool that provides users with the ability to monitor AWS service quotas. AWS Trusted Advisor is an online tool that provides users with
real-time guidance to help them provision their resources following AWS best practices.
One of the categories of checks that AWS Trusted Advisor performs is service limits, which monitors the usage of each AWS service and alerts users when they are close to reaching the default limit. The other
options are incorrect because they are not AWS services or tools that provide users with the ability to monitor AWS service quotas. AWS CloudTrail is a service that enables users to track user activity and API usage
across their AWS account. AWS Cost and Usage Reports is a tool that enables users to access comprehensive information about their AWS costs and usage. AWS Budgets is a tool that enables users to plan their
service usage, costs, and reservations. Reference: [AWS Trusted Advisor FAQs]
QUESTION 76
Which of the following is an advantage of AWS Cloud computing?
A. Trade security for elasticity.

B. Trade operational excellence for agility.

C. Trade fixed expenses for variable expenses.
D. Trade elasticity for performance.
Correct Answer: C
Section:
Explanation:
The correct answer is C because AWS Cloud computing allows customers to trade fixed expenses for variable expenses. This means that customers only pay for the resources they use, and can scale up or down as
needed. The other options are incorrect because they are not advantages of AWS Cloud computing. Trade security for elasticity means that customers have to compromise on the protection of their data and
applications in order to adjust their capacity quickly. Trade operational excellence for agility means that customers have to sacrifice the quality and reliability of their operations in order to respond to changing
needs faster. Trade elasticity for performance means that customers have to limit their ability to scale up or down in order to achieve higher speed and efficiency.
Reference: What is Cloud Computing?
QUESTION 77
A company is running applications on Amazon EC2 instances in the same AWS account for several different projects. The company wants to track the infrastructure costs for each of the projects separately. The
company must conduct this tracking with the least possible impact to the existing infrastructure and with no additional cost.
A. Use a different EC2 instance type for each project.

B. Publish project-specific custom Amazon CloudWatch metrics for each application.
C. Deploy EC2 instances for each project in a separate AWS account.
D. Use cost allocation tags with values that are specific to each project.
Correct Answer: D
Section:
Explanation: www.VCEplus.io
The correct answer is D because cost allocation tags are a way to track the infrastructure costs for each of the projects separately. Cost allocation tags are key-value pairs that can be attached to AWS resources,
such as EC2 instances, and used to categorize and group them for billing purposes. The other options are incorrect because they do not meet the requirements of the question. Use a different EC2 instance type for
each project does not help to track the costs for each project, and may impact the performance and compatibility of the applications. Publish project-specific custom Amazon CloudWatch metrics for each
application does not help to track the costs for each project, and may incur additional charges for using CloudWatch. Deploy EC2 instances for each project in a separate AWS account does help to track the costs for
each project, but it impacts the existing infrastructure and incurs additional charges for using multiple accounts. Reference: Using Cost Allocation Tags
QUESTION 78
A company has an online shopping website and wants to store customers' credit card dat a. The company must meet Payment Card Industry (PCI) standards.
Which service can the company use to access AWS compliance documentation?
A. Amazon Cloud Directory

B. AWS Artifact
D. Amazon Inspector
Correct Answer: B
Section:
Explanation:
The correct answer is B because AWS Artifact is a service that provides access to AWS compliance documentation, such as audit reports, security certifications, and agreements. AWS Artifact allows customers to
download, review, and accept the documents that are relevant to their use of AWS services. The other options are incorrect because they are not services that provide access to AWS compliance documentation.
Amazon Cloud Directory is a service that enables customers to create flexible cloud-native directories for organizing hierarchies of data. AWS Trusted Advisor is a service that provides real-time guidance to help
customers follow AWS best practices for security, performance, cost optimization, and fault tolerance. Amazon Inspector is a service that helps customers find security vulnerabilities and deviations from best

practices in their Amazon EC2 instances. Reference: [AWS Artifact FAQs]
QUESTION 79
Which of the following are components of an AWS Site-to-Site VPN connection? (Select TWO.)
A. AWS Storage Gateway

B. Virtual private gateway
C. NAT gateway
D. Customer gateway
E. Internet gateway
Section:
Explanation:
The correct answers are B and D because a virtual private gateway and a customer gateway are components of an AWS Site-to-Site VPN connection. A virtual private gateway is the AWS side of the VPN connection
that attaches to the customer's VPC. A customer gateway is the customer side of the VPN connection that resides in the customer's network. The other options are incorrect because they are not components of an
AWS Site-to-Site VPN connection. AWS Storage Gateway is a service that connects on-premises software applications with cloud-based storage. NAT gateway is a service that enables instances in a private subnet to
connect to the internet or other AWS services, but prevents the internet from initiating a connection with those instances. Internet gateway is a service that enables communication between instances in a VPC and
the internet. Reference: [What is AWS Siteto-Site VPN?]
QUESTION 80
A company runs thousands of simultaneous simulations using AWS Batch. Each simulation is stateless, is fault tolerant, and runs for up to 3 hours.
Which pricing model enables the company to optimize costs and meet these requirements?
A.
B.
Reserved Instances
Spot Instances
www.VCEplus.io
C. On-Demand Instances
D. Dedicated Instances
Correct Answer: B
Section:
Explanation:
The correct answer is B because Spot Instances enable the company to optimize costs and meet the requirements. Spot Instances are spare EC2 instances that are available at up to 90% discount compared to On-
Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible applications that can run for any duration. The other options are incorrect because they do not enable the company to optimize
costs and meet the requirements. Reserved Instances are EC2 instances that are reserved for a specific period of time (one or three years) in exchange for a lower hourly rate. Reserved Instances are suitable for
steady-state or predictable workloads that run for a long duration. On-Demand Instances are EC2 instances that are launched and billed at a fixed hourly rate. On-Demand Instances are suitable for short-term,
irregular, or unpredictable workloads that cannot be interrupted. Dedicated Instances are EC2 instances that run on hardware that is dedicated to a single customer. Dedicated Instances are suitable for workloads
that require regulatory compliance or data isolation. Reference: [Amazon EC2 Instance Purchasing Options]
QUESTION 81
A company has an application with robust hardware requirements. The application must be accessed by students who are using lightweight, low-cost laptops.
Which AWS service will help the company deploy the application without investing in backend infrastructure or high end client hardware?
A. Amazon AppStream 2.0

B. AWS AppSync
C. Amazon WorkLink

Correct Answer: A
Section:
Explanation:
The correct answer is A because Amazon AppStream 2.0 is a service that will help the company deploy the application without investing in backend infrastructure or high end client hardware.
Amazon AppStream 2.0 is a fully managed, secure application streaming service that allows customers to stream desktop applications from AWS to any device running a web browser. Amazon AppStream 2.0
handles the provisioning, scaling, patching, and maintenance of the backend infrastructure, and delivers high performance and responsive user experience. The other options are incorrect because they are not
services that will help the company deploy the application without investing in backend infrastructure or high end client hardware. AWS AppSync is a service that enables customers to create flexible APIs for
synchronizing data across multiple data sources.
Amazon WorkLink is a service that enables customers to provide secure, one-click access to internal websites and web apps from mobile devices. AWS Elastic Beanstalk is a service that enables customers to deploy
and manage web applications using popular platforms such as Java, .NET, PHP, and Node.js. Reference: [Amazon AppStream 2.0 FAQs]
QUESTION 82
Which AWS service will help a company identify the user who deleted an Amazon EC2 instance yesterday?
C. AWS CloudTrail
D. Amazon Inspector
Correct Answer: C
Section:
Explanation:
www.VCEplus.io
The correct answer is C because AWS CloudTrail is a service that will help a company identify the user who deleted an Amazon EC2 instance yesterday. AWS CloudTrail is a service that enables users to track user
activity and API usage across their AWS account. AWS CloudTrail records the details of every API call made to AWS services, such as the identity of the caller, the time of the call, the source IP address of the caller,
the parameters and responses of the call, and more. Users can use AWS CloudTrail to audit, monitor, and troubleshoot their AWS resources and actions. The other options are incorrect because they are not
services that will help a company identify the user who deleted an Amazon EC2 instance yesterday. Amazon CloudWatch is a service that enables users to collect, analyze, and visualize metrics, logs, and events
from their AWS resources and applications. AWS Trusted Advisor is a service that provides real-time guidance to help users follow AWS best practices for security, performance, cost optimization, and fault
tolerance. Amazon Inspector is a service that helps users find security vulnerabilities and deviations from best practices in their Amazon EC2 instances. Reference: AWS CloudTrail FAQs
QUESTION 83
Which AWS database service provides in-memory data storage?
A. Amazon DynamoDB
B. Amazon ElastiCache
C. Amazon RDS
D. Amazon Timestream
Correct Answer: B
Section:
Explanation:
The correct answer is B because Amazon ElastiCache is a service that provides in-memory data storage. Amazon ElastiCache is a fully managed, scalable, and high-performance service that supports two popular
open-source in-memory engines: Redis and Memcached. Amazon ElastiCache allows users to store and retrieve data from fast, low-latency, and high-throughput in-memory systems. Users can use Amazon
ElastiCache to improve the performance of their applications by caching frequently accessed data, reducing database load, and enabling real-time data processing.
The other options are incorrect because they are not services that provide in-memory data storage.
Amazon DynamoDB is a service that provides key-value and document data storage. Amazon RDS is a service that provides relational data storage. Amazon Timestream is a service that provides time series data

storage. Reference: Amazon ElastiCache FAQs
QUESTION 84
Which of the following acts as an instance-level firewall to control inbound and outbound access?
A. Network access control list

B. Security groups
D. Virtual private gateways
Correct Answer: B
Section:
Explanation:
The correct answer is B because security groups are AWS features that act as instance-level firewalls to control inbound and outbound access. Security groups are virtual firewalls that can be attached to one or
more Amazon EC2 instances. Users can configure rules for security groups to allow or deny traffic based on protocols, ports, and source or destination IP addresses. The other options are incorrect because they are
not AWS features that act as instance-level firewalls to control inbound and outbound access. Network access control list is an AWS feature that acts as a subnet-level firewall to control inbound and outbound
access. AWS Trusted Advisor is an AWS service that provides real-time guidance to help users follow AWS best practices for security, performance, cost optimization, and fault tolerance. Virtual private gateways are
AWS features that enable users to create a secure and encrypted connection between their VPC and their on-premises network.
Reference: Security Groups for Your VPC
QUESTION 85
A company has an application that uses AWS services. During scaling events, the company wants to keep application usage within AWS service quotas.
Which AWS services or tools can report on the quotas so that the company can improve the reliability of the application? (Select TWO.)
A.
B.
Service Quotas console
AWS Trusted Advisor
www.VCEplus.io
C. AWS Systems Manager
D. AWS Shield
E. AWS Cost Explorer
Section:
Explanation:
The correct answers are A and B because Service Quotas console and AWS Trusted Advisor are AWS services or tools that can report on the quotas so that the company can improve the reliability of the application.
Service Quotas console is an AWS tool that enables users to view and manage their quotas for AWS services from a central location. Users can use Service Quotas console to request quota increases, track quota
usage, and set up alarms for approaching quota limits. AWS Trusted Advisor is an AWS service that provides real-time guidance to help users follow AWS best practices for security, performance, cost optimization,
and fault tolerance. One of the categories of checks that AWS Trusted Advisor performs is service limits, which monitors the usage of each AWS service and alerts users when they are close to reaching the default
limit. The other options are incorrect because they are not AWS services or tools that can report on the quotas so that the company can improve the reliability of the application. AWS Systems Manager is an AWS
service that enables users to automate operational tasks, manage configuration and compliance, and monitor system health and performance. AWS Shield is an AWS service that protects users from distributed
denial of service (DDoS) attacks. AWS Cost Explorer is an AWS tool that enables users to visualize, understand, and manage their AWS costs and usage. Reference: Service Quotas, AWS Trusted Advisor FAQs
QUESTION 86
Which of the following are AWS Cloud design principles? (Select TWO.)
A. Pay for compute resources in advance.

B. Make data-driven decisions to determine cloud architectural design.

C. Emphasize manual processes to allow for changes.
D. Test systems at production scale.
E. Refine operational procedures infrequently.
Section:
Explanation:
The correct answers are B and D because making data-driven decisions to determine cloud architectural design and testing systems at production scale are AWS Cloud design principles. Making data-driven
decisions to determine cloud architectural design means that users should collect and analyze data from their AWS resources and applications to optimize their performance, availability, security, and cost. Testing
systems at production scale means that users should simulate real-world scenarios and load conditions to validate the functionality, reliability, and scalability of their systems.
The other options are incorrect because they are not AWS Cloud design principles. Paying for compute resources in advance means that users have to invest heavily in data centers and servers before they know
how they will use them. This is not a cloud design principle, but rather a traditional IT model. Emphasizing manual processes to allow for changes means that users have to rely on human intervention and
coordination to perform operational tasks and updates. This is not a cloud design principle, but rather a source of inefficiency and error. Refining operational procedures infrequently means that users have to stick
to the same methods and practices without adapting to the changing needs and feedback. This is not a cloud design principle, but rather a hindrance to innovation and improvement. Reference: AWS Well-
Architected Framework
QUESTION 87
A company needs to migrate all of its development teams to a cloud-based integrated development environment (IDE).
Which AWS service should the company use?
A. AWS CodeBuild
B. AWS Cloud9
C. AWS OpsWorks
D. AWS Cloud Development Kit (AWS CDK)
Correct Answer: B
www.VCEplus.io
Section:
Explanation:
The correct answer is B because AWS Cloud9 is an AWS service that enables users to run their existing custom, nonproduction workloads in the AWS Cloud quickly and cost-effectively. AWS Cloud9 is a cloud-based
integrated development environment (IDE) that allows users to write, run, and debug code from a web browser. AWS Cloud9 supports multiple programming languages, such as Python, Java, Node.js, and more.
AWS Cloud9 also provides users with a terminal that can access AWS services and resources, such as Amazon EC2 instances, AWS Lambda functions, and AWS CloudFormation stacks. The other options are incorrect
because they are not AWS services that enable users to run their existing custom, nonproduction workloads in the AWS Cloud quickly and cost-effectively. AWS CodeBuild is an AWS service that enables users to
compile, test, and package their code for deployment. AWS OpsWorks is an AWS service that enables users to configure and manage their applications using Chef or Puppet. AWS Cloud Development Kit (AWS CDK)
is an AWS service that enables users to define and provision their cloud infrastructure using familiar programming languages, such as TypeScript, Python, Java, and C#. Reference: AWS Cloud9 FAQs
QUESTION 88
A company needs to run its existing custom, nonproduction workloads in the AWS Cloud quickly and cost-effectively.
The workloads can recover from interruptions easily.
Which pricing model should the company use?
A. Reserved Instances
B. On-Demand Instances
C. Spot Instances
D. Dedicated Hosts
Correct Answer: C

Section:
Explanation:
The correct answer is C because Spot Instances are the pricing model that enables the company to run its existing custom, nonproduction workloads in the AWS Cloud quickly and cost-effectively. Spot Instances are
spare Amazon EC2 instances that are available at up to 90% discount compared to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible workloads that can recover from
interruptions easily. The other options are incorrect because they are not the pricing model that enables the company to run its existing custom, nonproduction workloads in the AWS Cloud quickly and cost-
effectively. Reserved Instances are Amazon EC2 instances that are reserved for a specific period of time (one or three years) in exchange for a lower hourly rate.
Reserved Instances are suitable for steady-state or predictable workloads that run for a long duration. On-Demand Instances are Amazon EC2 instances that are launched and billed at a fixed hourly rate. On-
Demand Instances are suitable for short-term, irregular, or unpredictable workloads that cannot be interrupted. Dedicated Hosts are physical servers that are dedicated to a single customer. Dedicated Hosts are
suitable for workloads that require regulatory compliance or data isolation. Reference: Amazon EC2 Instance Purchasing Options
QUESTION 89
Which AWS features will meet these requirements? (Select TWO.)
A. Security groups
B. Network ACLs
C. S3 bucket policies
D. 1AM user policies
E. S3 bucket versioning
Section:
Explanation:
The correct answers are C and D because S3 bucket policies and IAM user policies are AWS features that will meet the requirements. S3 bucket policies are access policies that can be attached to Amazon S3 buckets
www.VCEplus.io
to grant or deny permissions to the bucket and the objects it contains. S3 bucket policies can be used to control who has permission to read, write, or delete objects that the company stores in the S3 bucket. IAM
user policies are access policies that can be attached to IAM users to grant or deny permissions to AWS resources and actions. IAM user policies can be used to control who has permission to read, write, or delete
objects that the company stores in the S3 bucket. The other options are incorrect because they are not AWS features that will meet the requirements.
Security groups and network ACLs are AWS features that act as firewalls to control inbound and outbound traffic to and from Amazon EC2 instances and subnets. Security groups and network ACLs do not control
who has permission to read, write, or delete objects that the company stores in the S3 bucket. S3 bucket versioning is an AWS feature that enables users to keep multiple versions of the same object in the same
bucket. S3 bucket versioning can be used to recover from accidental overwrites or deletions of objects, but it does not control who has permission to read, write, or delete objects that the company stores in the S3
bucket. Reference: Using Bucket Policies and User Policies, Security Groups for Your VPC, Network ACLs, [Using Versioning]
QUESTION 90
Which of the following is a recommended design principle of the AWS Well-Architected Framework?
A. Reduce downtime by making infrastructure changes infrequently and in large increments.

B. Invest the time to configure infrastructure manually.
C. Learn to improve from operational failures.
D. Use monolithic application design for centralization.
Correct Answer: C
Section:
Explanation:
The correct answer is C because learning to improve from operational failures is a recommended design principle of the AWS Well-Architected Framework. The AWS Well-Architected Framework is a set of best
practices and guidelines for designing and operating reliable, secure, efficient, and costeffective systems in the cloud. The AWS Well-Architected Framework consists of five pillars:
operational excellence, security, reliability, performance efficiency, and cost optimization. Each pillar has a set of design principles that describe the characteristics of a well-architected system. Learning to improve
from operational failures is a design principle of the operational excellence pillar, which focuses on running and monitoring systems to deliver business value and continually improve supporting processes and
procedures. The other options are incorrect because they are not recommended design principles of the AWS Well-Architected Framework. Reducing downtime by making infrastructure changes infrequently and

in large increments is not a design principle of the AWS Well-Architected Framework, but rather a source of risk and inefficiency. A well-architected system should implement changes frequently and in small
increments to minimize the impact and scope of failures. Investing the time to configure infrastructure manually is not a design principle of the AWS Well-Architected Framework, but rather a source of human
error and inconsistency. A wellarchitected system should automate manual tasks to improve the speed and accuracy of operations.
Using monolithic application design for centralization is not a design principle of the AWS Well-Architected Framework, but rather a source of complexity and rigidity. A well-architected system should use loosely
coupled and distributed components to enable scalability and resilience.
Reference: [AWS Well-Architected Framework]
QUESTION 91
A security engineer wants a single-tenant AWS solution to create, control, and manage their own cryptographic keys to meet regulatory compliance requirements for data security.
Which AWS service should the engineer use?
A. AWS Key Management Service (AWS KMS)

B. AWS Certificate Manager (ACM)
C. AWS CloudHSM
Correct Answer: C
Section:
Explanation:
The correct answer is C because AWS CloudHSM is an AWS service that enables the security engineer to meet the requirements. AWS CloudHSM is a service that provides customers with dedicated hardware
security modules (HSMs) to create, control, and manage their own cryptographic keys in the AWS Cloud. AWS CloudHSM allows customers to meet strict regulatory compliance requirements for data security, such
as FIPS 140-2 Level 3, PCI-DSS, and HIPAA. The other options are incorrect because they are not AWS services that enable the security engineer to meet the requirements. AWS Key Management Service (AWS KMS)
is a service that provides customers with a fully managed, scalable, and integrated key management system to create and control encryption keys for AWS services and applications. AWS KMS does not provide
www.VCEplus.io
customers with single-tenant or dedicated HSMs. AWS Certificate Manager (ACM) is a service that provides customers with a simple and secure way to provision, manage, and deploy public and private Secure
Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources. ACM does not provide customers with HSMs or cryptographic keys. AWS Systems Manager
is a service that provides customers with a unified user interface to view operational data from multiple AWS services and automate operational tasks across their AWS resources. AWS Systems Manager does not
provide customers with HSMs or cryptographic keys.
Reference: AWS CloudHSM FAQs
QUESTION 92
Which tasks are the responsibility of AWS, according to the AWS shared responsibility model? (Select TWO.)
A. Patch AWS network devices.

B. Set user password rules.
C. Provide physical security for compute resources.
D. Configure security groups.
E. Patch the operating system of an Amazon EC2 instance.
Section:
Explanation:
The correct answers are A and C because patching AWS network devices and providing physical security for compute resources are tasks that are the responsibility of AWS, according to the AWS shared
responsibility model. The AWS shared responsibility model is a framework that defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the
security of the cloud, which includes the global infrastructure, such as the regions, availability zones, and edge locations; the hardware, software, networking, and facilities that run the AWS services; and the
virtualization layer that separates the customer instances and storage.
The customer is responsible for the security in the cloud, which includes the customer data, the guest operating systems, the applications, the identity and access management, the firewall configuration, and the
encryption. The other options are incorrect because they are tasks that are the responsibility of the customer, according to the AWS shared responsibility model. Setting user password rules, configuring security

groups, and patching the operating system of an Amazon EC2 instance are all tasks that the customer has to perform to secure their AWS environment. Reference: AWS Shared Responsibility Model
QUESTION 93
Which AWS service or feature captures information about the network traffic to and from an Amazon EC2 instance?
A. VPC Reachability Analyzer

B. Amazon Athena
C. VPC Flow Logs
D. AWS X-Ray
Correct Answer: C
Section:
Explanation:
The correct answer is C because VPC Flow Logs is an AWS service or feature that captures information about the network traffic to and from an Amazon EC2 instance. VPC Flow Logs is a feature that enables
customers to capture information about the IP traffic going to and from network interfaces in their VPC. VPC Flow Logs can help customers to monitor and troubleshoot connectivity issues, such as traffic not
reaching an instance or traffic being rejected by a security group. The other options are incorrect because they are not AWS services or features that capture information about the network traffic to and from an
Amazon EC2 instance. VPC Reachability Analyzer is an AWS service or feature that enables customers to perform connectivity testing between resources in their VPC and identify configuration issues that prevent
connectivity. Amazon Athena is an AWS service that enables customers to query data stored in Amazon S3 using standard SQL. AWS X-Ray is an AWS service that enables customers to analyze and debug distributed
applications, such as those built using a microservices architecture. Reference: VPC Flow Logs
QUESTION 94
Which of the following are pillars of the AWS Well-Architected Framework? (Select TWO.)
A.
B.
C.
Availability
Reliability
Scalability
www.VCEplus.io
D. Responsive design
E. Operational excellence
Section:
Explanation:
The correct answers to the questions are B and E because reliability and operational excellence are pillars of the AWS Well-Architected Framework. The AWS Well-Architected Framework is a set of best practices
and guidelines for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. The AWS Well-Architected Framework consists of five pillars: operational excellence, security, reliability,
performance efficiency, and cost optimization. Each pillar has a set of design principles that describe the characteristics of a well-architected system. Reliability is the pillar that focuses on the ability of a system to
recover from failures and meet business and customer demand. Operational excellence is the pillar that focuses on the ability of a system to run and monitor processes that support business outcomes and
continually improve. The other options are incorrect because they are not pillars of the AWS Well-Architected Framework. Availability, scalability, and responsive design are important aspects of cloud architecture,
but they are not separate pillars in the framework. Availability and scalability are related to the reliability and performance efficiency pillars, while responsive design is related to the customer experience and user
interface. Reference: AWS Well-Architected Framework
QUESTION 95
Which tasks are customer responsibilities according to the AWS shared responsibility model? (Select TWO.)
A. Determine application dependencies with operating systems.

B. Provide user access with AWS Identity and Access Management (1AM).
C. Secure the data center in an Availability Zone.

D. Patch the hypervisor.
E. Provide network availability in Availability Zones.
Correct Answer: B
Section:
Explanation:
The correct answer to the question is B because providing user access with AWS Identity and Access Management (IAM) is a customer responsibility according to the AWS shared responsibility model.
The AWS shared responsibility model is a framework that defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which
the firewall configuration, and the encryption.
IAM is an AWS service that enables customers to manage access and permissions to AWS resources and services. Customers are responsible for creating and managing IAM users, groups, roles, and policies, and
ensuring that they follow the principle of least privilege. Reference: AWS Shared Responsibility Model
QUESTION 96
A user wants to identify any security group that is allowing unrestricted incoming SSH traffic.
Which AWS service can be used to accomplish this goal?
A. Amazon Cognito
B. AWS Shield
C. Amazon Macie
D. AWS Trusted Advisor
Correct Answer: D
Section:
Explanation:
www.VCEplus.io
The correct answer to the question is D because AWS Trusted Advisor is an AWS service that can be used to accomplish the goal of identifying any security group that is allowing unrestricted incoming SSH traffic.
AWS Trusted Advisor is a service that provides customers with recommendations that help them follow AWS best practices. Trusted Advisor evaluates the customer's AWS environment and identifies ways to
optimize their AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. One of the checks that Trusted Advisor performs is the Security Groups - Specific Ports Unrestricted
check, which flags security groups that allow unrestricted access to specific ports, such as port 22 for SSH. Customers can use this check to review and modify their security group rules to restrict SSH access to only
authorized sources. Reference: Security Groups -Specific Ports Unrestricted
QUESTION 97
Which AWS feature or resource is a deployable Amazon EC2 instance template that is prepackaged with software and security requirements?
A. Amazon Elastic Block Store (Amazon EBS) volume

B. AWS CloudFormation template
C. Amazon Elastic Block Store (Amazon EBS) snapshot
D. Amazon Machine Image (AMI)
Correct Answer: D
Section:
Explanation:
: An Amazon Machine Image (AMI) is a deployable Amazon EC2 instance template that is prepackaged with software and security requirements. It provides the information required to launch an instance, which is a
virtual server in the cloud. You can use an AMI to launch as many instances as you need. You can also create your own custom AMIs or use AMIs shared by other AWS users1.
QUESTION 98

Which AWS service is a highly available and scalable DNS web service?
A. Amazon VPC
B. Amazon CloudFront
C. Amazon Route 53
D. Amazon Connect
Correct Answer: C
Section:
Explanation:
Amazon Route 53 is a highly available and scalable DNS web service. It is designed to give developers and businesses an extremely reliable and cost-effective way to route end users to Internet applications by
translating domain names into the numeric IP addresses that computers use to connect to each other2. Amazon Route 53 also offers other features such as health checks, traffic management, domain name
registration, and DNSSEC3.
QUESTION 99
Which of the following is a characteristic of the AWS account root user?
A. The root user is the only user that can be configured with multi-factor authentication (MFA).
B. The root user is the only user that can access the AWS Management Console.
C. The root user is the first sign-in identity that is available when an AWS account is created.
D. The root user has a password that cannot be changed.
Correct Answer: C
Section:
The AWS account root user is the first sign-in identity that is available when an AWS account is created. It has complete access to all AWS services and resources in the account. The root user email address and
password are the same credentials that are used to sign in to the AWS Management Console4. The root user should be used only to perform a few account and service management tasks. For day-to-day tasks, it is
recommended to use AWS Identity and Access Management (IAM) users or roles instead.
QUESTION 100
Which AWS service provides the ability to host a NoSQL database in the AWS Cloud?
A. Amazon Aurora
B. Amazon DynamoDB
C. Amazon RDS
D. Amazon Redshift
Correct Answer: B
Section:
Explanation:
Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable performance with seamless scalability. It supports both key-value and document data models, and allows you to
create tables that can store and retrieve any amount of data, and serve any level of request traffic. You can also use DynamoDB Streams to capture data modification events in DynamoDB tables.
QUESTION 101
What is the total amount of storage offered by Amazon S3?

A. WOMB
B. 5 GB
C. 5 TB
D. Unlimited
Correct Answer: D
Section:
Explanation:
Amazon S3 offers unlimited storage for any amount of data. You can store as many objects as you want, and each object can be as large as 5 terabytes. You pay only for the storage space that you actually use, and
there are no minimum commitments or upfront fees. Amazon S3 also provides high durability, availability, scalability, and security for your data.
QUESTION 102
Which AWS network services or features allow Cl DR block notation when providing an IP address range?
(Select TWO.)
A. Security groups
B. Amazon Machine Image (AMI)
C. Network access control list (network ACL)
D. AWS Budgets
E. Amazon Elastic Block Store (Amazon EBS)
Section:
Explanation:
www.VCEplus.io
Security groups and network access control lists (network ACLs) are two AWS network services or features that allow CIDR block notation when providing an IP address range. Security groups act as a firewall for
associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. Network ACLs act as a firewall for associated subnets, controlling both inbound and outbound traffic at the
subnet level. Both security groups and network ACLs use CIDR block notation to specify the IP address ranges that are allowed or denied
QUESTION 103
A company has a workload that requires data to be collected, analyzed, and stored on premises. The company wants to extend the use of AWS services to run on premises with access to the company network and
the company's VPC.
Which AWS service meets this requirement?
A. AWS Outposts
C. AWS Direct Connect
D. AWS Snowball
Correct Answer: A
Section:
Explanation:
AWS Outposts is an AWS service that meets the requirement of running AWS services on premises with access to the company network and the company's VPC. AWS Outposts is a fully managed service that
extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, colocation space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts is ideal for workloads that
require low latency access to on-premises systems, local data processing, or local data storage2.
QUESTION 104

A company wants to deploy and manage a Docker-based application on AWS.
Which solution meets these requirements with the LEAST amount of operational overhead?
A. An open-source Docker orchestrator on Amazon EC2 instances

B. AWS AppSync
C. Amazon Elastic Container Registry (Amazon ECR)
D. Amazon Elastic Container Service (Amazon ECS)
Correct Answer: D
Section:
Explanation:
Amazon Elastic Container Service (Amazon ECS) is a solution that meets the requirements of deploying and managing a Docker-based application on AWS with the least amount of operational overhead. Amazon
ECS is a fully managed container orchestration service that makes it easy to run, scale, and secure Docker container applications on AWS. Amazon ECS eliminates the need for you to install, operate, and scale your
own cluster management infrastructure. With simple API calls, you can launch and stop container-enabled applications, query the complete state of your cluster, and access many familiar features like security
groups, Elastic Load Balancing, EBS volumes, and IAM roles3.
QUESTION 105
When designing AWS workloads to be operational even when there are component failures, what is an AWS best practice?
A. Perform quarterly disaster recovery tests.

B. Place the main component on the us-east-1 Region.
C. Design for automatic failover to healthy resources.
D. Design workloads to fit on a single Amazon EC2 instance.
Correct Answer: C
Section:
www.VCEplus.io
Explanation:
Designing for automatic failover to healthy resources is an AWS best practice when designing AWS workloads to be operational even when there are component failures. This means that you should architect your
system to handle the loss of one or more components without impacting the availability or performance of your application. You can use various AWS services and features to achieve this, such as Auto Scaling,
Elastic Load Balancing, Amazon Route 53, Amazon CloudFormation, and AWS CloudFormation4.
QUESTION 106
Which AWS service provides highly durable object storage?
A. Amazon S3
B. Amazon Elastic File System (Amazon EFS)
C. Amazon Elastic Block Store (Amazon EBS)
D. Amazon FSx
Correct Answer: A
Section:
Explanation:
Amazon S3 is the AWS service that provides highly durable object storage. Amazon S3 is designed to provide 99.999999999% durability of objects over a given year. This means that you can store your data with
high confidence that it will not be lost. Amazon S3 also provides high availability, scalability, security, and performance for your data. You can use Amazon S3 to store and retrieve any amount of data, at any time,
from anywhere on the web5.

QUESTION 107
Which pillar of the AWS Well-Architected Framework includes a design principle about measuring the overall efficiency of workloads in terms of business value?
A. Operational excellence
B. Security
C. Reliability
Correct Answer: A
Section:
Explanation:
The operational excellence pillar of the AWS Well-Architected Framework includes a design principle about measuring the overall efficiency of workloads in terms of business value. This principle states that you
should monitor and measure key performance indicators (KPIs) and set targets and thresholds that align with your business goals. You should also use feedback loops to continuously improve your processes and
procedures1.
QUESTION 108
Who enables encryption of data at rest for Amazon Elastic Block Store (Amazon EBS)?
A. AWS Support
B. AWS customers
C. AWS Key Management Service (AWS KMS)
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
AWS customers are responsible for enabling encryption of data at rest for Amazon Elastic Block Store (Amazon EBS). Amazon EBS encryption offers a simple encryption solution for your EBS volumes that does not
require you to build, maintain, and secure your own key management infrastructure. You can encrypt both the boot and data volumes of your EC2 instances. You can use AWS Key Management Service (AWS KMS)
customer master keys (CMKs) or your own CMKs to encrypt your volumes2.
QUESTION 109
Who is responsible for decommissioning end-of-life underlying storage devices that are used to host data on AWS?
A. Customer
B. AWS
C. Account creator
D. Auditing team
Correct Answer: B
Section:
Explanation:
AWS is responsible for decommissioning end-of-life underlying storage devices that are used to host data on AWS. AWS follows strict and audited data destruction processes to ensure that customer data is not
exposed to unauthorized individuals or devices when an AWS storage device reaches the end of its useful life. AWS uses techniques detailed in DoD 5220.22-M ("National Industrial Security Program Operating
Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process3.
QUESTION 110

A company wants to manage access and permissions for its third-party software as a service (SaaS) applications. The company wants to use a portal where end users can access assigned AWS accounts and AWS
Cloud applications.
A. Amazon Cognito
B. AWS 1AM Identity Center (AWS Single Sign-On)
C. AWS Identity and Access Management (1AM)
D. AWS Directory Service for Microsoft Active Directory
Correct Answer: B
Section:
Explanation:
AWS IAM Identity Center (AWS Single Sign-On) is the AWS service that the company should use to meet the requirements of managing access and permissions for its third-party SaaS applications.
AWS Single Sign-On is a cloud-based service that makes it easy to centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications. You can use AWS Single Sign-On to enable your
users to sign in to a user portal with their existing corporate credentials and access all of their assigned accounts and applications from one place4.
QUESTION 111
A large company wants to track the combined AWS usage costs of all of its linked accounts.
How can this be accomplished?
A. Use AWS Trusted Advisor to generate customized summary reports.

B. Use AWS Organizations to generate consolidated billing reports.
C. Use AWS Budgets to set utilization targets and receive summary reports.
D.
www.VCEplus.io
Use the AWS Control Tower dashboard to get a summary report of all linked account costs.
Correct Answer: B
Section:
Explanation:
The company can use AWS Organizations to track the combined AWS usage costs of all of its linked accounts. AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an
organization that you can manage centrally. You can use AWS Organizations to create a consolidated billing report that shows the charges incurred by each account in your organization as well as the total charges
across all accounts. You can also use AWS Organizations to apply policies and controls to your accounts to help you manage costs and security5.
QUESTION 112
A company wants its Amazon EC2 instances to operate in a highly available environment, even if there is a natural disaster in a particular geographic area.
Which solution achieves this goal?
A. Use EC2 instances in a single Availability Zone.

B. Use EC2 instances in multiple AWS Regions.
C. Use EC2 instances in multiple edge locations.
D. Use Amazon CloudFront with the EC2 instances configured as the source.
Correct Answer: B
Section:
Explanation:
To achieve high availability in the event of a natural disaster, the company should use EC2 instances in multiple AWS Regions. AWS Regions are geographically isolated areas that consist of multiple Availability
Zones. Availability Zones are physically separate locations within an AWS Region that are engineered to be isolated from failures. By using EC2 instances in multiple AWS Regions, the company can ensure that its

applications can continue to run even if one Region is affected by a disaster. AWS Global InfrastructureAWS Well-Architected Framework
QUESTION 113
Using Amazon Elastic Container Service (Amazon ECS) to break down a monolithic architecture into microservices is an example of:
A. a loosely coupled architecture.

B. a tightly coupled architecture.
C. a stateless architecture.
D. a stateful architecture.
Correct Answer: A
Section:
Explanation:
Using Amazon Elastic Container Service (Amazon ECS) to break down a monolithic architecture into microservices is an example of a loosely coupled architecture. A loosely coupled architecture is one where the
components are independent and can communicate with each other through well-defined interfaces. This allows for greater scalability, flexibility, and resilience. A tightly coupled architecture is one where the
components are interdependent and rely on each other for functionality. This can lead to increased complexity, fragility, and difficulty in changing or scaling the system. Amazon ECS OverviewAWS Well-Architected
Framework
QUESTION 114
Which of the following are design principles for reliability in the AWS Cloud? (Select TWO.)
A. Build architectures with tightly coupled resources.

B. Use AWS Trusted Advisor to meet security best practices.
C.
D.
E.
Use automation to recover immediately from failure.
www.VCEplus.io
Rightsize Amazon EC2 instances to ensure optimal performance.
Simulate failures to test recovery processes.
Section:
Explanation:
The design principles for reliability in the AWS Cloud are:
Test recovery procedures. The best way to ensure that systems can recover from failures is to regularly test them using simulated scenarios. This can help identify gaps and improve the recovery process.
Automatically recover from failure. By using automation, systems can detect and correct failures without human intervention. This can reduce the impact and duration of failures and improve the availability of the
system.
Scale horizontally to increase aggregate system availability. By adding more redundant resources to the system, the impact of individual resource failures can be reduced. This can also improve the performance and
scalability of the system.
Stop guessing capacity. By using monitoring and automation, systems can adjust the capacity based on the demand and performance metrics. This can prevent failures due to insufficient or excessive capacity and
optimize the cost and efficiency of the system.
Manage change in automation. By using automation, changes to the system can be applied in a consistent and controlled manner. This can reduce the risk of human errors and configuration drifts that can cause
failures. AWS Well-Architected Framework
QUESTION 115
Which statements represent the cost-effectiveness of the AWS Cloud? (Select TWO.)
A. Users can trade fixed expenses for variable expenses.

B. Users can deploy all over the world in minutes.

C. AWS offers increased speed and agility.
D. AWS is responsible for patching the infrastructure.
E. Users benefit from economies of scale.
Correct Answer: A, E
Section:
Explanation:
The statements that represent the cost-effectiveness of the AWS Cloud are:
Users can trade fixed expenses for variable expenses. By using the AWS Cloud, users can pay only for the resources they use, instead of investing in fixed and upfront costs for hardware and software. This can lower
the total cost of ownership and increase the return on investment.
Users benefit from economies of scale. By using the AWS Cloud, users can leverage the massive scale and efficiency of AWS to access lower prices and higher performance. AWS passes the cost savings to the users
through price reductions and innovations. AWS Cloud Value Framework
QUESTION 116
A company wants to migrate its on-premises data warehouse to AWS. The information in the data warehouse is used to populate analytics dashboards.
Which AWS service should the company use for the data warehouse?
A. Amazon ElastiCache
B. Amazon Aurora
C. Amazon RDS
D. Amazon Redshift
Correct Answer: D
Section:
The AWS service that the company should use for the data warehouse is Amazon Redshift. Amazon Redshift is a fully managed, petabyte-scale data warehouse service that is optimized for analytical queries. It can
integrate with various data sources and business intelligence tools to provide fast and cost-effective insights. Amazon Redshift also offers high availability, scalability, security, and compliance features. [Amazon
Redshift Overview]
QUESTION 117
Which benefit does Amazon Rekognition provide?
A. The ability to place watermarks on images

B. The ability to detect objects that appear in pictures
C. The ability to resize millions of images automatically
D. The ability to bid on object detection jobs
Correct Answer: B
Section:
Explanation:
Amazon Rekognition is a service that provides deep learning-based image and video analysis. One of the benefits of Amazon Rekognition is the ability to detect objects that appear in pictures, such as faces,
landmarks, animals, text, and scenes. This can enable applications to perform tasks such as face recognition, face verification, face comparison, face search, celebrity recognition, emotion detection, age range
estimation, gender identification, facial analysis, facial expression recognition, and more. Amazon Rekognition OverviewAWS Certified Cloud Practitioner - aws.amazon.com
QUESTION 118
Which AWS service uses a combination of publishers and subscribers?

A. AWS Lambda
B. Amazon Simple Notification Service (Amazon SNS)
C. Amazon CloudWatch
D. AWS CloudFormation
Correct Answer: B
Section:
Explanation:
Amazon Simple Notification Service (Amazon SNS) is a service that provides fully managed pub/sub messaging. Pub/sub messaging is a pattern that uses a combination of publishers and subscribers.
Publishers are entities that produce messages and send them to topics. Subscribers are entities that receive messages from topics. Topics are logical access points that act as communication channels between
publishers and subscribers. Amazon SNS enables applications to decouple, scale, and coordinate the delivery of messages to multiple endpoints, such as email, SMS, mobile push notifications, Lambda functions,
SQS queues, and HTTP/S endpoints. Amazon SNS OverviewAWS Certified Cloud Practitioner - aws.amazon.com
QUESTION 119
A company is developing an application that uses multiple AWS services. The application needs to use temporary, limited-privilege credentials for authentication with other AWS APIs.
Which AWS service or feature should the company use to meet these authentication requirements?
A. Amazon API Gateway

B. 1AM users
C. AWS Security Token Service (AWS STS)
D. 1AM instance profiles
Correct Answer: C
Section:
Explanation:
www.VCEplus.io
AWS Security Token Service (AWS STS) is a service that enables applications to request temporary, limited-privilege credentials for authentication with other AWS APIs. AWS STS can be used to grant access to AWS
resources to users who are federated (using IAM roles), switched (using IAM users), or cross-account (using IAM roles). AWS STS can also be used to assume a role within the same account or a different account.
The credentials issued by AWS STS are short-term and have a limited scope, which can enhance the security and compliance of the application. AWS STS OverviewAWS Certified Cloud Practitioner -
aws.amazon.com
QUESTION 120
A company is migrating an application that includes an Oracle database to AWS. The company cannot rewrite the application.
To which AWS service could the company migrate the database?
A. Amazon Athena
B. Amazon DynamoDB
C. Amazon RDS
D. Amazon DocumentDB (with MongoDB compatibility)
Correct Answer: C
Section:
Explanation:
Amazon Relational Database Service (Amazon RDS) is a service that provides fully managed relational database engines. Amazon RDS supports several database engines, including Oracle, MySQL, PostgreSQL,
MariaDB, SQL Server, and Amazon Aurora. Amazon RDS can be used to migrate an application that includes an Oracle database to AWS without rewriting the application, as long as the application is compatible
with the Oracle version and edition supported by Amazon RDS. Amazon RDS can also provide benefits such as high availability, scalability, security, backup and restore, and performance optimization. [Amazon RDS

Overview] AWS Certified Cloud Practitioner -aws.amazon.com
QUESTION 121
Which of the following is an AWS value proposition that describes a user's ability to scale infrastructure based on demand?
A. Speed of innovation
B. Resource elasticity
C. Decoupled architecture
D. Global deployment
Correct Answer: B
Section:
Explanation:
Resource elasticity is an AWS value proposition that describes a user's ability to scale infrastructure based on demand. Resource elasticity means that the user can provision or deprovision resources quickly and
easily, without any upfront commitment or long-term contract. Resource elasticity can help the user optimize the cost and performance of the application, as well as respond to changing business needs and
customer expectations. Resource elasticity can be achieved by using services such as Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, Amazon ECS, and AWS Lambda.
[AWS Cloud Value Framework] AWS Certified Cloud Practitioner - aws.amazon.com
QUESTION 122
A company needs to continuously monitor its environment to analyze network and account activity and identify potential security threats.
A. AWS Artifact
B.
C.
D.
Amazon Macie
AWS Identity and Access Management (1AM)
Amazon GuardDuty
www.VCEplus.io
Correct Answer: D
Section:
Explanation:
Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for the AWS environment. It analyzes network and account activity using machine learning and threat
intelligence to identify potential security threats, such as unauthorized access, compromised credentials, malicious hosts, and reconnaissance activities. It also generates detailed and actionable findings that can be
viewed on the AWS Management Console or sent to other AWS services, such as Amazon CloudWatch Events and AWS Lambda, for further analysis or remediation. Amazon GuardDuty OverviewAWS Certified
Cloud Practitioner - aws.amazon.com
QUESTION 123
Which AWS service can report how AWS resource configurations have changed over time?
A. AWS CloudTrail
C. AWS Config
D. Amazon Inspector
Correct Answer: C
Section:
Explanation:

AWS Config is a service that enables users to assess, audit, and evaluate the configurations of AWS resources. It continuously monitors and records the configuration changes of the resources and evaluates them
against desired configurations and best practices. It also provides a detailed view of the resource configuration history and relationships, as well as compliance reports and notifications.
AWS Config can help users maintain consistent and secure configurations, troubleshoot issues, and simplify compliance auditing. AWS Config OverviewAWS Certified Cloud Practitioner -aws.amazon.com
QUESTION 124
Which AWS benefit is demonstrated by on-demand technology services that enable companies to replace upfront fixed expenses with variable expenses?
C. Pay-as-you-go pricing
D. Global reach
Correct Answer: C
Section:
Explanation:
Pay-as-you-go pricing is an AWS benefit that demonstrates the ability of users to replace upfront fixed expenses with variable expenses. With pay-as-you-go pricing, users only pay for the resources they consume,
without any long-term contracts or commitments. This can lower the total cost of ownership and increase the return on investment. Pay-as-you-go pricing also provides flexibility and scalability, as users can adjust
their resource usage according to their changing needs and demands. AWS Cloud Value FrameworkAWS Certified Cloud Practitioner - aws.amazon.com
QUESTION 125
A company is using AWS Lambda functions to build an application.
Which tasks are the company's responsibility, according to the AWS shared responsibility model?
(Select TWO.)
A.
B.
www.VCEplus.io
Patch the servers where the Lambda functions are deployed.
Establish the 1AM permissions that define who can run the Lambda functions.
C. Write the code for the Lambda functions to define the application logic.
D. Deploy Amazon EC2 instances to support the Lambda functions.
E. Scale out the Lambda functions when the load increases.
Section:
Explanation:
According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while the user is responsible for the security in the cloud. This means that AWS manages the security and
maintenance of the underlying infrastructure, such as the servers, networks, and operating systems, while the user manages the security and configuration of the resources and applications that run on AWS. For
AWS Lambda functions, the tasks that are the user's responsibility are:
Establish the IAM permissions that define who can run the Lambda functions. IAM is a service that enables users to manage access and permissions for AWS resources and users. Users can create IAM policies,
roles, and users to grant or deny permissions to run Lambda functions, invoke other AWS services, or access AWS resources from Lambda functions. [AWS Lambda Permissions] AWS Certified Cloud Practitioner -
aws.amazon.com
Write the code for the Lambda functions to define the application logic. Lambda functions are units of code that can be written in any supported programming language, such as Python, Node.js, Java, or Go. Users
can write the code for the Lambda functions using the AWS Management Console, the AWS Command Line Interface (AWS CLI), the AWS SDKs, or any code editor of their choice. Users can also use AWS Lambda
Layers to share and manage common code and dependencies across multiple functions. [AWS Lambda Overview] AWS Certified Cloud Practitioner - aws.amazon.com
QUESTION 126
Which services can be used to deploy applications on AWS? (Select TWO.)

A. AWS Elastic Beanstalk
B. AWS Config
C. AWS OpsWorks
D. AWS Application Discovery Service
E. Amazon Kinesis
Section:
Explanation:
The services that can be used to deploy applications on AWS are:
AWS Elastic Beanstalk. This is a service that simplifies the deployment and management of web applications on AWS. Users can upload their application code and Elastic Beanstalk automatically handles the
provisioning, scaling, load balancing, monitoring, and health checking of the resources needed to run the application. Users can also retain full control and access to the underlying resources and customize their
configuration settings. Elastic Beanstalk supports multiple platforms, such as Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker. [AWS Elastic Beanstalk Overview] AWS Certified Cloud Practitioner -
aws.amazon.com
AWS OpsWorks. This is a service that provides configuration management and automation for AWS resources. Users can define the application architecture and the configuration of each resource using Chef or
Puppet, which are popular open-source automation platforms. OpsWorks then automatically creates and configures the resources according to the user's specifications. OpsWorks also provides features such as
auto scaling, monitoring, and integration with other AWS services. OpsWorks has two offerings: OpsWorks for Chef Automate and OpsWorks for Puppet Enterprise. [AWS OpsWorks Overview] AWS Certified Cloud
Practitioner - aws.amazon.com
QUESTION 127
Which statement describes a characteristic of the AWS global infrastructure?
A. Edge locations contain multiple AWS Regions.

B.
C.
D.
AWS Regions contain multiple Regional edge caches.
Availability Zones contain multiple data centers.
Each data center contains multiple edge locations.
www.VCEplus.io
Correct Answer: C
Section:
Explanation:
Availability Zones contain multiple data centers. This is a characteristic of the AWS global infrastructure, which consists of AWS Regions, Availability Zones, and edge locations. AWS Regions are geographically
isolated areas that contain multiple Availability Zones. Availability Zones are physically separate locations within an AWS Region that are engineered to be isolated from failures and connected by low-latency, high-
throughput, and highly redundant networking. Each Availability Zone contains one or more data centers that house the servers and storage devices that run AWS services. Edge locations are sites that are located
closer to the end users and provide caching and content delivery services. AWS Global InfrastructureAWS Certified Cloud Practitioner -aws.amazon.com
QUESTION 128
Which of the following is available to a company that has an AWS Business Support plan?
A. AWS Support concierge

B. AWS DDoS Response Team (DRT)
C. AWS technical account manager (TAM)
D. AWS Health API
Correct Answer: D
Section:
Explanation:

AWS Health API is available to a company that has an AWS Business Support plan. The AWS Health API provides programmatic access to the AWS Health information that is presented in the AWS Personal Health
Dashboard. The AWS Health API can help users get timely and personalized information about events that can affect the availability and performance of their AWS resources, such as scheduled maintenance,
network issues, or service disruptions. The AWS Health API can also integrate with other AWS services, such as Amazon CloudWatch Events and AWS Lambda, to enable automated actions and notifications. AWS
Health API OverviewAWS Support Plans
QUESTION 129
Which pillar of the AWS Well-Architected Framework focuses on the return on investment of moving into the AWS Cloud?
A. Sustainability
B. Cost optimization
D. Reliability
Correct Answer: B
Section:
Explanation:
Cost optimization is the pillar of the AWS Well-Architected Framework that focuses on the return on investment of moving into the AWS Cloud. Cost optimization means that users can achieve the desired business
outcomes at the lowest possible price point, while maintaining high performance and reliability. Cost optimization can be achieved by using various AWS features and best practices, such as pay-as-you-go pricing,
right-sizing, elasticity, reserved instances, spot instances, cost allocation tags, cost and usage reports, and AWS Trusted Advisor. [AWS Well-Architected Framework] AWS Certified Cloud Practitioner -
aws.amazon.com
QUESTION 130
Which AWS service or feature offers HTTP attack protection to users running public-facing web applications?
A.
B.
Security groups
Network ACLs
www.VCEplus.io
C. AWS Shield Standard
D. AWS WAF
Correct Answer: D
Section:
Explanation:
AWS WAF is the AWS service or feature that offers HTTP attack protection to users running publicfacing web applications. AWS WAF is a web application firewall that helps users protect their web applications from
common web exploits, such as SQL injection, cross-site scripting, and bot attacks.
Users can create custom rules to define the web traffic that they want to allow, block, or count. Users can also use AWS Managed Rules, which are pre-configured rules that are curated and maintained by AWS or
AWS Marketplace Sellers. AWS WAF can be integrated with other AWS services, such as Amazon CloudFront, Amazon API Gateway, and Application Load Balancer, to provide comprehensive security for web
applications. [AWS WAF Overview] AWS Certified Cloud Practitioner -aws.amazon.com
QUESTION 131
What is an Availability Zone?
A. A location where users can deploy compute, storage, database, and other select AWS services where no AWS Region currently exists
B. One or more discrete data centers with redundant power, networking, and connectivity
C. One or more clusters of servers where new workloads can be deployed
D. A fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to users globally

Correct Answer: B
Section:
Explanation:
An Availability Zone is one or more discrete data centers with redundant power, networking, and connectivity. Availability Zones are part of the AWS global infrastructure, which consists of AWS Regions, Availability
Zones, and edge locations. Availability Zones are physically separate locations within an AWS Region that are engineered to be isolated from failures and connected by low-latency, high-throughput, and highly
redundant networking. Each Availability Zone contains one or more data centers that house the servers and storage devices that run AWS services. Availability Zones enable users to design and operate fault-
tolerant and high-availability applications on AWS. AWS Global InfrastructureAWS Certified Cloud Practitioner - aws.amazon.com
QUESTION 132
Which of the following is a cloud benefit that AWS offers to its users?
A. The ability to configure AWS data center hypervisors

B. The ability to purchase hardware in advance of increased traffic
C. The ability to deploy to AWS on a global scale
D. Compliance audits for user IT environments
Correct Answer: C
Section:
Explanation:
The ability to deploy to AWS on a global scale is a cloud benefit that AWS offers to its users. AWS has a global infrastructure that consists of AWS Regions, Availability Zones, and edge locations. Users can choose
from multiple AWS Regions around the world to deploy their applications and data closer to their end users, while also meeting their compliance and regulatory requirements. Users can also leverage AWS services,
such as Amazon CloudFront, Amazon Route 53, and AWS Global Accelerator, to improve the performance and availability of their global applications. AWS also provides tools and guidance to help users optimize
their global deployments, such as AWS Well-Architected Framework, AWS CloudFormation, and AWS Migration Hub. AWS Global Infrastructure [AWS Cloud Value Framework] AWS Certified Cloud Practitioner -
aws.amazon.com
QUESTION 133
www.VCEplus.io
A company has created an AWS Cost and Usage Report and wants to visualize the report.
Which AWS service should the company use to ingest and display this information?
A. Amazon QuickSight
B. Amazon Pinpoint
C. Amazon Neptune
D. Amazon Kinesis
Correct Answer: A
Section:
Explanation:
Amazon QuickSight is an AWS service that provides business intelligence and data visualization capabilities. Amazon QuickSight enables you to ingest, analyze, and display data from various sources, such as AWS
Cost and Usage Reports, Amazon S3, Amazon Athena, Amazon Redshift, and Amazon RDS. You can use Amazon QuickSight to create interactive dashboards and charts that show insights and trends from your data.
You can also share your dashboards and charts with other users or embed them into your applications.
QUESTION 134
A company is migrating to the AWS Cloud to meet storage needs. The company wants to optimize costs based on the amount of storage that the company uses.
Which AWS offering or benefit will meet these requirements MOST cost-effectively?
A. Pay-as-you-go pricing

B. Savings Plans
C. AWS Free Tier
D. Volume-based discounts
Correct Answer: D
Section:
Explanation:
Volume-based discounts are an AWS offering or benefit that can help the company optimize costs based on the amount of storage that the company uses. Volume-based discounts are discounts that AWS provides
for some storage services, such as Amazon S3 and Amazon EBS, when the company stores a large amount of data. The more data the company stores, the lower the price per GB. For example, Amazon S3 offers six
storage classes, each with a different price per GB. The price per GB decreases as the amount of data stored in each storage class increases
QUESTION 135
A company wants to minimize network latency between its Amazon EC2 instances. The EC2 instances do not need to be highly available.
Which solution meets these requirements?

B. Use Amazon CloudFront as the database for the EC2 instances.
C. Use EC2 instances in the same edge location and the same Availability Zone.
D. Use EC2 instances in the same edge location and the same AWS Region.
Correct Answer: A
Section:
Explanation:
www.VCEplus.io
Using EC2 instances in a single Availability Zone is a solution that meets the requirements of minimizing network latency between the EC2 instances and not needing high availability. An Availability Zone is a
physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. EC2 instances within the same Availability Zone can communicate with each other using low-latency
private IP addresses. However, EC2 instances in a single Availability Zone are not highly available, because they are vulnerable to failures or disruptions that affect the Availability Zone
QUESTION 136
A company seeks cost savings in exchange for a commitment to use a specific amount of an AWS service or category ofAWS services for 1 year or 3 years.
Which AWS pricing model or offering will meet these requirements?
A. Pay-as-you-go pricing
B. Savings Plans
C. AWS Free Tier
D. Volume discounts
Correct Answer: B
Section:
Explanation:
Savings Plans are an AWS pricing model or offering that can meet the requirements of seeking cost savings in exchange for a commitment to use a specific amount of an AWS service or category of AWS services for
1 year or 3 years. Savings Plans are flexible plans that offer significant discounts on AWS compute usage, such as EC2, Lambda, and Fargate. The company can choose from two types of Savings Plans: Compute
Savings Plans and EC2 Instance Savings Plans. Compute Savings Plans provide the most flexibility and apply to any eligible compute usage, regardless of instance family, size, region, operating system, or tenancy.
EC2 Instance Savings Plans provide more savings and apply to a specific instance family within a region. The company can select the amount of compute usage per hour (e.g., $10/hour) that they want to commit to
for the duration of the plan (1 year or 3 years). The company will pay the discounted Savings Plan rate for the amount of usage that matches their commitment, and the regular on-demand rate for any usage
beyond that

QUESTION 137
Which company needs to apply security rules to a subnet for Amazon EC2 instances.
Which AWS service or feature provides this functionality?
A. Network ACLs
B. Security groups
C. AWS Certificate Manager (ACM)
D. AWS Config
Correct Answer: A
Section:
Explanation:
Network ACLs (network access control lists) are an AWS service or feature that provides the functionality of applying security rules to a subnet for EC2 instances. A subnet is a logical partition of an IP network
within a VPC (virtual private cloud). A VPC is a logically isolated section of the AWS Cloud where the company can launch AWS resources in a virtual network that they define. A network ACL is a virtual firewall that
controls the inbound and outbound traffic for one or more subnets. The company can use network ACLs to allow or deny traffic based on protocol, port, or source and destination IP address. Network ACLs are
stateless, meaning that they do not track the traffic that flows through them. Therefore, the company must create rules for both inbound and outbound traffic4
QUESTION 138
Which AWS service can a company use to perform complex analytical queries?
A. Amazon RDS
B. Amazon DynamoDB
C. Amazon Redshift
D. Amazon ElastiCache
Correct Answer: C
www.VCEplus.io
Section:
Explanation:
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a petabyte or more. This enables you to use your data
to acquire new insights for your business and customers. Amazon Redshift is designed for complex analytical queries that often involve aggregations and joins across very large tables. Amazon Redshift supports
standard SQL and integrates with many existing business intelligence tools1.
QUESTION 139
A company wants to track its AWS account's service costs. The company also wants to receive notifications when costs are forecasted to reach a specific level.
Which AWS service or tool provides this functionality?
A. AWS Budgets
B. AWS Cost Explorer
C. Savings Plans
D. AWS Billing Conductor
Correct Answer: A
Section:
Explanation:
AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation
utilization or coverage targets and receive alerts when your utilization drops below the threshold you define2.

QUESTION 140
An ecommerce company has migrated its IT infrastructure from an on-premises data center to the AWS Cloud.
Which AWS service is used to track, record, and audit configuration changes made to AWS resources?
A. AWS Shield
B. AWS Config
C. AWS 1AM
D. Amazon Inspector
Correct Answer: B
Section:
Explanation:
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to
automate the evaluation of recorded configurations against desired configurations. With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource
configuration histories, and determine your overall compliance against the configurations specified in your internal guidelines3.
QUESTION 141
A company needs to test a new application that was written in Python. The code will activate when new images are stored in an Amazon S3 bucket. The application will put a watermark on each image and then will
store the images in a different S3 bucket.
Which AWS service should the company use to conduct the test with the LEAST amount of operational overhead?
A. Amazon EC2
B. AWS CodeDeploy
C.
D.
AWS Lambda
Amazon Lightsail www.VCEplus.io
Correct Answer: C
Section:
Explanation:
AWS Lambda is a compute service that lets you run code without provisioning or managing servers.
AWS Lambda executes your code only when needed and scales automatically, from a few requests per day to thousands per second. You pay only for the compute time you consume - there is no charge when your
code is not running. With AWS Lambda, you can run code for virtually any type of application or backend service - all with zero administration. AWS Lambda runs your code on a highavailability compute
infrastructure and performs all of the administration of the compute resources, including server and operating system maintenance, capacity provisioning and automatic scaling, code monitoring and logging
QUESTION 142
Which of the following are customer responsibilities under the AWS shared responsibility model?
(Select TWO.)
A. Physical security of AWS facilities

B. Configuration of security groups
C. Encryption of customer data on AWS
D. Management of AWS Lambda infrastructure
E. Management of network throughput of each AWS Region
Section:

Explanation:
The AWS shared responsibility model describes how AWS and the customer share responsibility for security and compliance of the AWS environment. AWS is responsible for the security of the cloud, which
includes the physical security of AWS facilities, the infrastructure, hardware, software, and networking that run AWS services. The customer is responsible for security in the cloud, which includes the configuration
of security groups, the encryption of customer data on AWS, the management of AWS Lambda infrastructure, and the management of network throughput of each AWS Region.
QUESTION 143
Which AWS service or tool can be used to consolidate payments for a company with multiple AWS accounts?
A. AWS Cost and Usage Report

C. Cost Explorer
D. AWS Budgets
Correct Answer: B
Section:
Explanation:
AWS Organizations is an account management service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. AWS Organizations includes consolidated
billing and account management capabilities that enable you to better meet the budgetary, security, and compliance needs of your business1.
QUESTION 144
How can an AWS user conduct security assessments of Amazon EC2 instances, NAT gateways, and Elastic Load Balancers in a way that is approved by AWS?
A. Flood a target with requests.

B.
C.
D.
Use Amazon Inspector.
Perform penetration testing.
Use the AWS Service Health Dashboard.
www.VCEplus.io
Correct Answer: B
Section:
Explanation:
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for
exposure, vulnerabilities, and deviations from best practices. After performing an assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of severity2.
QUESTION 145
Which AWS service will help protect applications running on AWS from DDoS attacks?
A. Amazon GuardDuty
B. AWS WAF
C. AWS Shield
D. Amazon Inspector
Correct Answer: C
Section:
Explanation:
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that
minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection3.

QUESTION 146
A cloud engineer wants to know the percentage of the allocated compute units that are in use for a specific Amazon EC2 instance.
Which AWS service can provide this information?
A. AWS CloudTrail
B. AWS Config
D. AWS Artifact
Correct Answer: C
Section:
Explanation:
Amazon CloudWatch is a monitoring and observability service built for DevOps engineers, developers, site reliability engineers (SREs), and IT managers. CloudWatch provides you with data and actionable insights
to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. CloudWatch collects monitoring and operational data in the
form of logs, metrics, and events, providing you with a unified view of AWS resources, applications, and services that run on AWS and on-premises servers
QUESTION 147
Which activity is a customer responsibility in the AWS Cloud according to the AWS shared responsibility model?
A. Ensuring network connectivity from AWS to the internet

B. Patching and fixing flaws within the AWS Cloud infrastructure
C. Ensuring the physical security of cloud data centers
D. Ensuring Amazon EBS volumes are backed up
Correct Answer: D
Section:
www.VCEplus.io
Explanation:
The AWS shared responsibility model describes how AWS and the customer share responsibility for security and compliance of the AWS environment. AWS is responsible for the security of the cloud, which
includes the physical security of AWS facilities, the infrastructure, hardware, software, and networking that run AWS services. The customer is responsible for security in the cloud, which includes the configuration
of security groups, the encryption of customer data on AWS, the management of AWS Lambda infrastructure, and the management of network throughput of each AWS Region. One of the customer responsibilities
is to ensure that Amazon EBS volumes are backed up.
QUESTION 148
A. AWS CloudFormation
B. AWS Elastic Beanstalk
C. AWS Cloud9
D. AWS CloudShell
Correct Answer: A
Section:
Explanation:
AWS CloudFormation is a service that gives developers and businesses an easy way to create a collection of related AWS and third-party resources, and provision and manage them in an orderly and predictable
fashion. You can use AWS CloudFormation's sample templates or create your own templates to describe the AWS and third-party resources, and any associated dependencies or runtime parameters, required to
run your application.

QUESTION 149
A company wants to use the AWS Cloud as an offsite backup location for its on-premises infrastructure.
Which AWS service will meet this requirement MOST cost-effectively?
A. Amazon S3
C. Amazon FSx
D. Amazon Elastic Block Store (Amazon EBS)
Correct Answer: A
Section:
Explanation:
Amazon S3 is the most cost-effective service for storing offsite backups of on-premises infrastructure.
Amazon S3 offers low-cost, durable, and scalable storage that can be accessed from anywhere over the internet. Amazon S3 also supports lifecycle policies, versioning, encryption, and cross-region replication to
optimize the backup and recovery process. Amazon EFS, Amazon FSx, and Amazon EBS are more suitable for storing data that requires high performance, low latency, and frequent access12
QUESTION 150
A company is building a serverless architecture that connects application data from multiple data sources. The company needs a solution that does not require additional code.
A. AWS Lambda
B. Amazon Simple Queue Service (Amazon SQS)
D. Amazon EventBridge
Correct Answer: D
www.VCEplus.io
Section:
Explanation:
Amazon EventBridge is the service that meets the requirements of building a serverless architecture that connects application data from multiple data sources without requiring additional code. Amazon
EventBridge is a serverless event bus service that allows you to easily connect your applications with data from AWS services, SaaS applications, and your own applications. You can use Amazon EventBridge to
create rules that match events and route them to targets such as AWS Lambda functions, Amazon SNS topics, Amazon SQS queues, or other AWS services. Amazon EventBridge handles the event ingestion, delivery,
security, authorization, and error handling for you34
QUESTION 151
A company needs to use standard SQL to query and combine exabytes of structured and semistructured data across a data warehouse, operational database, and data lake.
A. Amazon DynamoDB
B. Amazon Aurora
C. Amazon Athena
D. Amazon Redshift
Correct Answer: D
Section:
Explanation:
Amazon Redshift is the service that meets the requirements of using standard SQL to query and combine exabytes of structured and semi-structured data across a data warehouse, operational database, and data

lake. Amazon Redshift is a fully managed, petabyte-scale data warehouse service that allows you to run complex analytic queries using standard SQL and your existing business intelligence tools. Amazon Redshift
also supports Redshift Spectrum, a feature that allows you to directly query and join data stored in Amazon S3 using the same SQL syntax. Amazon Redshift can scale up or down to handle any volume of data and
deliver fast query performance5
QUESTION 152
A company's information security manager is supervising a move to AWS and wants to ensure that AWS best practices are followed. The manager has concerns about the potential misuse of AWS account root user
credentials.
Which of the following is an AWS best practice for using the AWS account root user credentials?
A. Allow only the manager to use the account root user credentials for normal activities.
B. Use the account root user credentials only for Amazon EC2 instances from the AWS Free Tier.
C. Use the account root user credentials only when they alone must be used to perform a required function.
D. Use the account root user credentials only for the creation of private VPC subnets.
Correct Answer: C
Section:
Explanation:
The AWS best practice for using the AWS account root user credentials is to use them only when they alone must be used to perform a required function. The AWS account root user credentials have full access to
all the resources in the account, and therefore pose a security risk if compromised or misused. You should create individual IAM users with the minimum necessary permissions for everyday tasks, and use AWS
Organizations to manage multiple accounts. You should also enable multi-factor authentication (MFA) and rotate the password for the root user regularly. Some of the functions that require the root user
credentials are changing the account name, closing the account, changing the support plan, and restoring an IAM user's access.
QUESTION 153
www.VCEplus.io
A company needs to store data across multiple Availability Zones in an AWS Region. The data will not be accessed regularly but must be immediately retrievable.
Which Amazon Elastic File System (Amazon EFS) storage class meets these requirements MOST cost effectively?
A. EFS Standard
B. EFS Standard-Infrequent Access(EFS Standard-IA)
C. EFS One Zone
D. EFS One Zone-Infrequent Access (EFS One Zone-IA)
Correct Answer: B
Section:
Explanation:
EFS Standard-Infrequent Access (EFS Standard-IA) is the storage class that meets the requirements of storing data across multiple Availability Zones in an AWS Region, that will not be accessed regularly but must be
immediately retrievable, most cost-effectively. EFS Standard-IA is designed for files that are accessed less frequently, but still require the same high performance, low latency, and high availability as EFS Standard.
EFS Standard-IA has a lower storage cost than EFS Standard, but charges a small additional fee for each access. EFS One Zone and EFS One Zone-IA store data in a single Availability Zone, which reduces the
availability and durability compared to EFS Standard and EFS Standard-IA.
QUESTION 154
A company wants to establish a security layer in its VPC that will act as a firewall to control subnet traffic.
Which AWS service or feature will meet this requirement?
A. Routing tables
B. Network access control lists (network ACLs)
C. Security groups

D. Amazon GuardDuty
Correct Answer: C
Section:
Explanation:
Security groups are the service or feature that meets the requirement of establishing a security layer in a VPC that will act as a firewall to control subnet traffic. Security groups are stateful firewalls that control the
inbound and outbound traffic at the instance level. You can assign one or more security groups to each instance in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or
destination. Security groups are associated with network interfaces, and therefore apply to all the instances in the subnets that use those network interfaces. Routing tables are used to direct traffic between
subnets and gateways, not to filter traffic. Network ACLs are stateless firewalls that control the inbound and outbound traffic at the subnet level, but they are less granular and more cumbersome to manage than
security groups. Amazon GuardDuty is a threat detection service that monitors your AWS account and workloads for malicious or unauthorized activity, not a firewall service.
QUESTION 155
A newly created 1AM user has no 1AM policy attached.
What will happen when the user logs in and attempts to view the AWS resources in the account?
A. All AWS services will be read-only access by default.

B. Access to all AWS resources will be denied.
C. Access to the AWS billing services will be allowed.
D. Access to AWS resources will be allowed through the AWS CLL
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
Access to all AWS resources will be denied if a newly created IAM user has no IAM policy attached and logs in and attempts to view the AWS resources in the account. IAM policies are the way to grant permissions
to IAM users, groups, and roles to access and manage AWS resources. By default, IAM users have no permissions, unless they are explicitly granted by an IAM policy. Therefore, a newly created IAM user without
any IAM policy attached will not be able to view or perform any actions on the AWS resources in the account. Access to the AWS billing services and AWS CLI will also be denied, unless the user has the necessary
permissions.
QUESTION 156
A cloud practitioner is analyzing Amazon EC2 instance performance and usage to provide recommendations for potential cost savings.
Which cloud concept does this analysis demonstrate?
A. Auto scaling
B. Rightsizing
C. Load balancing
D. High availability
Correct Answer: B
Section:
Explanation:
Rightsizing is the cloud concept that this analysis demonstrates. Rightsizing is the process of optimizing the performance and cost of your AWS resources by selecting the most appropriate type, size, and
configuration based on your workload requirements and usage patterns. Rightsizing can help you achieve potential cost savings by reducing the over-provisioning or under-utilization of your resources. You can use
various AWS tools and services, such as AWS Cost Explorer, AWS Compute Optimizer, and AWS Trusted Advisor, to analyze your resource utilization and performance metrics, and receive recommendations for
rightsizing.
QUESTION 157
An auditor needs to find out whether a specific AWS service is compliant with specific compliance frameworks.

Which AWS service will provide this information?
A. AWS Artifact
C. Amazon GuardDuty
D. AWS Certificate Manager (ACM)
Correct Answer: A
Section:
Explanation:
AWS Artifact is the service that will provide the information about whether a specific AWS service is compliant with specific compliance frameworks. AWS Artifact is a self-service portal that allows you to access,
review, and download AWS security and compliance reports and agreements. You can use AWS Artifact to verify the compliance status of AWS services across various regions and compliance programs, such as ISO,
PCI, SOC, FedRAMP, HIPAA, and more12
QUESTION 158
Which duties are the responsibility of a company that is using AWS Lambda? (Select TWO.)
A. Security inside of code

B. Selection of CPU resources
C. Patching of operating system
D. Writing and updating of code
E. Security of underlying infrastructure
Section:
Explanation:
www.VCEplus.io
The duties that are the responsibility of a company that is using AWS Lambda are security inside of code and writing and updating of code. AWS Lambda is a serverless compute service that allows you to run code
without provisioning or managing servers, scaling, or patching. AWS Lambda takes care of the security of the underlying infrastructure, such as the operating system, the network, and the firewall. However, the
company is still responsible for the security of the code itself, such as encrypting sensitive data, validating input, and handling errors. The company is also responsible for writing and updating the code that defines
the Lambda function, and choosing the runtime environment, such as Node.js, Python, or Java. AWS Lambda does not require the selection of CPU resources, as it automatically allocates them based on the
memory configuration34
QUESTION 159
Which AWS services and features are provided to all customers at no charge? (Select TWO.)
A. Amazon Aurora
B. VPC
C. Amazon SageMaker
E. Amazon Polly
Section:
Explanation:
The AWS services and features that are provided to all customers at no charge are VPC and AWS Identity and Access Management (IAM). VPC is a service that allows you to launch AWS resources in a logically
isolated virtual network that you define. You can create and use a VPC at no additional charge, and you only pay for the resources that you launch in the VPC, such as EC2 instances or EBS volumes. IAM is a service

that allows you to manage access and permissions to AWS resources. You can create and use IAM users, groups, roles, and policies at no additional charge, and you only pay for the AWS resources that the IAM
entities access. Amazon Aurora, Amazon SageMaker, and Amazon Polly are not free services, and they charge based on the usage and features that you choose5
QUESTION 160
Which AWS services or features can control VPC traffic? (Select TWO.)
A. Security groups
C. Amazon GuardDuty
D. Network ACLs
E. Amazon Connect
Section:
Explanation:
The AWS services or features that can control VPC traffic are security groups and network ACLs.
Security groups are stateful firewalls that control the inbound and outbound traffic at the instance level. You can assign one or more security groups to each instance in a VPC, and specify the rules that allow or
deny traffic based on the protocol, port, and source or destination. Network ACLs are stateless firewalls that control the inbound and outbound traffic at the subnet level. You can associate one network ACL with
each subnet in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or destination. AWS Direct Connect, Amazon GuardDuty, and Amazon Connect are not services or
features that can control VPC traffic. AWS Direct Connect is a service that establishes a dedicated network connection between your premises and AWS. Amazon GuardDuty is a service that monitors your AWS
account and workloads for malicious or unauthorized activity. Amazon Connect is a service that provides a cloud-based contact center solution.
QUESTION 161
www.VCEplus.io
A company needs to identify the last time that a specific user accessed the AWS Management Console.
A. Amazon Cognito
B. AWS CloudTrail
C. Amazon Inspector
D. Amazon GuardDuty
Correct Answer: B
Section:
Explanation:
AWS CloudTrail is the service that will provide the information about the last time that a specific user accessed the AWS Management Console. AWS CloudTrail is a service that records the API calls and events made
by or on behalf of your AWS account. You can use AWS CloudTrail to view, search, and download the history of AWS console sign-in events, which include the user name, date, time, source IP address, and other
details of the sign-in activity. Amazon Cognito, Amazon Inspector, and Amazon GuardDuty are not services that will provide this information. Amazon Cognito is a service that provides user authentication and
authorization for web and mobile applications. Amazon Inspector is a service that assesses the security and compliance of your applications running on AWS.
Amazon GuardDuty is a service that monitors your AWS account and workloads for malicious or unauthorized activity.
QUESTION 162
A company's application stores data in an Amazon S3 bucket. The company has an AWS Lambda function that processes data in the S3 bucket. The company needs to invoke the function once a day at a specific
time.
Which AWS service should the company use to meet this requirement?
A. AWS Managed Services (AMS)

B. AWS CodeStar
C. Amazon EventBridge
D. AWS Step Functions
Correct Answer: C
Section:
Explanation:
Amazon EventBridge is the service that the company should use to meet the requirement of invoking the Lambda function once a day at a specific time. Amazon EventBridge is a serverless event bus service that
allows you to easily connect your applications with data from AWS services, SaaS applications, and your own applications. You can use Amazon EventBridge to create rules that match events and route them to
targets such as AWS Lambda functions, Amazon SNS topics, Amazon SQS queues, or other AWS services. You can also use Amazon EventBridge to create scheduled rules that trigger your targets at a specific time or
interval, such as once a day. AWS Managed Services (AMS), AWS CodeStar, and AWS Step Functions are not services that the company should use to meet this requirement. AMS is a service that provides
operational management for your AWS infrastructure and applications. AWS CodeStar is a service that provides a unified user interface for managing software development projects on AWS. AWS Step Functions is
a service that coordinates multiple AWS services into serverless workflows.
QUESTION 163
A company uses Amazon Aurora as its database service. The company wants to encrypt its databases and database backups.
Which party manages the encryption of the database clusters and database snapshots, according to the AWS shared responsibility model?
A. AWS
B. The company
C. AWS Marketplace partners
D. Third-party partners
Correct Answer: A
Section:
Explanation:
www.VCEplus.io
AWS manages the encryption of the database clusters and database snapshots for Amazon Aurora, as well as the encryption keys. This is part of the AWS shared responsibility model, where AWS is responsible for
the security of the cloud, and the customer is responsible for the security in the cloud. Encryption is one of the security features that AWS provides to protect the data at rest and in transit. For more information,
see Amazon Aurora FAQs and AWS Shared Responsibility Model.
QUESTION 164
Which AWS solution gives companies the ability to use protocols such as NFS to store and retrieve objects in Amazon S3?
A. Amazon FSx for Lustre

B. AWS Storage Gateway volume gateway
C. AWS Storage Gateway file gateway
D. Amazon Elastic File System (Amazon EFS)
Correct Answer: C
Section:
Explanation:
AWS Storage Gateway file gateway allows companies to use protocols such as NFS and SMB to store and retrieve objects in Amazon S3. File gateway provides a seamless integration between onpremises
applications and Amazon S3, and enables low-latency access to data through local caching.
File gateway also supports encryption, compression, and lifecycle management of the objects in Amazon S3. For more information, see What is AWS Storage Gateway? and File Gateway.
QUESTION 165

A company is launching a new application in the AWS Cloud. The application will run on an Amazon EC2 instance. More EC2 instances will be needed when the workload increases.
Which AWS service or tool can the company use to launch the number of EC2 instances that will be needed to handle the workload?
A. Elastic Load Balancing

B. Amazon EC2 Auto Scaling
C. AWS App2Container (A2C)
Correct Answer: B
Section:
Explanation:
Amazon EC2 Auto Scaling is the AWS service or tool that can help the company launch the number of EC2 instances that will be needed to handle the workload. Amazon EC2 Auto Scaling automatically adjusts the
capacity of the EC2 instances based on the demand and the predefined scaling policies.
Amazon EC2 Auto Scaling also helps to improve availability and reduce costs by scaling in and out as needed. For more information, see What is Amazon EC2 Auto Scaling? and [Getting Started with Amazon EC2
Auto Scaling].
QUESTION 166
Which design principle is achieved by following the reliability pillar of the AWS Well-Architected Framework?
A. Vertical scaling
B. Manual failure recovery
C. Testing recovery procedures
D. Changing infrastructure manually
Correct Answer: C
Section:
www.VCEplus.io
Explanation:
: Testing recovery procedures is the design principle that is achieved by following the reliability pillar of the AWS Well-Architected Framework. The reliability pillar focuses on the ability of a system to recover from
failures and prevent disruptions. Testing recovery procedures helps to ensure that the system can handle different failure scenarios and restore normal operations as quickly as possible.
Testing recovery procedures also helps to identify and mitigate any risks or gaps in the system design and implementation. For more information, see [Reliability Pillar] and [Testing for Reliability].
QUESTION 167
What is a benefit of moving to the AWS Cloud in terms of improving time to market?
A. Decreased deployment speed

B. Increased application security
C. Increased business agility
D. Increased backup capabilities
Correct Answer: C
Section:
Explanation:
Increased business agility is a benefit of moving to the AWS Cloud in terms of improving time to market. Business agility refers to the ability of a company to adapt to changing customer needs, market conditions,
and competitive pressures. Moving to the AWS Cloud enables business agility by providing faster access to resources, lower upfront costs, and greater scalability and flexibility. By using the AWS Cloud, companies
can launch new products and services, experiment with new ideas, and respond to customer feedback more quickly and efficiently. For more information, see [Benefits of Cloud Computing] and [Business Agility].

QUESTION 168
In which of the following AWS services should database credentials be stored for maximum security?

B. AWS Secrets Manager
C. Amazon S3
D. AWS Key Management Service (AWS KMS)
Correct Answer: B
Section:
Explanation:
AWS Secrets Manager is the AWS service where database credentials should be stored for maximum security. AWS Secrets Manager helps to protect the secrets, such as database credentials, passwords, API keys,
and tokens, that are used to access applications, services, and resources. AWS Secrets Manager enables secure storage, encryption, rotation, and retrieval of the secrets. AWS Secrets Manager also integrates with
other AWS services, such as AWS Identity and Access Management (IAM), AWS Key Management Service (AWS KMS), and AWS Lambda. For more information, see [What is AWS Secrets Manager?] and [Getting
Started with AWS Secrets Manager].
QUESTION 169
A company needs to configure rules to identify threats and protect applications from malicious network access.

B. Amazon QuickSight
C. AWS WAF
D. Amazon Detective
Correct Answer: C
www.VCEplus.io
Section:
Explanation:
AWS WAF is the AWS service that the company should use to configure rules to identify threats and protect applications from malicious network access. AWS WAF is a web application firewall that helps to filter,
monitor, and block malicious web requests based on customizable rules. AWS WAF can be integrated with other AWS services, such as Amazon CloudFront, Amazon API Gateway, and Application Load Balancer. For
more information, see What is AWS WAF? and How AWS WAF Works.
QUESTION 170
Which option is an advantage of AWS Cloud computing that minimizes variable costs?
C. Global reach
D. Agility
Correct Answer: B
Section:
Explanation:
Economies of scale is the advantage of AWS Cloud computing that minimizes variable costs.
Economies of scale refers to the reduction in the cost per unit as the output increases. AWS Cloud computing leverages economies of scale by providing a large pool of shared resources that can be accessed on
demand and paid for as needed. AWS Cloud computing also passes the cost savings to the customers by offering lower prices and discounts. For more information, see Economies of Scale and AWS Pricing.

QUESTION 171
A company moves its infrastructure from on premises to the AWS Cloud. The company can now provision additional Amazon EC2 instances whenever the instances are required. With this ability, the company can
launch new marketing campaigns in 3 days instead of 3 weeks.
Which benefit of the AWS Cloud does this scenario demonstrate?
A. Cost savings
B. Improved operational resilience
C. Increased business agility
D. Enhanced security
Correct Answer: C
Section:
Explanation:
Increased business agility is the benefit of the AWS Cloud that this scenario demonstrates. Business agility refers to the ability of a company to adapt to changing customer needs, market conditions, and
competitive pressures. Moving to the AWS Cloud enables business agility by providing faster access to resources, lower upfront costs, and greater scalability and flexibility. By using the AWS Cloud, the company can
launch new marketing campaigns in 3 days instead of 3 weeks, which shows that it can respond to customer feedback more quickly and efficiently. For more information, see Benefits of Cloud Computing and
[Business Agility].
QUESTION 172
A retail company is migrating its IT infrastructure applications from on premises to the AWS Cloud.
Which costs will the company eliminate with this migration? (Select TWO.)
A. Cost of data center operations

B.
C.
D.
Cost of application licensing
Cost of marketing campaigns
Cost of physical server hardware
www.VCEplus.io
E. Cost of network management
Section:
Explanation:
The costs that the company will eliminate with this migration are the cost of application licensing and the cost of physical server hardware. The cost of application licensing is the fee that the company has to pay to
use the software applications on its on-premises servers. The cost of physical server hardware is the expense that the company has to incur to purchase, maintain, and upgrade the servers and related equipment.
By migrating to the AWS Cloud, the company can avoid these costs by using the AWS services and resources that are already licensed and managed by AWS. For more information, see [Cloud Economics] and [AWS
Total Cost of Ownership (TCO) Calculator].
QUESTION 173
Which AWS Support plan assigns an AWS concierge agent to a company's account?
A. AWS Basic Support

B. AWS Developer Support
C. AWS Business Support
D. AWS Enterprise Support
Correct Answer: D
Section:

Explanation:
AWS Enterprise Support is the AWS Support plan that assigns an AWS concierge agent to a company's account. AWS Enterprise Support is the highest level of support that AWS offers, and it provides the most
comprehensive and personalized assistance. An AWS concierge agent is a dedicated technical account manager who acts as a single point of contact for the company and helps to optimize the AWS environment,
resolve issues, and access AWS experts. For more information, see [AWS Support Plans] and [AWS Concierge Support].
QUESTION 174
A company hosts an application on an Amazon EC2 instance. The EC2 instance needs to access several AWS resources, including Amazon S3 and Amazon DynamoDB.
What is the MOST operationally efficient solution to delegate permissions?
A. Create an 1AM role with the required permissions. Attach the role to the EC2 instance.
B. Create an IAM user and use its access key and secret access key in the application.
C. Create an 1AM user and use its access key and secret access key to create a CLI profile in the EC2 instance.
D. Create an 1AM role with the required permissions. Attach the role to the administrative1AM user.
Correct Answer: A
Section:
Explanation:
Creating an IAM role with the required permissions and attaching the role to the EC2 instance is the most operationally efficient solution to delegate permissions. An IAM role is an entity that defines a set of
permissions for making AWS service requests. An IAM role can be assumed by an EC2 instance to access other AWS resources, such as Amazon S3 and Amazon DynamoDB, without having to store any credentials
on the instance. This solution is more secure and scalable than using IAM users and their access keys. For more information, see [IAM Roles for Amazon EC2] and [Using an IAM Role to Grant Permissions to
Applications Running on Amazon EC2 Instances].
QUESTION 175
A.
www.VCEplus.io
Which encryption types can be used to protect objects at rest in Amazon S3? (Select TWO.)
Server-side encryption with AmazonS3 managed encryption keys (SSE-S3)

B. Server-side encryption with AWS KMSmanaged keys (SSE-KMS)
C. TLS
D. SSL
E. Transparent Data Encryption (TDE)
Section:
Explanation:
Server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and server-side encryption with AWS KMS managed keys (SSE-KMS) are the encryption types that can be used to protect objects at rest in
Amazon S3. Server-side encryption means that Amazon S3 encrypts the objects before saving them on disks and decrypts them when they are downloaded. SSE-S3 uses one master key per bucket that is managed
by Amazon S3. SSE-KMS uses a customer master key (CMK) that is stored in AWS Key Management Service (AWS KMS) and provides additional benefits, such as audit trails and key rotation. For more information,
see Protecting Data Using Server-Side Encryption and Protecting Data Using Encryption.
QUESTION 176
A company is building an application that will receive millions of database queries each second. The company needs the data store for the application to scale to meet these needs.
Which AWS service will meet this requirement?
A. Amazon DynamoDB
B. AWS Cloud9
C. Amazon ElastiCache for Memcached

D. Amazon Neptune
Correct Answer: A
Section:
Explanation:
Amazon DynamoDB is the AWS service that will meet the requirement of building an application that will receive millions of database queries each second. Amazon DynamoDB is a fully managed NoSQL database
service that provides fast and consistent performance, scalability, and durability.
Amazon DynamoDB can handle any level of request traffic and automatically scale up or down the capacity based on the demand. Amazon DynamoDB also supports in-memory caching with Amazon DynamoDB
Accelerator (DAX) to improve the response time and reduce the cost. For more information, see What is Amazon DynamoDB? and Amazon DynamoDB Features.
QUESTION 177
An application runs on multiple Amazon EC2 instances that access a shared file system simultaneously.
Which AWS storage service should be used?
A. Amazon EBS
B. Amazon EFS
C. Amazon S3
D. AWS Artifact
Correct Answer: B
Section:
Explanation:
Amazon Elastic File System (Amazon EFS) is the AWS storage service that should be used for an application that runs on multiple Amazon EC2 instances that access a shared file system simultaneously. Amazon EFS
www.VCEplus.io
is a fully managed service that provides a scalable, elastic, and highly available file system for Linux-based workloads. Amazon EFS supports the Network File System version 4 (NFSv4) protocol and allows multiple
EC2 instances to read and write data to the same file system concurrently. Amazon EFS also integrates with other AWS services, such as AWS Backup, AWS CloudFormation, and AWS CloudTrail. For more
information, see What is Amazon Elastic File System? and [Amazon EFS Use Cases].
QUESTION 178
Which of the following is entirely the responsibility of AWS, according to the AWS shared responsibility model?
A. Security awareness and training

B. Development of an 1AM password policy
C. Patching of the guest operating system
D. Physical and environmental controls
Correct Answer: D
Section:
Explanation:
Physical and environmental controls are entirely the responsibility of AWS, according to the AWS shared responsibility model. The AWS shared responsibility model defines the division of responsibilities between
AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the physical and environmental controls of the AWS global infrastructure, such as power, cooling,
fire suppression, and physical access. The customer is responsible for the security in the cloud, which includes the configuration and management of the AWS resources and applications. For more information, see
[AWS Shared Responsibility Model] and [AWS Cloud Security].
QUESTION 179
A company does not want to rely on elaborate forecasting to determine its usage of compute resources. Instead, the company wants to pay only for the resources that it uses. The company also needs the ability to
increase or decrease its resource usage to meet business requirements.
Which pillar of the AWS Well-Architected Framework aligns with these requirements?

B. Security
C. Reliability
Correct Answer: D
Section:
Explanation:
Cost optimization is the pillar of the AWS Well-Architected Framework that aligns with the requirements of not relying on elaborate forecasting and paying only for the resources that are used.
The cost optimization pillar focuses on the ability of a system to deliver business value at the lowest price point. Cost optimization involves using the right AWS services and resources for the workload, measuring
and monitoring the cost and usage, and continuously improving the cost efficiency. Cost optimization also leverages the benefits of the AWS Cloud, such as pay-as-you-go pricing, elasticity, and scalability. For more
information, see [Cost Optimization Pillar] and [Cost Optimization].
QUESTION 180
A company wants to use Amazon EC2 instances to run a stateless and restartable process after business hours.
Which AWS service provides DNS resolution?
A. Amazon CloudFront
B. Amazon VPC
C. Amazon Route 53
D. AWS Direct Connect
Correct Answer: C
Section:
Explanation:
www.VCEplus.io
Amazon Route 53 is the AWS service that provides DNS resolution. DNS (Domain Name System) is a service that translates domain names into IP addresses. Amazon Route 53 is a highly available and scalable cloud
DNS service that offers domain name registration, DNS routing, and health checking.
Amazon Route 53 can route the traffic to various AWS services, such as Amazon EC2, Amazon S3, and Amazon CloudFront. Amazon Route 53 can also integrate with other AWS services, such as AWS Certificate
Manager, AWS Shield, and AWS WAF. For more information, see [What is Amazon Route 53?] and [Amazon Route 53 Features].
QUESTION 181
Which group shares responsibility with AWS for security and compliance of AWS accounts and resources?
A. Third-party vendors
B. Customers
C. Reseller partners
D. Internet providers
Correct Answer: B
Section:
Explanation:
Customers share responsibility with AWS for security and compliance of AWS accounts and resources. This is part of the AWS shared responsibility model, which defines the division of responsibilities between AWS
and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the physical and environmental controls of the AWS global infrastructure, such as power, cooling, fire
suppression, and physical access. The customer is responsible for the security in the cloud, which includes the configuration and management of the AWS resources and applications, such as identity and access
management, encryption, firewall, and backup. For more information, see AWS Shared Responsibility Model and AWS Cloud Security.

QUESTION 182
A company wants to migrate its Microsoft SQL Server database management system from on premises to the AWS Cloud.
Which AWS service should the company use to reduce management overhead for this environment?
A. Amazon Elastic Container Service (Amazon ECS)

B. Amazon SageMaker
C. Amazon RDS
D. Amazon Athena
Correct Answer: C
Section:
Explanation:
Amazon Relational Database Service (Amazon RDS) is the AWS service that the company should use to migrate its Microsoft SQL Server database management system from on premises to the AWS Cloud. Amazon
RDS is a fully managed service that provides a scalable, secure, and highperformance relational database platform. Amazon RDS supports several database engines, including Microsoft SQL Server. Amazon RDS
reduces the management overhead for the database environment by taking care of tasks such as provisioning, patching, backup, recovery, and monitoring. For more information, see What is Amazon Relational
Database Service (Amazon RDS)? and Amazon RDS for SQL Server.
QUESTION 183
A company moves a workload to AWS to run on Amazon EC2 instances. The company needs to run the workload in the most cost-effective way.
What can the company do to meet this requirement?
A. Use AWS Key Management Service (AWS KMS).

B. Use multiple AWS accounts and consolidated billing.
C.
D.
Use AWS CloudFormation to deploy the infrastructure.
www.VCEplus.io
Rightsized all the EC2 instances that are used in the deployment.
Correct Answer: D
Section:
Explanation:
Rightsizing all the EC2 instances that are used in the deployment is the best way to run the workload in the most cost-effective way. Rightsizing means choosing the optimal instance type and size for the workload
based on the performance and capacity requirements. Rightsizing helps to avoid overprovisioning or under-provisioning of the EC2 instances, which can result in wasted resources or poor performance. Rightsizing
also helps to take advantage of the different pricing models and features that AWS offers, such as On-Demand, Reserved, and Spot Instances, and Auto Scaling. For more information, see Rightsizing Your Instances
and [Cost Optimization with AWS].
QUESTION 184
A company needs to launch an Amazon EC2 instance.
Which of the following can the company use during the launch process to configure the root volume of the EC2 instance?
A. Amazon EC2 Auto Scaling

B. Amazon Data Lifecycle Manager (Amazon DLM)
C. Amazon Machine Image (AMI)
D. Amazon Elastic Block Store (Amazon EBS) volume
Correct Answer: C
Section:
Explanation:

Amazon Machine Image (AMI) is the option that the company can use during the launch process to configure the root volume of the EC2 instance. An AMI is a template that contains the software configuration,
such as the operating system, applications, and settings, required to launch an EC2 instance. An AMI also specifies the volume size and type of the root device for the instance. The company can choose an AMI
provided by AWS, the AWS Marketplace, or the AWS community, or create a custom AMI. For more information, see [Amazon Machine Images (AMI)] and [Launching an Instance Using the Launch Instance Wizard].
QUESTION 185
A company plans to migrate its on-premises workload to AWS. Before the migration, the company needs to estimate its future AWS service costs.
Which AWS service or tool should the company use to meet this requirement?

B. AWS Budgets
C. AWS Pricing Calculator
D. AWS Cost Explorer
Correct Answer: C
Section:
Explanation:
AWS Pricing Calculator is the AWS service or tool that the company should use to estimate its future AWS service costs before the migration. AWS Pricing Calculator is a web-based tool that allows the company to
create cost estimates for various AWS services and scenarios. AWS Pricing Calculator helps the company to compare the costs of running the workload on premises versus on AWS, and to optimize the costs by
choosing the best options for the workload. AWS Pricing Calculator also provides a detailed breakdown of the cost components and a downloadable report. For more information, see [AWS Pricing Calculator] and
[Getting Started with AWS Pricing Calculator].
QUESTION 186
A company suspects that its AWS resources are being used for illegal activities.
Which AWS group or team should the company notify?
A. AWS Abuse team

www.VCEplus.io
B. AWS Support team
C. AWS technical account managers
D. AWS Professional Services team
Correct Answer: A
Section:
Explanation:
AWS Abuse team is the AWS group or team that the company should notify if it suspects that its
AWS resources are being used for illegal activities. AWS Abuse team is a dedicated team that handles reports of abuse, such as spam, phishing, malware, denial-of-service attacks, and unauthorized access,
involving AWS resources. The company can contact the AWS Abuse team by filling out the [Report Abuse of AWS Resources form] or sending an email to [email protected]. The company should provide as
much information as possible, such as the source and destination IP addresses, timestamps, log files, and screenshots, to help the AWS Abuse team investigate and take appropriate actions. For more information,
see [Reporting Abuse] and [AWS Acceptable Use Policy].
QUESTION 187
A company wants an in-memory data store that is compatible with open source in the cloud.
A. Amazon DynamoDB
B. Amazon ElastiCache

D. Amazon Redshift
Correct Answer: B
Section:
Explanation:
Amazon ElastiCache is a fully managed in-memory data store service that is compatible with open source engines such as Redis and Memcached1. It provides fast and scalable performance for applications that
require high throughput and low latency1. Amazon DynamoDB is a fully managed NoSQL database service that provides consistent and single-digit millisecond latency at any scale2. Amazon EBS is a block storage
service that provides persistent and durable storage volumes for Amazon EC2 instances3. Amazon Redshift is a fully managed data warehouse service that allows users to run complex analytic queries using SQL4.
QUESTION 188
A company wants to improve its security and audit posture by limiting Amazon EC2 inbound access.
According to the AWS shared responsibility model, which task is the responsibility of the customer?
A. Protect the global infrastructure that runs all of the services offered in the AWS Cloud.
B. Configure logical access controls for resources, and protect account credentials.
C. Configure the security used by managed services.
D. Patch and back up Amazon Aurora.
Correct Answer: B
Section:
Explanation:
According to the AWS shared responsibility model, the customer is responsible for configuring logical access controls for resources, and protecting account credentials. This includes managing IAM user
permissions, security group rules, network ACLs, encryption keys, and other aspects of access management1. AWS is responsible for protecting the global infrastructure that runs all of the services offered in the
Aurora2.
QUESTION 189
www.VCEplus.io
AWS Cloud, such as the hardware, software, networking, and facilities. AWS is also responsible for configuring the security used by managed services, such as Amazon RDS, Amazon DynamoDB, and Amazon
Which task is the responsibility of AWS when using AWS services?
A. Management of 1AM user permissions

B. Creation of security group rules for outbound access
C. Maintenance of physical and environmental controls
D. Application of Amazon EC2 operating system patches
Correct Answer: C
Section:
Explanation:
AWS is responsible for maintaining the physical and environmental controls of the AWS Cloud, such as power, cooling, fire suppression, and physical security1. The customer is responsible for managing the IAM
user permissions, creating security group rules for outbound access, applying Amazon EC2 operating system patches, and other aspects of security in the cloud1.
QUESTION 190
A company wants to push VPC Flow Logs to an Amazon S3 bucket.
A company wants to optimize long-term compute costs of AWS Lambda functions and Amazon EC2 instances.
Which AWS purchasing option should the company choose to meet these requirements?
A. Dedicated Hosts

B. Compute Savings Plans
C. Reserved Instances
D. Spot Instances
Correct Answer: B
Section:
Explanation:
Compute Savings Plans are a flexible and cost-effective way to optimize long-term compute costs of AWS Lambda functions and Amazon EC2 instances. With Compute Savings Plans, customers can commit to a
consistent amount of compute usage (measured in $/hour) for a 1-year or 3-year term and receive a discount of up to 66% compared to On-Demand prices3. Dedicated Hosts are physical servers with EC2 instance
capacity fully dedicated to the customer's use. They are suitable for customers who have specific server-bound software licenses or compliance requirements4. Reserved Instances are a pricing model that provides
a significant discount (up to 75%) compared to On-Demand pricing and a capacity reservation for EC2 instances. They are available in 1-year or 3-year terms and different payment options5. Spot Instances are
spare EC2 instances that are available at up to 90% discount compared to On-Demand prices. They are suitable for customers who have flexible start and end times, can withstand interruptions, and can handle
excess capacity.
QUESTION 191
Which task can a company perform by using security groups in the AWS Cloud?
A. Allow access to an Amazon EC2 instance through only a specific port.

B. Deny access to malicious IP addresses at a subnet level.
C. Protect data that is cached by Amazon CloudFront.
D. Apply a stateless firewall to an Amazon EC2 instance.
Correct Answer: A
Section:
Security groups are virtual firewalls that control the inbound and outbound traffic for Amazon EC2 instances. They can be used to allow access to an Amazon EC2 instance through only a specific port, such as port
22 for SSH or port 80 for HTTP. Security groups cannot deny access to malicious IP addresses at a subnet level, as they only allow or deny traffic based on the rules defined by the customer. To block malicious IP
addresses, customers can use network ACLs, which are stateless firewalls that can be applied to subnets. Security groups cannot protect data that is cached by Amazon CloudFront, as they only apply to EC2
instances. To protect data that is cached by Amazon CloudFront, customers can use encryption, signed URLs, or signed cookies. Security groups are not stateless firewalls, as they track the state of the traffic and
automatically allow the response traffic to flow back to the source. Stateless firewalls do not track the state of the traffic and require rules for both inbound and outbound traffic.
QUESTION 192
A company needs to centralize its operational dat a. The company also needs to automate tasks across all of its Amazon EC2 instances.
Which AWS service can the company use to meet these requirements?

B. AWS Systems Manager
C. AWS CodeDeploy
Correct Answer: B
Section:
Explanation:
AWS Systems Manager is a service that enables users to centralize and automate the management of their AWS resources. It provides a unified user interface to view operational data, such as inventory, patch
compliance, and performance metrics. It also allows users to automate common and repetitive tasks, such as patching, backup, and configuration management, across all of their Amazon EC2 instances1. AWS
Trusted Advisor is a service that provides best practices and recommendations to optimize the performance, security, and cost of AWS resources2. AWS CodeDeploy is a service that automates the deployment of

code and applications to Amazon EC2 instances or other compute services3. AWS Elastic Beanstalk is a service that simplifies the deployment and management of web applications using popular platforms, such as
Java, PHP, and Node.js4.
QUESTION 193
A company needs Amazon EC2 instances for a workload that can tolerate interruptions.
Which EC2 instance purchasing option meets this requirement with the LARGEST discount compared to On-Demand prices?
A. Spot Instances
B. Convertible Reserved Instances
C. Standard Reserved Instances
D. Dedicated Hosts
Correct Answer: A
Section:
Explanation:
Spot Instances are spare Amazon EC2 instances that are available at up to 90% discount compared to On-Demand prices. They are suitable for workloads that can tolerate interruptions, such as batch processing,
data analysis, and testing. Spot Instances are allocated based on the current supply and demand, and can be reclaimed by AWS with a two-minute notice when the demand exceeds the supply5. Convertible
Reserved Instances are a type of Reserved Instances that provide a significant discount (up to 54%) compared to On-Demand prices and a capacity reservation for Amazon EC2 instances. They are available in 1-year
or 3-year terms and allow users to change the instance family, size, operating system, or tenancy during the term. Standard Reserved Instances are another type of Reserved Instances that provide a larger discount
(up to 75%) compared to On-Demand prices and a capacity reservation for Amazon EC2 instances. They are available in 1-year or 3-year terms and do not allow users to change the instance attributes during the
term. Dedicated Hosts are physical servers with Amazon EC2 instance capacity fully dedicated to the user's use. They are suitable for users who have specific server-bound software licenses or compliance
requirements.
QUESTION 194
Which AWS service can defend against DDoS attacks?
A. AWS Firewall Manager

www.VCEplus.io
B. AWS Shield Standard
C. AWS WAF
D. Amazon Inspector
Correct Answer: B
Section:
Explanation:
AWS Shield Standard is a service that provides protection against Distributed Denial of Service (DDoS) attacks for all AWS customers at no additional charge. It automatically detects and mitigates the most common
and frequently occurring network and transport layer DDoS attacks that target AWS resources, such as Amazon EC2 instances, Elastic Load Balancers, Amazon CloudFront distributions, and Amazon Route 53 hosted
zones. AWS Firewall Manager is a service that allows users to centrally configure and manage firewall rules across their AWS accounts and resources, such as AWS WAF web ACLs, AWS Shield Advanced protections,
and Amazon VPC security groups. AWS WAF is a web application firewall that helps protect web applications from common web exploits, such as SQL injection, cross-site scripting, and bot attacks. Amazon
Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. It analyzes the behavior of the applications and checks for vulnerabilities,
exposures, and deviations from best practices.
QUESTION 195
A company wants its Amazon EC2 instances to share the same geographic area but use redundant underlying power sources.
Which solution will meet these requirements?
A. Use EC2 instances across multiple Availability Zones in the same AWS Region.

B. Use Amazon CloudFront as the database for the EC2 instances.
C. Use EC2 instances in the same edge location and the same Availability Zone.
D. Use EC2 instances in AWS OpsWorks stacks in different AWS Regions.
Correct Answer: A
Section:
Explanation:
Using EC2 instances across multiple Availability Zones in the same AWS Region is a solution that meets the requirements of sharing the same geographic area but using redundant underlying power sources.
Availability Zones are isolated locations within an AWS Region that have independent power, cooling, and physical security. They are connected through low-latency, high-throughput, and highly redundant
networking. By launching EC2 instances in different Availability Zones, users can increase the fault tolerance and availability of their applications. Amazon CloudFront is a content delivery network (CDN) service that
speeds up the delivery of web content and media to end users by caching it at the edge locations closer to them. It is not a database service and cannot be used to store operational data for EC2 instances. Edge
locations are sites that are part of the Amazon CloudFront network and are located in many cities around the world. They are not the same as Availability Zones and do not provide redundancy for EC2 instances.
AWS OpsWorks is a configuration management service that allows users to automate the deployment and management of applications using Chef or Puppet. It can be used to create stacks that span multiple AWS
Regions, but this would not meet the requirement of sharing the same geographic area.
QUESTION 196
A company needs to design a solution for the efficient use of compute resources for an enterprise workload. The company needs to make informed decisions as its technology needs evolve.
Which pillar of the AWS Well-Architected Framework do these requirements represent?
B. Performance efficiency
C. Cost optimization
D. Reliability
Correct Answer: B
Section:
www.VCEplus.io
Explanation:
Performance efficiency is the pillar of the AWS Well-Architected Framework that represents the requirements of designing a solution for the efficient use of compute resources for an enterprise workload and
making informed decisions as the technology needs evolve. It focuses on using the right resources and services for the workload, monitoring performance, and continuously improving the efficiency of the solution.
Operational excellence is the pillar of the AWS Well-Architected Framework that represents the ability to run and monitor systems to deliver business value and to continually improve supporting processes and
procedures. Cost optimization is the pillar of the AWS Well-Architected Framework that represents the ability to run systems to deliver business value at the lowest price point. Reliability is the pillar of the AWS
Well-Architected Framework that represents the ability of a system to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as
misconfigurations or transient network issues.
QUESTION 197
What does "security of the cloud" refer to in the AWS shared responsibility model?
A. Availability of AWS services such as Amazon EC2

B. Security of the cloud infrastructure that runs all the AWS services
C. Implementation of password policies for 1AM users
D. Security of customer environments by using AWS Network Firewall partners
Correct Answer: B
Section:
Explanation:
Security of the cloud refers to the security of the cloud infrastructure that runs all the AWS services.

This includes the hardware, software, networking, and facilities that AWS operates and manages.
AWS is responsible for protecting the security of the cloud as part of the AWS shared responsibility model. Availability of AWS services such as Amazon EC2 refers to the ability of the services to be up and running
and to meet the expected performance. Availability is part of the reliability pillar of the AWS Well-Architected Framework and is a shared responsibility between AWS and the customer .
Implementation of password policies for IAM users refers to the security of the customer data and applications in the cloud. This includes the configuration and management of IAM user permissions, encryption
keys, security group rules, network ACLs, and other aspects of access management. The customer is responsible for protecting the security in the cloud as part of the AWS shared responsibility model. Security of
customer environments by using AWS Network Firewall partners refers to the security of the customer data and applications in the cloud. AWS Network Firewall is a managed service that provides network
protection for Amazon VPCs. It allows customers to use AWS Marketplace partners to implement firewall rules and policies. The customer is responsible for protecting the security in the cloud as part of the AWS
shared responsibility model .
QUESTION 198
Which AWS service or tool should a company use to forecast AWS spending?
A. Amazon DevPay
D. Cost Explorer
Correct Answer: D
Section:
Explanation:
Cost Explorer is an AWS service or tool that can be used to forecast AWS spending. It allows users to analyze their AWS costs and usage using interactive graphs and tables. It also provides features such as filtering,
grouping, and forecasting to help users plan their future spending. Amazon DevPay is an AWS service that allows developers to sell applications that are built on AWS services. It handles the billing and metering for
the customers of the applications and collects payments from them. It is not a tool for forecasting AWS spending. AWS Organizations is an AWS service that allows users to centrally manage and govern their AWS
www.VCEplus.io
accounts. It provides features such as creating groups of accounts, applying policies, and automating account creation. It is not a tool for forecasting AWS spending. AWS Trusted Advisor is an AWS service that
provides best practices and recommendations to optimize the performance, security, and cost of AWS resources. It can help users identify opportunities to reduce their AWS costs, but it is not a tool for forecasting
AWS spending
QUESTION 199
Which AWS service is always free of charge for users?
A. Amazon S3
B. Amazon Aurora
C. Amazon EC2
Correct Answer: D
Section:
Explanation:
AWS Identity and Access Management (IAM) is a service that allows users to manage access to AWS resources and services. It enables users to create and manage users, groups, roles, and policies that control who
can do what in AWS. IAM is always free of charge for users, as there is no additional cost for using IAM with any AWS service1. Amazon S3 is a storage service that provides scalable, durable, and secure object
storage. Amazon S3 has a free tier that offers 5 GB of storage, 20,000 GET requests, and 2,000 PUT requests per month for one year. However, users are charged for any additional usage beyond the free tier limits2.
Amazon Aurora is a relational database service that is compatible with MySQL and PostgreSQL. Amazon Aurora has a free tier that offers 750 hours of Aurora Single-AZ db.t2.small database usage and 20 GB of
storage per month for one year. However, users are charged for any additional usage beyond the free tier limits3. Amazon EC2 is a compute service that provides resizable virtual servers. Amazon EC2 has a free tier
that offers 750 hours of Linux and Windows t2.micro instances per month for one year. However, users are charged for any additional usage beyond the free tier limits4.
QUESTION 200
A company has multiple AWS accounts that include compute workloads that cannot be interrupted.

The company wants to obtain billing discounts that are based on the company's use of AWS services.
Which AWS feature or purchasing option will meet these requirements?
A. Resource tagging
B. Consolidated billing
D. Spot Instances
Correct Answer: B
Section:
Explanation:
Consolidated billing is an AWS feature that allows users to combine the usage and costs of multiple
AWS accounts into a single bill. This enables users to obtain billing discounts that are based on the company's use of AWS services, such as volume pricing tiers, Reserved Instance discounts, and Savings Plans
discounts5. Resource tagging is an AWS feature that allows users to assign metadata to AWS resources, such as EC2 instances, S3 buckets, and Lambda functions. This enables users to organize, track, and manage
their AWS resources, such as filtering, grouping, and reporting. Pay-asyou-go pricing is an AWS pricing model that allows users to pay only for the resources and services they use, without any upfront or long-term
commitments. This enables users to lower their costs by scaling up or down as needed, and avoiding over-provisioning or under-utilization. Spot Instances are spare EC2 instances that are available at up to 90%
discount compared to On-Demand prices. They are suitable for workloads that can tolerate interruptions, such as batch processing, data analysis, and testing. Spot Instances are allocated based on the current
supply and demand, and can be reclaimed by AWS with a two-minute notice when the demand exceeds the supply.
QUESTION 201
A company has an environment that includes Amazon EC2 instances, Amazon Lightsail, and onpremises servers. The company wants to automate the security updates for its operating systems and applications.
Which solution will meet these requirements with the LEAST operational effort?
A.
B.
C.
Use AWS Shield to identify and manage security events.
www.VCEplus.io
Connect to each server by using a remote desktop connection. Run an update script.
Use the AWS Systems Manager Patch Manager capability.
D. Schedule Amazon GuardDuty to run on a nightly basis.
Correct Answer: C
Section:
Explanation:
AWS Systems Manager Patch Manager is a capability that allows users to automate the security updates for their operating systems and applications. It enables users to scan their instances for missing patches,
define patch baselines, schedule patching windows, and monitor patch compliance.
It supports Amazon EC2 instances, Amazon Lightsail instances, and on-premises servers. AWS Shield is a service that provides protection against Distributed Denial of Service (DDoS) attacks for AWS resources and
services. It does not automate the security updates for operating systems and applications. Connecting to each server by using a remote desktop connection and running an update script is a manual and time-
consuming solution that requires a lot of operational effort. It is not a recommended best practice for automating the security updates for operating systems and applications. Amazon GuardDuty is a service that
provides intelligent threat detection and continuous monitoring for AWS accounts and resources. It does not automate the security updates for operating systems and applications.
QUESTION 202
A company that is planning to migrate to the AWS Cloud is based in an isolated area that has limited internet connectivity. The company needs to perform local data processing on premises. The company needs a
solution that can operate without a stable internet connection.
A. Amazon S3
B. AWS Snowball Edge
C. AWS StorageGateway

D. AWS Backup
Correct Answer: B
Section:
Explanation:
AWS Snowball Edge is a service that provides a physical device that can store up to 100 TB of data and perform local data processing on premises. It enables users to transfer data to and from the AWS Cloud in
areas with limited or no internet connectivity. It also supports AWS Greengrass, which allows users to run AWS Lambda functions and other AWS services locally without a stable internet connection. Amazon S3 is a
storage service that provides scalable, durable, and secure object storage. It requires a stable internet connection to transfer data to and from the AWS Cloud. AWS Storage Gateway is a service that provides a
hybrid storage solution that connects on-premises applications to AWS Cloud storage services, such as Amazon S3, Amazon S3 Glacier, and Amazon EBS.
It requires a stable internet connection to synchronize data between the on-premises and cloud storage. AWS Backup is a service that provides a centralized and automated solution to back up data across AWS
services and on-premises resources. It requires a stable internet connection to transfer data to and from the AWS Cloud.
QUESTION 203
A company wants to migrate its applications to the AWS Cloud. The company plans to identify and prioritize any business transformation opportunities and evaluate its AWS Cloud readiness.
Which AWS service or tool should the company use to meet these requirements?
A. AWS Cloud Adoption Framework (AWS CAF)

B. AWS Managed Services (AMS)
C. AWS Well-Architected Framework
D. AWS Migration Hub
Correct Answer: A
Section:
Explanation:
www.VCEplus.io
AWS Cloud Adoption Framework (AWS CAF) is a service or tool that helps users migrate their applications to the AWS Cloud. It provides guidance and best practices to identify and prioritize any business
transformation opportunities and evaluate their AWS Cloud readiness. It also helps users align their business and technical perspectives, create an actionable roadmap, and measure their progress. AWS Managed
Services (AMS) is a service that provides operational services for AWS infrastructure and applications. It helps users reduce their operational overhead and risk, and focus on their core business. It does not help
users identify and prioritize any business transformation opportunities and evaluate their AWS Cloud readiness. AWS Well-Architected Framework is a tool that helps users design and implement secure, high-
performing, resilient, and efficient solutions on AWS. It provides a set of questions and best practices across five pillars: operational excellence, security, reliability, performance efficiency, and cost optimization. It
does not help users identify and prioritize any business transformation opportunities and evaluate their AWS Cloud readiness. AWS Migration Hub is a service that provides a single location to track and manage the
migration of applications to AWS. It helps users discover their on-premises servers, group them into applications, and choose the right migration tools. It does not help users identify and prioritize any business
transformation opportunities and evaluate their AWS Cloud readiness.
QUESTION 204
Which controls are the responsibility of both AWS and AWS customers, according to the AWS shared responsibility model? (Select TWO.)
A. Physical and environmental controls

B. Patch management
C. Configuration management
D. Account structures
E. Choice of the AWS Region where data is stored
Section:
Explanation:
Patch management and configuration management are controls that are the responsibility of both AWS and AWS customers, according to the AWS shared responsibility model. Patch management is the process of
applying updates to software and applications to fix vulnerabilities, bugs, or performance issues. Configuration management is the process of defining and maintaining the settings and parameters of systems and

applications to ensure their consistency and reliability. AWS is responsible for patching and configuring the software and services that it manages, such as the AWS global infrastructure, the hypervisor, and the AWS
managed services. The customer is responsible for patching and configuring the software and services that they manage, such as the guest operating system, the applications, and the AWS customer-managed
services. Physical and environmental controls are the responsibility of AWS, according to the AWS shared responsibility model. Physical and environmental controls are the measures that protect the physical
security and availability of the AWS global infrastructure, such as power, cooling, fire suppression, and access control. AWS is responsible for maintaining these controls and ensuring the resilience and reliability of
the AWS Cloud. Account structures are the responsibility of the customer, according to the AWS shared responsibility model. Account structures are the ways that customers organize and manage their AWS
accounts and resources, such as using AWS Organizations, IAM users and roles, resource tagging, and billing preferences. The customer is responsible for creating and configuring these structures and ensuring the
security and governance of their AWS environment. Choice of the AWS Region where data is stored is the responsibility of the customer, according to the AWS shared responsibility model. AWS Regions are
geographic areas that consist of multiple isolated Availability Zones. Customers can choose which AWS Region to store their data and run their applications, depending on their latency, compliance, and cost
requirements. The customer is responsible for selecting the appropriate AWS Region and ensuring the data sovereignty and regulatory compliance of their data.
QUESTION 205
Which AWS service can a company use to securely store and encrypt passwords for a database?
A. AWS Shield
C. AWS Identity and Access Management (1AM)
D. Amazon Cognito
Correct Answer: B
Section:
Explanation:
AWS Secrets Manager is an AWS service that can be used to securely store and encrypt passwords for a database. It allows users to manage secrets, such as database credentials, API keys, and tokens, in a
centralized and secure way. It also provides features such as automatic rotation, fine-grained access control, and auditing. AWS Shield is an AWS service that provides protection against Distributed Denial of Service
www.VCEplus.io
(DDoS) attacks for AWS resources and services. It does not store or encrypt passwords for a database. AWS Identity and Access Management (IAM) is an AWS service that allows users to manage access to AWS
resources and services. It can be used to create users, groups, roles, and policies that control who can do what in AWS. It does not store or encrypt passwords for a database. Amazon Cognito is an AWS service that
provides user identity and data synchronization for web and mobile applications. It can be used to authenticate and authorize users, manage user profiles, and sync user data across devices. It does not store or
encrypt passwords for a database.
QUESTION 206
Which of the following is the customer's responsibility, according to the AWS shared responsibility model?
A. Identity and access management

B. Hard drive initialization
C. Protection of data center hardware
D. Security of Availability Zones
Correct Answer: A
Section:
Explanation:
Identity and access management is the customer's responsibility, according to the AWS shared responsibility model. This means that the customer is responsible for managing user access to the AWS resources,
using tools such as AWS Identity and Access Management (IAM), AWS Single Sign-On (SSO), and AWS Organizations. The customer is also responsible for securing their data in transit and at rest, using encryption,
key management, and other methods. Hard drive initialization, protection of data center hardware, and security of Availability Zones are AWS's responsibility, as they are part of the infrastructure, physical security,
and network security that AWS provides to the customer12
QUESTION 207
A company wants to create multiple isolated networks in the same AWS account.
Which AWS service or component will provide this functionality?

A. AWS Transit Gateway
B. Internet gateway
C. Amazon VPC
D. Amazon EC2
Correct Answer: C
Section:
Explanation:
Amazon Virtual Private Cloud (Amazon VPC) is the AWS service that allows customers to create multiple isolated networks in the same AWS account. A VPC is a logically isolated section of the AWS Cloud where
customers can launch AWS resources in a virtual network that they define. Customers can create multiple VPCs within an AWS account, each with its own IP address range, subnets, route tables, security groups,
network access control lists, gateways, and other components. AWS Transit Gateway, Internet gateway, and Amazon EC2 are not services or components that provide the functionality of creating multiple isolated
networks in the same AWS account. AWS Transit Gateway is a service that enables customers to connect their Amazon VPCs and their on-premises networks to a single gateway. An Internet gateway is a component
that enables communication between instances in a VPC and the Internet. Amazon EC2 is a service that provides scalable compute capacity in the cloud34
QUESTION 208
Which AWS service offers a global content delivery network (CDN) that helps companies securely deliver websites, videos, applications, and APIs at high speeds with low latency?
A. Amazon EC2
B. Amazon CloudFront
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
Amazon CloudFront is the AWS service that offers a global content delivery network (CDN) that helps companies securely deliver websites, videos, applications, and APIs at high speeds with low latency. Amazon
CloudFront is a web service that speeds up distribution of static and dynamic web content, such as HTML, CSS, JavaScript, and image files, to users. Amazon CloudFront uses a global network of edge locations,
located near users' geographic locations, to cache and serve content with high availability and performance. Amazon CloudFront also provides features such as AWS Shield for DDoS protection, AWS Certificate
Manager for SSL/TLS encryption, AWS WAF for web application firewall, and AWS Lambda@Edge for customizing content delivery with serverless code. Amazon EC2, Amazon CloudWatch, and AWS CloudFormation
are not services that offer a global CDN.
Amazon EC2 is a service that provides scalable compute capacity in the cloud. Amazon CloudWatch is a service that provides monitoring and observability for AWS resources and applications. AWS CloudFormation
is a service that provides a common language to model and provision AWS resources and their dependencies.
QUESTION 209
Which benefit of AWS Cloud computing provides lower latency between users and applications?
A. Agility
C. Global reach
D. Pay-as-you-go pricing
Correct Answer: C
Section:
Explanation:
Global reach is the benefit of AWS Cloud computing that provides lower latency between users and applications. Global reach means that AWS customers can deploy their applications and data in multiple regions

around the world, and deliver them to users with high performance and availability.
AWS has the largest global infrastructure of any cloud provider, with 25 geographic regions and 81 Availability Zones, as well as 216 Points of Presence in 84 cities across 42 countries. Customers can choose the
optimal locations for their applications and data based on their business requirements, such as compliance, data sovereignty, and customer proximity. Agility, economies of scale, and payas-you-go pricing are other
benefits of AWS Cloud computing, but they do not directly provide lower latency between users and applications. Agility means that AWS customers can quickly and easily provision and scale up or down AWS
resources as needed, without upfront costs or long-term commitments. Economies of scale means that AWS customers can benefit from the lower costs and higher efficiency that AWS achieves by operating at a
massive scale and passing the savings to the customers. Pay-as-you-go pricing means that AWS customers only pay for the AWS resources they use, without any upfront costs or long-term contracts.
QUESTION 210
Which design principles should a company apply to AWS Cloud workloads to maximize sustainability and minimize environmental impact? (Select TWO.)
A. Maximize utilization of Amazon EC2 instances.

B. Minimize utilization of Amazon EC2 instances.
C. Minimize usage of managed services.
D. Force frequent application reinstallations by users.
E. Reduce the need for users to reinstall applications.
Section:
Explanation:
To maximize sustainability and minimize environmental impact, a company should apply the following design principles to AWS Cloud workloads: maximize utilization of Amazon EC2 instances and reduce the need
for users to reinstall applications. Maximizing utilization of Amazon EC2 instances means that the company can optimize the performance and efficiency of their compute resources, and avoid wasting energy and
money on idle or underutilized instances. The company can use features such as Amazon EC2 Auto Scaling, Amazon EC2 Spot Instances, and AWS Compute Optimizer to automatically adjust the number and type of
instances based on demand, cost, and performance. Reducing the need for users to reinstall applications means that the company can minimize the amount of data and bandwidth required to deliver their
www.VCEplus.io
applications to users, and avoid unnecessary downloads and updates that consume energy and resources. The company can use services such as Amazon CloudFront, AWS AppStream 2.0, and AWS Amplify to
deliver their applications faster, more securely, and more efficiently to users across the globe. Minimizing utilization of Amazon EC2 instances, minimizing usage of managed services, and forcing frequent
application reinstallations by users are not design principles that would maximize sustainability and minimize environmental impact. Minimizing utilization of Amazon EC2 instances would reduce the performance
and efficiency of the compute resources, and potentially increase the costs and complexity of the cloud workloads. Minimizing usage of managed services would increase the operational overhead and
responsibility of the company, and potentially expose them to more security and reliability risks. Forcing frequent application reinstallations by users would increase the amount of data and bandwidth required to
deliver the applications to users, and potentially degrade the user experience and satisfaction.
QUESTION 211
An ecommerce company wants to design a highly available application that will be hosted on multiple Amazon EC2 instances.
How should the company deploy the EC2 instances to meet these requirements?
A. Across multiple edge locations

B. Across multiple VPCs
C. Across multiple Availability Zones
D. Across multiple AWS accounts
Correct Answer: C
Section:
Explanation:
The company should deploy the EC2 instances across multiple Availability Zones to design a highly available application. Availability Zones are isolated locations within an AWS Region that are engineered to be
fault-tolerant and operate independently of each other. By deploying the EC2 instances across multiple Availability Zones, the company can ensure that their application can withstand the failure of an entire
Availability Zone and continue to operate with minimal disruption.
Deploying the EC2 instances across multiple edge locations, VPCs, or AWS accounts will not provide the same level of availability and fault tolerance as Availability Zones. Edge locations are part of the Amazon
CloudFront service, which is a content delivery network (CDN) that caches and serves web content to users. VPCs are virtual networks that isolate the AWS resources within an AWS Region. AWS accounts are the

primary units of ownership and access control for AWS resources12
QUESTION 212
Which AWS Cloud design principle does a company follow by using AWS CloudTrail?
A. Recover automatically.
B. Perform operations as code.
C. Measure efficiency.
D. Ensure traceability.
Correct Answer: D
Section:
Explanation:
The company follows the AWS Cloud design principle of ensuring traceability by using AWS CloudTrail. AWS CloudTrail is a service that records the API calls and events made by or on behalf of the AWS account. The
company can use AWS CloudTrail to monitor, audit, and analyze the activity and changes in their AWS resources and applications. AWS CloudTrail helps the company to achieve compliance, security, governance,
and operational efficiency. Recovering automatically, performing operations as code, and measuring efficiency are other AWS Cloud design principles, but they are not directly related to using AWS CloudTrail.
Recovering automatically means that the company can design their cloud workloads to handle failures gracefully and resume normal operations without manual intervention. Performing operations as code means
that the company can automate the creation, configuration, and management of their cloud resources using scripts or templates. Measuring efficiency means that the company can monitor and optimize the
performance and utilization of their cloud resources and applications34
QUESTION 213
A company wants to move its data warehouse application to the AWS Cloud. The company wants to run and scale its analytics services without needing to provision and manage data warehouse clusters.
A.
B.
Amazon Redshift provisioned data warehouse
Amazon Redshift Serverless
www.VCEplus.io
C. Amazon Athena
D. Amazon S3
Correct Answer: B
Section:
Explanation:
Amazon Redshift Serverless is the AWS service that will meet the requirements of the company that wants to move its data warehouse application to the AWS Cloud and run and scale its analytics services without
needing to provision and manage data warehouse clusters. Amazon Redshift Serverless is a new feature of Amazon Redshift, which is a fully managed data warehouse service that allows customers to run complex
queries and analytics on large volumes of structured and semistructured data. Amazon Redshift Serverless automatically scales the compute and storage resources based on the workload demand, and customers
only pay for the resources they consume. Amazon Redshift Serverless also simplifies the management and maintenance of the data warehouse, as customers do not need to worry about choosing the right cluster
size, resizing the cluster, or distributing the data across the nodes. Amazon Redshift provisioned data warehouse, Amazon Athena, and Amazon S3 are not the best services to meet the requirements of the
company. Amazon Redshift provisioned data warehouse requires customers to choose the number and type of nodes for their cluster, and manually resize the cluster if their workload changes. Amazon Athena is a
serverless query service that allows customers to analyze data stored in Amazon S3 using standard SQL, but it is not a data warehouse service that can store and organize the data. Amazon S3 is a scalable object
storage service that can store any amount and type of data, but it is not a data warehouse service that can run complex queries and analytics on the data.
QUESTION 214
Which tasks are the responsibility of AWS according to the AWS shared responsibility model? (Select TWO.)
A. Configure AWS Identity and Access Management (1AM).

B. Configure security groups on Amazon EC2 instances.

C. Secure the access of physical AWS facilities.
D. Patch applications that run on Amazon EC2 instances.
E. Perform infrastructure patching and maintenance.
Section:
Explanation:
The tasks that are the responsibility of AWS according to the AWS shared responsibility model are securing the access of physical AWS facilities and performing infrastructure patching and maintenance. The AWS
shared responsibility model defines the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the physical security
of the hardware, software, networking, and facilities that run the AWS services. AWS is also responsible for the maintenance and patching of the infrastructure that supports the AWS services. The customer is
responsible for the security in the cloud, which includes the configuration and management of the AWS resources and applications that they use. Configuring AWS Identity and Access Management (IAM),
configuring security groups on Amazon EC2 instances, and patching applications that run on Amazon EC2 instances are tasks that are the responsibility of the customer, not AWS.
QUESTION 215
A company is running an order processing system on Amazon EC2 instances. The company wants to migrate microservices-based application.
Which combination of AWS services can the application use to meet these requirements? (Select TWO.)
A. Amazon Simple Queue Service (Amazon SQS)

B. AWS Lambda
C. AWS Migration Hub
D. AWS AppSync
E. AWS Application Migration Service
Section:
Explanation:
www.VCEplus.io
The combination of AWS services that the application can use to migrate to a microservices-based application are Amazon Simple Queue Service (Amazon SQS) and AWS Lambda. Amazon SQS is a fully managed
message queuing service that enables customers to decouple and scale microservices, distributed systems, and serverless applications. The application can use Amazon SQS to send, store, and receive messages
between the microservices, ensuring that each message is processed only once and in the right order. AWS Lambda is a serverless compute service that allows customers to run code without provisioning or
managing servers. The application can use AWS Lambda to create and deploy microservices as functions that are triggered by events, such as messages from Amazon SQS. AWS Migration Hub, AWS AppSync, and
AWS Application Migration Service are not the best services to use for migrating to a microservices-based application. AWS Migration Hub is a service that provides a single location to track the progress of
application migrations across multiple AWS and partner solutions. AWS AppSync is a service that simplifies the development of GraphQL APIs for real-time and offline data synchronization. AWS Application
Migration Service is a service that enables customers to migrate their on-premises applications to AWS without making any changes to the applications, servers, or databases.
QUESTION 216
A company wants to access a report about the estimated environmental impact of the company's AWS usage.
Which AWS service or feature should the company use to meet this requirement?
B. 1AM policy
C. AWS Billing console
D. Amazon Simple Notification Service (Amazon SNS)
Correct Answer: C
Section:
Explanation:

The company should use the AWS Billing console to access a report about the estimated environmental impact of the company's AWS usage. The AWS Billing console provides customers with various tools and
reports to manage and monitor their AWS costs and usage. One of the reports available in the AWS Billing console is the AWS Sustainability Dashboard, which shows the estimated carbon footprint and energy mix
of the customer's AWS usage. The company can use this dashboard to measure and improve the sustainability of their cloud workloads. AWS Organizations, IAM policy, and Amazon Simple Notification Service
(Amazon SNS) are not services or features that can provide a report about the estimated environmental impact of the company's AWS usage. AWS Organizations is a service that enables customers to centrally
manage and govern their AWS accounts. IAM policy is a document that defines the permissions for an IAM identity (user, group, or role) or an AWS resource. Amazon SNS is a fully managed pub/sub messaging
service that enables customers to send messages to subscribers or other AWS services.
QUESTION 217
A company has an AWS-hosted website located behind an Application Load Balancer. The company wants to safeguard the website from SQL injection or cross-site scripting.
A. Amazon GuardDuty
B. AWS WAF
D. Amazon Inspector
Correct Answer: B
Section:
Explanation:
The company should use AWS WAF to safeguard the website from SQL injection or cross-site scripting. AWS WAF is a web application firewall that helps protect web applications from common web exploits that
could affect availability, compromise security, or consume excessive resources. The company can use AWS WAF to create custom rules that block malicious requests that match certain patterns, such as SQL
injection or cross-site scripting. AWS WAF can be applied to web applications that are behind an Application Load Balancer, Amazon CloudFront, or Amazon API Gateway. Amazon GuardDuty, AWS Trusted Advisor,
and Amazon Inspector are not the best services to use for this purpose. Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior across the AWS accounts and
www.VCEplus.io
resources. AWS Trusted Advisor is a service that provides best practice recommendations for cost optimization, performance, security, and fault tolerance. Amazon Inspector is a service that assesses the security
and compliance of applications running on Amazon EC2 instances12
QUESTION 218
A company needs to host a web server on Amazon EC2 instances for at least 1 year. The web server cannot tolerate interruption.
Which EC2 instance purchasing option will meet these requirements MOST cost-effectively?
A. On-Demand Instances
B. Partial Upfront Reserved Instances
C. Spot Instances
D. No Upfront Reserved Instances
Correct Answer: B
Section:
Explanation:
The most cost-effective EC2 instance purchasing option for the company that needs to host a web server on Amazon EC2 instances for at least 1 year and cannot tolerate interruption is Partial Upfront Reserved
Instances. Reserved Instances are a pricing model that offer significant discounts compared to On-Demand Instances in exchange for a commitment to use a specific amount of compute capacity for a fixed period
of time (1 or 3 years). Partial Upfront Reserved Instances require customers to pay a portion of the total cost upfront, and the remaining cost in monthly installments over the term. This option offers a lower
effective hourly rate than No Upfront Reserved Instances, which require no upfront payment but have higher monthly payments. On-Demand Instances and Spot Instances are not the best options for the company.
On-Demand Instances are a pricing model that offer the most flexibility and no long-term commitment, but have the highest hourly rate. Spot Instances are a pricing model that offer the lowest cost, but are
subject to interruption based on supply and demand34
QUESTION 219
A company runs a database on Amazon Aurora in the us-east-1 Region. The company has a disaster recovery requirement that the database be available in another Region.

Which solution meets this requirement with minimal disruption to the database operations?
A. Perform an Aurora Multi-AZ deployment.

B. Deploy Aurora cross-Region read replicas.
C. Create Amazon Elastic Block Store (Amazon EBS) volume snapshots for Aurora and copy them to another Region.
D. Deploy Aurora Replicas.
Correct Answer: B
Section:
Explanation:
The solution that meets the requirement of the company that runs a database on Amazon Aurora in the us-east-1 Region and has a disaster recovery requirement that the database be available in another Region
with minimal disruption to the database operations is to deploy Aurora cross-Region read replicas. Aurora cross-Region read replicas are secondary Aurora clusters that are created in a different AWS Region from
the primary Aurora cluster, and are kept in sync with the primary cluster using physical replication. The company can use Aurora cross-Region read replicas to improve the availability and durability of the database,
as well as to reduce the recovery time objective (RTO) and recovery point objective (RPO) in case of a regional disaster. Performing an Aurora Multi-AZ deployment, creating Amazon EBS volume snapshots for
Aurora and copying them to another Region, and deploying Aurora Replicas are not the best solutions for this requirement. An Aurora Multi-AZ deployment is a configuration that creates one or more Aurora
Replicas within the same AWS Region as the primary Aurora cluster, and provides automatic failover in case of an Availability Zone outage. However, this does not provide cross-Region disaster recovery. Creating
Amazon EBS volume snapshots for Aurora and copying them to another Region is a manual process that requires stopping the database, creating the snapshots, copying them to the target Region, and restoring
them to a new Aurora cluster. This process can cause significant downtime and data loss. Deploying Aurora Replicas is a configuration that creates one or more secondary Aurora clusters within the same AWS
Region as the primary Aurora cluster, and provides read scaling and high availability.
However, this does not provide cross-Region disaster recovery.
QUESTION 220
Which AWS service requires the customer to patch the guest operating system?
A.
B.
AWS Lambda
Amazon OpenSearch Service
www.VCEplus.io
C. Amazon EC2
Correct Answer: C
Section:
Explanation:
The AWS service that requires the customer to patch the guest operating system is Amazon EC2.
Amazon EC2 is a service that provides scalable compute capacity in the cloud, and allows customers to launch and run virtual servers, called instances, with a variety of operating systems, configurations, and
specifications. The customer is responsible for patching and updating the guest operating system and any applications that run on the EC2 instances, as part of the security in the cloud. AWS Lambda, Amazon
OpenSearch Service, and Amazon ElastiCache are not services that require the customer to patch the guest operating system. AWS Lambda is a serverless compute service that allows customers to run code
without provisioning or managing servers. Amazon OpenSearch Service is a fully managed service that makes it easy to deploy, operate, and scale OpenSearch clusters in the AWS Cloud. Amazon ElastiCache is a
fully managed service that provides in-memory data store and cache solutions, such as Redis and Memcached. These services are managed by AWS, and AWS is responsible for patching and updating the
underlying infrastructure and software.
QUESTION 221
Which benefit of the AWS Cloud helps companies achieve lower usage costs because of the aggregate usage of all AWS users?
A. No need to guess capacity

B. Ability to go global in minutes
C. Economies of scale

D. Increased speed and agility
Correct Answer: C
Section:
Explanation:
The benefit of the AWS Cloud that helps companies achieve lower usage costs because of the aggregate usage of all AWS users is economies of scale. Economies of scale means that AWS can achieve lower costs
and higher efficiency by operating at a massive scale and passing the savings to the customers. AWS leverages the aggregate usage of all AWS users to negotiate better prices with hardware vendors, optimize
power consumption, and improve operational processes. As a result, AWS can offer lower and more flexible pricing options to the customers, such as pay-as-you-go, reserved, and spot pricing models. No need to
guess capacity, ability to go global in minutes, and increased speed and agility are other benefits of the AWS Cloud, but they are not directly related to the aggregate usage of all AWS users. No need to guess
capacity means that AWS customers can avoid the risk of over-provisioning or under-provisioning resources, and scale up or down as needed.
Ability to go global in minutes means that AWS customers can deploy their applications and data in multiple regions around the world, and deliver them to users with high performance and availability.
Increased speed and agility means that AWS customers can quickly and easily provision and access AWS resources, and accelerate their innovation and time to market.
QUESTION 222
Which options are common stakeholders for the AWS Cloud Adoption Framework (AWS CAF) platform perspective? (Select TWO.)
A. Chief financial officers (CFOs)

B. IT architects
C. Chief information officers (CIOs)
D. Chief data officers (CDOs)
E. Engineers
Section:
The common stakeholders for the AWS Cloud Adoption Framework (AWS CAF) platform perspective are IT architects and engineers. The AWS CAF is a guidance that helps organizations design and travel an
accelerated path to successful cloud adoption. The AWS CAF organizes the cloud adoption process into six areas of focus, called perspectives, which are business, people, governance, platform, security, and
operations. Each perspective is divided into capabilities, which are further divided into skills and responsibilities. The platform perspective focuses on the provisioning and management of the cloud infrastructure
and services that support the business applications. The platform perspective capabilities are design, implementation, and optimization. The stakeholders for the platform perspective are the IT architects and
engineers who are responsible for designing, implementing, and optimizing the cloud platform. Chief financial officers (CFOs), chief information officers (CIOs), and chief data officers (CDOs) are not the common
stakeholders for the AWS CAF platform perspective. CFOs are the common stakeholders for the AWS CAF business perspective, which focuses on the value realization of the cloud adoption. CIOs are the common
stakeholders for the AWS CAF governance perspective, which focuses on the alignment of the IT strategy and processes with the business strategy and goals. CDOs are the common stakeholders for the AWS CAF
security perspective, which focuses on the protection of the information assets and systems in the cloud.
QUESTION 223
A company wants to migrate to the AWS Cloud. The company needs the ability to acquire resources when the resources are necessary.
The company also needs the ability to release those resources when the resources are no longer necessary.
Which architecture concept of the AWS Cloud meets these requirements?
A. Elasticity
B. Availability
C. Reliability
D. Durability
Correct Answer: A
Section:
Explanation:

The architecture concept of the AWS Cloud that meets the requirements of the company that wants to migrate to the AWS Cloud and needs the ability to acquire and release resources as needed is elasticity.
Elasticity means that AWS customers can quickly and easily provision and scale up or down AWS resources as their demand changes, without any upfront costs or long-term commitments. AWS provides various
tools and services that enable customers to achieve elasticity, such as Amazon EC2 Auto Scaling, Amazon CloudWatch, and AWS CloudFormation. Elasticity helps customers optimize their performance, availability,
and cost efficiency. Availability, reliability, and durability are other architecture concepts of the AWS Cloud, but they are not directly related to the ability to acquire and release resources as needed. Availability
means that AWS customers can access their AWS resources and applications whenever and wherever they need them. Reliability means that AWS customers can depend on their AWS resources and applications to
function correctly and consistently. Durability means that AWS customers can preserve their data and objects for long periods of time without loss or corruption12
QUESTION 224
Which AWS service or tool provides recommendations to help users get rightsized Amazon EC2 instances based on historical workload usage data?

C. AWS App Runner
Correct Answer: B
Section:
Explanation:
The AWS service or tool that provides recommendations to help users get rightsized Amazon EC2 instances based on historical workload usage data is AWS Compute Optimizer. AWS Compute Optimizer is a service
that analyzes the configuration and performance of the AWS resources, such as Amazon EC2 instances, and provides recommendations for optimal resource types and sizes based on the workload patterns and
metrics. AWS Compute Optimizer helps users improve the performance, availability, and cost efficiency of their AWS resources. AWS Pricing Calculator, AWS App Runner, and AWS Systems Manager are not the best
services or tools to use for this purpose. AWS Pricing Calculator is a tool that helps users estimate the cost of using AWS services based on their requirements and preferences. AWS App Runner is a service that
helps users easily and quickly deploy web applications and APIs without managing any infrastructure. AWS Systems Manager is a service that helps users automate and manage the configuration and operation of
their AWS resources and applications34
QUESTION 225
www.VCEplus.io
Which AWS service is designed to help users orchestrate a workflow process for a set of AWS Lambda functions?
A. Amazon DynamoDB
B. AWS CodePipeline
C. AWS Batch
Correct Answer: D
Section:
Explanation:
The AWS service that is designed to help users orchestrate a workflow process for a set of AWS Lambda functions is AWS Step Functions. AWS Step Functions is a service that helps users coordinate multiple AWS
services into serverless workflows that can be triggered by events, such as messages, API calls, or schedules. AWS Step Functions allows users to create and visualize complex workflows that can include branching,
parallel execution, error handling, retries, and timeouts. AWS Step Functions can integrate with AWS Lambda to orchestrate a sequence of Lambda functions that perform different tasks or logic. Amazon
DynamoDB, AWS CodePipeline, and AWS Batch are not the best services to use for orchestrating a workflow process for a set of AWS Lambda functions. Amazon DynamoDB is a fully managed NoSQL database
service that provides fast and consistent performance, scalability, and flexibility. AWS CodePipeline is a fully managed continuous delivery service that helps users automate the release process of their applications.
AWS Batch is a fully managed service that helps users run batch computing workloads on the AWS Cloud.
QUESTION 226
Which options are perspectives that include foundational capabilities of the AWS Cloud Adoption Framework (AWS CAF)? (Select TWO.)
A. Sustainability

B. Security
C. Operations
E. Reliability
Section:
Explanation:
The options that are perspectives that include foundational capabilities of the AWS Cloud Adoption Framework (AWS CAF) are operations and performance efficiency. The AWS CAF is a guidance that helps
organizations design and travel an accelerated path to successful cloud adoption. The AWS CAF organizes the cloud adoption process into six areas of focus, called perspectives, which are business, people,
governance, platform, security, and operations. Each perspective is divided into capabilities, which are further divided into skills and responsibilities. The operations perspective focuses on the management and
monitoring of the cloud resources and applications, as well as the automation and optimization of the operational processes. The operations perspective capabilities are operations support, operations integration,
and service management. The performance efficiency perspective focuses on the selection and configuration of the right cloud resources and services to meet the performance requirements of the applications, as
well as the continuous improvement and innovation of the cloud solutions. The performance efficiency perspective capabilities are selection, review, and monitoring. Sustainability, security, and reliability are not
perspectives of the AWS CAF, but they are aspects of the AWS Well-Architected Framework. The AWS Well-Architected Framework is a guidance that helps users build and operate secure, reliable, efficient, and
cost-effective systems in the cloud. The AWS Well-Architected Framework consists of five pillars, which are operational excellence, security, reliability, performance efficiency, and cost optimization. Sustainability is
a cross-cutting theme that applies to all the pillars, and refers to the environmental and social impact of the cloud solutions.
QUESTION 227
Which perspective of the AWS Cloud Adoption Framework (AWS CAF) connects technology and business?
A. Operations
B. People
C.
D.
Security
Governance www.VCEplus.io
Correct Answer: D
Section:
Explanation:
The perspective of the AWS Cloud Adoption Framework (AWS CAF) that connects technology and business is governance. The governance perspective focuses on the alignment of the IT strategy and processes with
the business strategy and goals, as well as the management of the IT budget, risk, and compliance. The governance perspective capabilities are portfolio management, business performance management, and IT
governance. The governance perspective helps organizations ensure that their cloud adoption delivers the expected business value and outcomes, and that their cloud solutions are secure, reliable, and compliant.
Operations, people, and security are other perspectives of the AWS CAF, but they do not directly connect technology and business. The operations perspective focuses on the management and monitoring of the
cloud resources and applications, as well as the automation and optimization of the operational processes. The people perspective focuses on the development and empowerment of the human resources, as well
as the transformation of the organizational culture and structure. The security perspective focuses on the protection of the information assets and systems in the cloud, as well as the implementation of the
security policies and controls.
QUESTION 228
A company needs to host a highly available application in the AWS Cloud. The application runs infrequently for short periods of time.
Which AWS service will meet these requirements with the LEAST amount of operational overhead?
A. Amazon EC2
B. AWS Fargate
C. AWS Lambda
D. Amazon Aurora

Correct Answer: C
Section:
Explanation:
The AWS service that will meet the requirements of the company that needs to host a highly available application in the AWS Cloud that runs infrequently for short periods of time with the least amount of
operational overhead is AWS Lambda. AWS Lambda is a serverless compute service that allows customers to run code without provisioning or managing servers. The company can use AWS Lambda to create and
deploy their application as functions that are triggered by events, such as API calls, messages, or schedules. AWS Lambda automatically scales the compute resources based on the demand, and customers only pay
for the compute time they consume. AWS Lambda also simplifies the management and maintenance of the application, as customers do not need to worry about the underlying infrastructure, security, or
availability. Amazon EC2, AWS Fargate, and Amazon Aurora are not the best services to use for this purpose. Amazon EC2 is a service that provides scalable compute capacity in the cloud, and allows customers to
launch and run virtual servers, called instances, with a variety of operating systems, configurations, and specifications. Amazon EC2 requires customers to provision and manage the instances, and pay for the
instance hours they use, regardless of the application usage. AWS Fargate is a serverless compute engine for containers that allows customers to run containerized applications without managing servers or clusters.
AWS Fargate requires customers to specify the amount of CPU and memory resources for each container, and pay for the resources they allocate, regardless of the application usage. Amazon Aurora is a fully
managed relational database service that provides high performance, availability, and compatibility. Amazon Aurora is not a compute service, and it is not suitable for hosting an application that runs infrequently
for short periods of time12
QUESTION 229
A company is planning a migration to the AWS Cloud and wants to examine the costs that are associated with different workloads.
Which AWS tool will meet these requirements?
A. AWS Budgets
B. AWS Cost Explorer
Correct Answer: C
Section:
Explanation:
www.VCEplus.io
The AWS tool that will meet the requirements of the company that is planning a migration to the AWS Cloud and wants to examine the costs that are associated with different workloads is AWS Pricing Calculator.
AWS Pricing Calculator is a tool that helps customers estimate the cost of using AWS services based on their requirements and preferences. The company can use AWS Pricing Calculator to compare the costs of
different AWS services and configurations, such as Amazon EC2, Amazon S3, Amazon RDS, and more. AWS Pricing Calculator also provides detailed breakdowns of the cost components, such as compute, storage,
network, and data transfer. AWS Pricing Calculator helps customers plan and optimize their cloud budget and migration strategy. AWS Budgets, AWS Cost Explorer, and AWS Cost and Usage Report are not the best
tools to use for this purpose. AWS Budgets is a tool that helps customers monitor and manage their AWS spending and usage against predefined budget limits and thresholds. AWS Cost Explorer is a tool that helps
customers analyze and visualize their AWS spending and usage trends over time. AWS Cost and Usage Report is a tool that helps customers access comprehensive and granular information about their AWS costs
and usage in a CSV or Parquet file. These tools are more useful for tracking and optimizing the existing AWS costs and usage, rather than estimating the costs of different workloads34
QUESTION 230
A company is hosting a web application on Amazon EC2 instances. The company wants to implement custom conditions to filter and control inbound web traffic.
A. Amazon GuardDuty
B. AWSWAF
C. Amazon Macie
D. AWS Shield
Correct Answer: B
Section:
Explanation:
The AWS service that will meet the requirements of the company that is hosting a web application on Amazon EC2 instances and wants to implement custom conditions to filter and control inbound web traffic is

AWS WAF. AWS WAF is a web application firewall that helps protect web applications from common web exploits that could affect availability, compromise security, or consume excessive resources. The company
can use AWS WAF to create custom rules that block malicious requests that match certain patterns, such as SQL injection or cross-site scripting. AWS WAF can be applied to web applications that are behind an
Application Load Balancer, Amazon CloudFront, or Amazon API Gateway. Amazon GuardDuty, Amazon Macie, and AWS Shield are not the best services to use for this purpose. Amazon GuardDuty is a threat
detection service that monitors for malicious activity and unauthorized behavior across the AWS accounts and resources. Amazon Macie is a data security and data privacy service that uses machine learning and
pattern matching to discover, classify, and protect sensitive data stored in Amazon S3. AWS Shield is a managed distributed denial of service (DDoS) protection service that safeguards web applications running on
AWS. These services are more useful for detecting and preventing different types of threats and attacks, rather than filtering and controlling inbound web traffic based on custom conditions.
QUESTION 231
A company wants to create a chatbot and integrate the chatbot with its current web application.
A. AmazonKendra
B. Amazon Lex
C. AmazonTextract
D. AmazonPolly
Correct Answer: B
Section:
Explanation:
The AWS service that will meet the requirements of the company that wants to create a chatbot and integrate the chatbot with its current web application is Amazon Lex. Amazon Lex is a service that helps
customers build conversational interfaces using voice and text. The company can use Amazon Lex to create a chatbot that can understand natural language and respond to user requests, using the same deep
learning technologies that power Amazon Alexa. Amazon Lex also provides easy integration with other AWS services, such as Amazon Comprehend, Amazon Polly, and AWS Lambda, as well as popular platforms,
such as Facebook Messenger, Slack, and Twilio. Amazon Lex helps customers create engaging and interactive chatbots for their web applications. Amazon Kendra, Amazon Textract, and Amazon Polly are not the
www.VCEplus.io
best services to use for this purpose. Amazon Kendra is a service that helps customers provide accurate and natural answers to natural language queries using machine learning. Amazon Textract is a service that
helps customers extract text and data from scanned documents using optical character recognition (OCR) and machine learning. Amazon Polly is a service that helps customers convert text into lifelike speech using
deep learning. These services are more useful for different types of natural language processing and generation tasks, rather than creating and integrating chatbots.
QUESTION 232
Which AWS service is used to temporarily provide federated security credentials to a__________
A. Amazon GuardDuty
B. AWS Simple Token Service (AWS STS)
C. AWS Secrets Manager
D. AWS Certificate Manager
Correct Answer: B
Section:
Explanation:
The AWS service that is used to temporarily provide federated security credentials to a user is AWS Security Token Service (AWS STS). AWS STS is a service that enables customers to request temporary, limited-
privilege credentials for AWS Identity and Access Management (IAM) users or for users that they authenticate (federated users). The company can use AWS STS to grant federated users access to AWS resources
without creating permanent IAM users or sharing long-term credentials. AWS STS helps customers manage and secure access to their AWS resources for federated users. Amazon GuardDuty, AWS Secrets Manager,
and AWS Certificate Manager are not the best services to use for this purpose. Amazon GuardDuty is a threat detection service that monitors for malicious activity and unauthorized behavior across the AWS
accounts and resources. AWS Secrets Manager is a service that helps customers manage and rotate secrets, such as database credentials, API keys, and passwords. AWS Certificate Manager is a service that helps
customers provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and internal connected resources. These services are
more useful for different types of security and compliance tasks, rather than providing temporary federated security credentials to a user.
QUESTION 233

A company wants to securely store Amazon RDS database credentials and automatically rotate user passwords periodically.
Which AWS service or capability will meet these requirements?
A. Amazon S3
B. AWS Systems Manager Parameter Store
D. AWS CloudTrail
Correct Answer: C
Section:
Explanation:
AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and
other secrets throughout their lifecycle1. Amazon S3 is a storage service that does not offer automatic rotation of credentials. AWS Systems Manager Parameter Store is a service that provides secure, hierarchical
storage for configuration data management and secrets management2, but it does not offer automatic rotation of credentials. AWS CloudTrail is a service that enables governance, compliance, operational auditing,
and risk auditing of your AWS account3, but it does not store or rotate credentials.
QUESTION 234
A company has an application that runs periodically in an on-premises environment. The application runs for a few hours most days, but runs for 8 hours a day for a week at the end of each month.
Which AWS service or feature should be used to host the application in the AWS Cloud?
A. Amazon EC2 Standard Reserved Instances

B. Amazon EC2 On-Demand Instances
C. AWS Wavelength
D. Application Load Balancer
Correct Answer: B
www.VCEplus.io
Section:
Explanation:
Amazon EC2 On-Demand Instances are instances that you pay for by the second, with no long-term commitments or upfront payments4. This option is suitable for applications that have unpredictable or
intermittent workloads, such as the one described in the question. Amazon EC2 Standard Reserved Instances are instances that you purchase for a one-year or three-year term, and pay a lower hourly rate
compared to On-Demand Instances. This option is suitable for applications that have steady state or predictable usage. AWS Wavelength is a service that enables developers to build applications that deliver ultra-
low latency to mobile devices and users by deploying AWS compute and storage at the edge of the 5G network. This option is not relevant for the application described in the question. Application Load Balancer is
a type of load balancer that operates at the application layer and distributes traffic based on the content of the request. This option is not a service or feature to host the application, but rather to balance the traffic
among multiple instances.
QUESTION 235
A company is reviewing the design of an application that will be migrated from on premises to a single Amazon EC2 instance.
What should the company do to make the application highly available?
A. Provision additional EC2 instances in other Availability Zones.

B. Configure an Application Load Balancer (ALB). Assign the EC2 instance as the ALB's target.
C. Use an Amazon Machine Image (AMI) to create the EC2 instance.
D. Provision the application by using an EC2 Spot Instance.
Correct Answer: A
Section:

Explanation:
Provisioning additional EC2 instances in other Availability Zones is a way to make the application highly available, as it reduces the impact of failures and increases fault tolerance. Configuring an Application Load
Balancer and assigning the EC2 instance as the ALB's target is a way to distribute traffic among multiple instances, but it does not make the application highly available if there is only one instance. Using an Amazon
Machine Image to create the EC2 instance is a way to launch a virtual server with a preconfigured operating system and software, but it does not make the application highly available by itself. Provisioning the
application by using an EC2 Spot Instance is a way to use spare EC2 capacity at up to 90% off the On-Demand price, but it does not make the application highly available, as Spot Instances can be interrupted by EC2
with a two-minute notification.
QUESTION 236
Which AWS service provides a highly accurate and easy-to-use enterprise search service that is powered by machine learning (ML)?
A. Amazon Kendra
B. Amazon SageMaker
C. Amazon Augmented Al (Amazon A2I)
D. Amazon Polly
Correct Answer: A
Section:
Explanation:
Amazon Kendra is a service that provides a highly accurate and easy-to-use enterprise search service that is powered by machine learning. Kendra delivers powerful natural language search capabilities to your
websites and applications so your end users can more easily find the information they need within the vast amount of content spread across your company. Amazon SageMaker is a service that provides a fully
managed platform for data scientists and developers to quickly and easily build, train, and deploy machine learning models at any scale. Amazon Augmented AI (Amazon A2I) is a service that makes it easy to build
the workflows required for human review of ML predictions.
Amazon A2I brings human review to all developers, removing the undifferentiated heavy lifting associated with building human review systems or managing large numbers of human reviewers.
search service that is powered by machine learning.
QUESTION 237
www.VCEplus.io
Amazon Polly is a service that turns text into lifelike speech, allowing you to create applications that talk, and build entirely new categories of speech-enabled products. None of these services provide an enterprise
A company provides a software as a service (SaaS) application. The company has a new customer that is based in a different country.
The new customer's data needs to be hosted in that country.
Which AWS service or infrastructure component should the company use to meet this requirement?
A. AWS Shield
B. Amazon S3 Object Lock
C. AWS Regions
D. Placement groups
Correct Answer: C
Section:
Explanation:
AWS Regions are geographic areas around the world where AWS has clusters of data centers. Each AWS Region consists of multiple, isolated, and physically separate AZ's within a geographic area. By hosting the
customer's data in a specific AWS Region, the company can meet the requirement of hosting the data in the customer's country. AWS Shield is a service that provides always-on detection and automatic inline
mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. Amazon S3 Object Lock is a feature that allows you to store objects using a
write-once-read-many (WORM) model. You can use it to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely.
Placement groups are logical grouping of instances within a single Availability Zone. Placement groups enable applications to participate in a low-latency, 10 Gbps network. None of these services or infrastructure
components can help the company host the customer's data in a different country.
QUESTION 238

Which credential allows programmatic access to AWS resources for use from the AWS CLI or the AWS API?
A. User name and password

B. Access keys
C. SSH public keys
D. AWS Key Management Service (AWS KMS) keys
Correct Answer: B
Section:
Explanation:
Access keys are long-term credentials that consist of an access key ID and a secret access key. You use access keys to sign programmatic requests that you make to AWS using the AWS CLI or AWS API1. User name
and password are credentials that you use to sign in to the AWS Management Console or the AWS Management Console mobile app2. SSH public keys are credentials that you use to authenticate with EC2
instances that are launched from certain Linux AMIs3. AWS Key Management Service (AWS KMS) keys are customer master keys (CMKs) that you use to encrypt and decrypt your data and to control access to your
data across AWS services and in your applications4.
QUESTION 239
A company has developed a distributed application that recovers gracefully from interruptions. The application periodically processes large volumes of data by using multiple Amazon EC2 instances.
The application is sometimes idle for months.
Which EC2 instance purchasing option is MOST cost-effective for this use case?
A. Reserved Instances
B. Spot Instances
C. Dedicated Instances
D. On-Demand Instances
Correct Answer: B
www.VCEplus.io
Section:
Explanation:
Spot Instances are instances that use spare EC2 capacity that is available for up to 90% off the On-Demand price. Because Spot Instances can be interrupted by EC2 with two minutes of notification when EC2 needs
the capacity back, you can use them for applications that have flexible start and end times, or that can withstand interruptions5. This option is most cost-effective for the use case described in the question.
Reserved Instances are instances that you purchase for a one-year or three-year term, and pay a lower hourly rate compared to On-Demand Instances. This option is suitable for applications that have steady state
or predictable usage. Dedicated Instances are instances that run on hardware that's dedicated to a single customer within an Amazon VPC. This option is suitable for applications that have stringent regulatory or
compliance requirements. On-Demand Instances are instances that you pay for by the second, with no long-term commitments or upfront payments. This option is suitable for applications that have unpredictable
or intermittent workloads.
QUESTION 240
A company is running workloads for multiple departments within a single VPC. The company needs to be able to bill each department for its resource usage.
Which action should the company take to accomplish this goal with the LEAST operational overhead?
A. Add a department tag to each resource and configure cost allocation tags.
B. Move each department resource to its own VPC.
C. Move each department resource to its own AWS account.
D. Use AWS Organizations to get a billing report for each department.
Correct Answer: A
Section:

Explanation:
Adding a department tag to each resource and configuring cost allocation tags is an action that can help you accomplish the goal of billing each department for its resource usage with the least operational
overhead. Tags are simple labels consisting of a key and an optional value that you can assign to AWS resources. You can use tags to organize your resources and track your AWS costs on a detailed level. Cost
allocation tags enable you to track your AWS costs on a detailed level. After you activate cost allocation tags, AWS uses the cost allocation tags to organize your resource costs on your cost allocation report, to make
it easier for you to categorize and track your AWS costs2. Moving each department resource to its own VPC or its own AWS account is an action that can help you isolate and control the resources for each
department, but it would incur more operational overhead than using tags. Using AWS Organizations to get a billing report for each department is an action that can help you consolidate billing and payment across
multiple AWS accounts, but it would not help you bill each department for its resource usage within a single VPC.
QUESTION 241
A large company has multiple departments. Each department has its own AWS account. Each department has purchased Amazon EC2 Reserved Instances. Some departments do not use all the Reserved Instances
that they purchased, and other departments need more Reserved Instances than they purchased.
The company needs to manage the AWS accounts for all the departments so that the departments can share the Reserved Instances.
A. AWS Systems Manager

B. Cost Explorer
D. AWS Organizations
Correct Answer: D
Section:
Explanation:
AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. With AWS Organizations, you can apply service control policies
www.VCEplus.io
(SCPs) across multiple AWS accounts to restrict what services and actions users and roles can access. You can also use AWS Organizations to enable features such as consolidated billing, AWS Config rules and
conformance packs, and AWS CloudFormation StackSets across multiple accounts3. One of the benefits of using AWS Organizations is that you can share your Reserved Instances (RIs) with all of the accounts in
your organization. This enables you to take advantage of the billing benefits of RIs without having to specify which account will use them4. AWS Systems Manager is a service that gives you visibility and control of
your infrastructure on AWS. Cost Explorer is a tool that enables you to visualize, understand, and manage your AWS costs and usage over time. AWS Trusted Advisor is a service that provides real-time guidance to
help you provision your resources following AWS best practices. None of these services or tools can help you manage the AWS accounts for all the departments so that the departments can share the Reserved
Instances.
QUESTION 242
A manufacturing company has a critical application that runs at a remote site that has a slow internet connection. The company wants to migrate the workload to AWS. The application is sensitive to latency and
interruptions in connectivity. The company wants a solution that can host this application with minimum latency.
Which AWS service or feature should the company use to meet these requirements?
A. Availability Zones
B. AWS Local Zones
C. AWS Wavelength
D. AWS Outposts
Correct Answer: D
Section:
Explanation:
AWS Outposts is a service that offers fully managed and configurable compute and storage racks built with AWS-designed hardware that allow you to run your workloads on premises and seamlessly connect to
AWS services in the cloud. AWS Outposts is ideal for workloads that require low latency, local data processing, or local data storage. With AWS Outposts, you can use the same AWS APIs, tools, and infrastructure
across on premises and the cloud to deliver a truly consistent hybrid experience5. Availability Zones are isolated locations within each AWS Region that are engineered to be fault-tolerant and provide high
availability. AWS Local Zones are extensions of AWS Regions that are placed closer to large population, industry, and IT centers where no AWS Region exists today.

AWS Wavelength is a service that enables developers to build applications that deliver ultra-low latency to mobile devices and users by deploying AWS compute and storage at the edge of the 5G network. None of
these services or features can help you host a critical application with minimum latency at a remote site that has a slow internet connection.
QUESTION 243
Which AWS services can a company use to host and run a MySQL database? (Select TWO.)
A. Amazon RDS
B. Amazon DynamoDB
C. Amazon S3
D. Amazon EC2
E. Amazon MQ
Section:
Explanation:
Amazon RDS and Amazon EC2 are two AWS services that you can use to host and run a MySQL database. Amazon RDS is a service that makes it easy to set up, operate, and scale a relational database in the cloud.
You can use Amazon RDS to launch a MySQL database instance and let Amazon RDS manage common database tasks such as backups, patching, scaling, and replication6.
Amazon EC2 is a service that provides secure, resizable compute capacity in the cloud. You can use Amazon EC2 to launch a virtual server and install MySQL software on it. You have complete control over your
database configuration, but you are responsible for managing and maintaining the database software and the underlying infrastructure7. Amazon DynamoDB is a key-value and document database that delivers
single-digit millisecond performance at any scale. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. Amazon MQ is a managed message
broker service for Apache ActiveMQ. None of these services can help you host and run a MySQL database.
QUESTION 244
www.VCEplus.io
A company wants its workload to perform consistently and correctly.
Which benefit of AWS Cloud computing does this goal represent?
A. Security
B. Elasticity
D. Reliability
Correct Answer: D
Section:
Explanation:
Reliability is the benefit of AWS Cloud computing that ensures the workload performs consistently and correctly. According to the AWS Cloud Practitioner Essentials course, reliability means "the ability of a system
to recover from infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues."1 Elasticity, security,
and pay-as-you-go pricing are also benefits of AWS Cloud computing, but they do not directly relate to the goal of consistent and correct performance.
QUESTION 245
A company needs help managing multiple AWS linked accounts that are reported on a consolidated bill.
Which AWS Support plan includes an AWS concierge whom the company can ask for assistance?
A. AWS Developer Support

B. AWS Enterprise Support
D. AWS Basic Support

Correct Answer: B
Section:
Explanation:
AWS Enterprise Support is the AWS Support plan that includes an AWS concierge whom the company can ask for assistance. According to the AWS Support Plans page, AWS Enterprise Support provides "a
dedicated Technical Account Manager (TAM) who provides advocacy and guidance to help plan and build solutions using best practices, coordinate access to subject matter experts, and proactively keep your AWS
environment operationally healthy."2 AWS Business Support, AWS Developer Support, and AWS Basic Support do not include a TAM or a concierge service.
QUESTION 246
Which design principle is included in the operational excellence pillar of the AWS Well-Architected Framework?
A. Create annotated documentation.

B. Anticipate failure.
C. Ensure performance efficiency.
D. Optimize costs.
Correct Answer: A
Section:
Explanation:
Create annotated documentation is the design principle that is included in the operational excellence pillar of the AWS Well-Architected Framework. According to the AWS Well-Architected Framework whitepaper,
creating annotated documentation means "documenting your workload so that the team understands the architecture, how to operate the workload, and how the workload delivers value to customers."3
Anticipate failure, ensure performance efficiency, and optimize costs are design principles that belong to other pillars of the AWS Well-Architected Framework, such as reliability, performance efficiency, and cost
optimization.
QUESTION 247
A company is using Amazon RDS.
www.VCEplus.io
A company is launching a critical business application in an AWS Region.
How can the company increase resilience for this application?
A. Deploy a copy of the application in another AWS account.

B. Deploy the application by using multiple VPCs.
C. Deploy the application by using multiple subnets.
D. Deploy the application by using multiple Availability Zones.
Correct Answer: D
Section:
Explanation:
Deploying the application by using multiple Availability Zones is the best way to increase resilience for the application. According to the Amazon RDS User Guide, "Amazon RDS provides high availability and failover
support for DB instances using Multi-AZ deployments. In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB
instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups."4 Deploying a copy of the
application in another AWS account, using multiple VPCs, or using multiple subnets do not provide the same level of resilience as using multiple Availability Zones.
QUESTION 248
Which AWS services or tools are designed to protect a workload from SQL injections, cross-site scripting, and DDoS attacks? (Select TWO.)
A. VPC endpoint
B. Virtual private gateway

C. AWS Shield Standard
D. AWS Config
E. AWS WAF
Correct Answer: C
Section:
Explanation:
AWS Shield Standard and AWS WAF are the AWS services or tools that are designed to protect a workload from SQL injections, cross-site scripting, and DDoS attacks. According to the AWS Shield Developer Guide,
"AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that
minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection."5 According to the AWS WAF Developer Guide, "AWS WAF is a web application firewall
that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over how traffic
reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define." VPC
endpoint, virtual private gateway, and AWS Config are not designed to protect a workload from these types of attacks.
QUESTION 249
A company wants guidance to optimize the cost and performance of its current AWS environment.
Which AWS service or tool should the company use to identify areas for optimization?
A. Amazon QuickSight
C. AWS Organizations
D. AWS Budgets
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
AWS Trusted Advisor is the AWS service or tool that the company should use to identify areas for optimization. According to the AWS Trusted Advisor User Guide, "AWS Trusted Advisor is an online tool that
provides you real time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor checks help optimize your AWS infrastructure, increase security and performance, reduce
your overall costs, and monitor service limits." Amazon QuickSight, AWS Organizations, and AWS Budgets are not designed to provide optimization recommendations for the current AWS environment.
QUESTION 250
A new AWS user who has little cloud experience wants to build an application by using AWS services.
The user wants to learn how to implement specific AWS services from other customer examples. The user also wants to ask questions to AWS experts.
Which AWS service or resource will meet these requirements?
A. AWS Online Tech Talks

B. AWS documentation
C. AWS Marketplace
D. AWS Health Dashboard
Correct Answer: A
Section:
Explanation:
AWS Online Tech Talks are online presentations that cover a broad range of topics at varying technical levels and provide a live Q&A session with AWS experts. They are a great resource for new AWS users who
want to learn how to implement specific AWS services from other customer examples and ask questions to AWS experts. AWS documentation, AWS Marketplace, and AWS Health Dashboard do not offer the same
level of interactivity and guidance as AWS Online Tech Talks.

Source: AWS Online Tech Talks
QUESTION 251
A user discovered that an Amazon EC2 instance is missing an Amazon Elastic Block Store (Amazon EBS) data volume. The user wants to determine when the EBS volume was removed.
A. AWS Config
C. Amazon Timestream
D. Amazon QuickSight
Correct Answer: A
Section:
Explanation:
automate the evaluation of recorded configurations against desired configurations.
AWS Config can help you determine when an EBS volume was removed from an EC2 instance by providing a timeline of configuration changes and compliance status. AWS Trusted Advisor, Amazon Timestream, and
Amazon QuickSight do not provide the same level of configuration tracking and auditing as AWS Config. Source: AWS Config
QUESTION 252
What is an AWS responsibility under the AWS shared responsibility model?
A. Configure the security group rules that determine which ports are open on an Amazon EC2 Linux instance.
B.
C.
D.
www.VCEplus.io
Ensure the security of the internal network in the AWS data centers.
Patch the guest operating system with the latest security patches on Amazon EC2.
Turn on server-side encryption for Amazon S3 buckets.
A company wants to deploy its critical application on AWS and maintain high availability.
Correct Answer: B
Section:
Explanation:
Under the AWS shared responsibility model, AWS is responsible for ensuring the security of the internal network in the AWS data centers, as well as the physical security of the hardware and facilities that run AWS
services. AWS customers are responsible for configuring the security group rules that determine which ports are open on an EC2 Linux instance, patching the guest operating system with the latest security patches
on EC2, and turning on server-side encryption for S3 buckets.
Source: AWS Shared Responsibility Model
QUESTION 253
How should the company deploy the application to meet these requirements?
A. Ina single Availability Zone

B. On AWS Direct Connect
C. On Reserved Instances
D. In multiple Availability Zones
Correct Answer: D
Section:

Explanation:
Deploying the application in multiple Availability Zones is the best way to ensure high availability for the application. Availability Zones are isolated locations within an AWS Region that are engineered to be fault-
tolerant from failures in other Availability Zones. By deploying the application in multiple Availability Zones, the company can reduce the impact of outages and increase the resilience of the application. Deploying
the application in a single Availability Zone, on AWS Direct Connect, or on Reserved Instances does not provide the same level of high availability as deploying the application in multiple Availability Zones. Source:
Availability Zones
QUESTION 254
A company must store call recordings for 6 years. The storage system should be highly durable and cost-effective.
A. AWS Snowball
B. Amazon S3
C. AWS Storage Gateway
D. Amazon Kinesis
Correct Answer: B
Section:
Explanation:
Amazon S3 is a service that provides highly durable and cost-effective object storage for a variety of use cases, including backup and archive, big data analytics, disaster recovery, and cloud applications.
Amazon S3 offers 99.999999999% (11 9's) of durability, meaning that data is designed to withstand the loss of two facilities concurrently. Amazon S3 also offers several storage classes with different price and
performance characteristics, such as S3 Glacier and S3 Glacier Deep Archive, which are ideal for long-term archival of data that is rarely accessed. AWS Snowball, AWS Storage Gateway, and Amazon Kinesis are not
designed to provide the same level of durability and cost-effectiveness as Amazon S3 for storing call recordings for 6 years. Source: Amazon S3
QUESTION 255
www.VCEplus.io
In which categories does AWS Trusted Advisor provide recommended actions? (Select TWO.)
A. Operating system patches

C. Repetitive tasks
D. Service quotas
E. Account activity records
Section:
Explanation:
AWS Trusted Advisor is a service that provides real-time guidance to help you provision your resources following AWS best practices. AWS Trusted Advisor provides recommended actions in five categories: cost
optimization, performance, security, fault tolerance, and service quotas. Cost optimization helps you reduce your overall AWS costs by identifying idle and underutilized resources.
Service quotas helps you monitor and manage your usage of AWS service quotas and request quota increases. Operating system patches, repetitive tasks, and account activity records are not categories that AWS
Trusted Advisor provides recommended actions for. Source: [AWS Trusted Advisor]
QUESTION 256
Which actions are examples of a company's effort to right size its AWS resources to control cloud costs? (Select TWO.)
A. Switch from Amazon RDS to Amazon DynamoDB to accommodate NoSQL datasets.

B. Base the selection of Amazon EC2 instance types on past utilization patterns.
C. Use Amazon S3 Lifecycle policies to move objects that users access infrequently to lower-cost storage tiers.

D. Use Multi-AZ deployments for Amazon RDS.
E. Replace existing Amazon EC2 instances with AWS Elastic Beanstalk.
Section:
Explanation:
Basing the selection of Amazon EC2 instance types on past utilization patterns is a way to right size the AWS resources and optimize the performance and cost. Using Amazon S3 Lifecycle policies to move objects
that users access infrequently to lower-cost storage tiers is another way to reduce the storage costs and align them with the business value of the data. These two actions are recommended by the AWS Cost
Optimization Pillar1. Switching from Amazon RDS to Amazon DynamoDB is not necessarily a cost-saving action, as it depends on the use case and the data model.
Using Multi-AZ deployments for Amazon RDS is a way to improve the availability and durability of the database, but it also increases the cost. Replacing existing Amazon EC2 instances with AWS Elastic Beanstalk is
a way to simplify the deployment and management of the application, but it does not affect the cost of the underlying EC2 instances.
QUESTION 257
A company has a single Amazon EC2 instance. The company wants to adopt a highly available architecture.
What can the company do to meet this requirement?
A. Scale vertically to a larger EC2 instance size.

B. Scale horizontally across multiple Availability Zones.
C. Purchase an EC2 Dedicated Instance.
D. Change the EC2 instance family to a compute optimized instance.
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
Scaling horizontally across multiple Availability Zones is a way to adopt a highly available architecture, as it increases the fault tolerance and resilience of the application. Scaling vertically to a larger EC2 instance
size is a way to improve the performance of the application, but it does not improve the availability. Purchasing an EC2 Dedicated Instance is a way to isolate the instance from other AWS customers, but it does not
improve the availability. Changing the EC2 instance family to a compute optimized instance is a way to optimize the instance type for the workload, but it does not improve the availability. These concepts are
explained in the AWS Well-Architected Framework2.
QUESTION 258
A company is running an application that is hosted on Amazon EC2 instances. The usage of the EC2 instances is higher during daytime hours than nighttime hours. The company wants to optimize the number of
EC2 instances based on this usage pattern.
Which AWS service or instance purchasing option should the company use to meet these requirements?
A. Spot Instances
B. Reserved Instances
C. AWS CloudFormation
D. AWS Auto Scaling
Correct Answer: D
Section:
Explanation:
AWS Auto Scaling is the AWS service that allows users to optimize the number of EC2 instances based on the usage pattern, as it automatically adjusts the capacity to maintain steady and predictable performance
at the lowest possible cost. Spot Instances are a way to reduce the cost of EC2 instances by bidding on unused EC2 capacity, but they are not suitable for applications that require steady and reliable performance.
Reserved Instances are a way to reduce the cost of EC2 instances by committing to a certain amount of usage for a period of time, but they are not flexible to adjust to the usage pattern. AWS CloudFormation is a
way to automate the creation and management of AWS resources, but it does not optimize the number of EC2 instances based on the usage pattern. These concepts are explained in the AWS Cloud Practitioner
Essentials course3.

QUESTION 259
Which AWS services allow users to monitor and retain records of account activities that include governance, compliance, and auditing?
(Select TWO.)
B. AWS CloudTrail
C. Amazon GuardDuty
D. AWS Shield
E. AWS WAF
Section:
Explanation:
Amazon CloudWatch and AWS CloudTrail are the AWS services that allow users to monitor and retain records of account activities that include governance, compliance, and auditing. Amazon CloudWatch is a
service that collects and tracks metrics, collects and monitors log files, and sets alarms. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS
account. Amazon GuardDuty, AWS Shield, and AWS WAF are AWS services that provide security and protection for AWS resources, but they do not monitor and retain records of account activities. These concepts
are explained in the AWS Cloud Practitioner Essentials course3.
QUESTION 260
Which AWS service or tool provides on-demand access to AWS security and compliance reports and AWS online agreements?
A. AWS Artifact
C.
D.
Amazon Inspector
AWS Billing console
www.VCEplus.io
Correct Answer: A
Section:
Explanation:
AWS Artifact is the AWS service or tool that provides on-demand access to AWS security and compliance reports and AWS online agreements. AWS Trusted Advisor is a tool that provides realtime guidance to help
users provision their resources following AWS best practices. Amazon Inspector is a service that helps users improve the security and compliance of their applications. AWS Billing console is a tool that helps users
manage their AWS costs and usage. These concepts are explained in the AWS Cloud Practitioner Essentials course3.
QUESTION 261
A company wants to move its iOS application development and build activities to AWS.
Which AWS service or resource should the company use for these activities?
A. AWS CodeCommit
B. Amazon EC2 M1 Mac instances
C. AWS Amplify
D. AWS App Runner
Correct Answer: B
Section:
Explanation:
Amazon EC2 M1 Mac instances are the AWS service or resource that the company should use for its iOS application development and build activities, as they enable users to run macOS on AWS and access a broad

and growing set of AWS services. AWS CodeCommit is a service that provides a fully managed source control service that hosts secure Git-based repositories. AWS Amplify is a set of tools and services that enable
developers to build full-stack web and mobile applications using AWS.
AWS App Runner is a service that makes it easy for developers to quickly deploy containerized web applications and APIs. These concepts are explained in the AWS Developer Tools page4.
QUESTION 262
Which statements explain the business value of migration to the AWS Cloud? (Select TWO.)
A. The migration of enterprise applications to the AWS Cloud makes these applications automatically available on mobile devices.
B. AWS availability and security provide the ability to improve service level agreements (SLAs) while reducing risk and unplanned downtime.
C. Companies that migrate to the AWS Cloud eliminate the need to plan for high availability and disaster recovery.
D. Companies that migrate to the AWS Cloud reduce IT costs related to infrastructure, freeing budget for reinvestment in other areas.
E. Applications are modernized because migration to the AWS Cloud requires companies to rearchitect and rewrite all enterprise applications.
Section:
Explanation:
B and D are correct because AWS availability and security enable customers to improve their SLAs while reducing risk and unplanned downtime1, and AWS reduces IT costs related to infrastructure, allowing
customers to reinvest in other areas2. A is incorrect because migrating to the AWS Cloud does not automatically make applications available on mobile devices, as it depends on the application design and
compatibility. C is incorrect because companies that migrate to the AWS Cloud still need to plan for high availability and disaster recovery, as AWS is a shared responsibility model3. E is incorrect because migrating
to the AWS Cloud does not require companies to rearchitect and rewrite all enterprise applications, as AWS offers different migration strategies depending on the application complexity and business objectives4.
QUESTION 263
Which AWS service is designed to help users build conversational interfaces into applications using voice and text?
A.
B.
Amazon Lex
Amazon Transcribe
www.VCEplus.io
C. Amazon Comprehend
D. Amazon Timestream
Correct Answer: A
Section:
Explanation:
A is correct because Amazon Lex is the AWS service that helps users build conversational interfaces into applications using voice and text. B is incorrect because Amazon Transcribe is the AWS service that helps
users convert speech to text. C is incorrect because Amazon Comprehend is the AWS service that helps users analyze text using natural language processing. D is incorrect because Amazon Timestream is the AWS
service that helps users collect, store, and process time series data.
QUESTION 264
A company wants to develop a shopping application that records customer orders. The application needs to use an AWS managed database service to store data.
A. Amazon RDS
B. Amazon Redshift
C. Amazon ElastiCache
D. Amazon Neptune
Correct Answer: A

Section:
Explanation:
A is correct because Amazon RDS is the AWS service that provides a managed relational database service that supports various database engines, such as MySQL, PostgreSQL, Oracle, and SQL Server.
B is incorrect because Amazon Redshift is the AWS service that provides a managed data warehouse service that is optimized for analytical queries. C is incorrect because Amazon ElastiCache is the AWS service
that provides a managed in-memory data store service that supports Redis and Memcached.
D is incorrect because Amazon Neptune is the AWS service that provides a managed graph database service that supports property graph and RDF models.
QUESTION 265
A company wants to use Amazon EC2 instances for a stable production workload that will run for 1 year.
Which instance purchasing option meets these requirements MOST cost-effectively?
A. Dedicated Hosts
C. On-Demand Instances
D. Spot Instances
Correct Answer: B
Section:
Explanation:
B is correct because Reserved Instances are the instance purchasing option that offers the most costeffective way to use Amazon EC2 instances for a stable production workload that will run for 1 year, as they
provide significant discounts compared to On-Demand Instances in exchange for a commitment to use a specific amount of computing power for a period of time. A is incorrect because Dedicated Hosts are the
instance purchasing option that allows customers to use physical servers that are fully dedicated to their use, which is more expensive and less flexible than Reserved Instances. C is incorrect because On-Demand
Instances are the instance purchasing option that allows customers to pay for compute capacity by the hour or second with no long-term commitments, which is more suitable for short-term, variable, and
www.VCEplus.io
unpredictable workloads. D is incorrect because Spot Instances are the instance purchasing option that allows customers to bid on spare Amazon EC2 computing capacity, which is more suitable for flexible,
scalable, and fault-tolerant workloads that can tolerate interruptions.
QUESTION 266
A company needs a repository that stores source code. The company needs a way to update the running software when the code changes.
Which combination of AWS services will meet these requirements? (Select TWO.)
A. AWS CodeCommit
B. AWS CodeDeploy
C. Amazon DynamoDB
D. Amazon S3
E. Amazon Elastic Container Service (Amazon ECS)
Section:
Explanation:
A and B are correct because AWS CodeCommit is the AWS service that provides a fully managed source control service that hosts secure Git-based repositories1, and AWS CodeDeploy is the AWS service that
automates code deployments to any instance, including Amazon EC2 instances and servers running on-premises2. These two services can be used together to store source code and update the running software
when the code changes. C is incorrect because Amazon DynamoDB is the AWS service that provides a fully managed NoSQL database service that supports key-value and document data models3. It is not related to
storing source code or updating software. D is incorrect because Amazon S3 is the AWS service that provides object storage through a web service interface4.
It can be used to store source code, but it does not provide source control features or update software. E is incorrect because Amazon Elastic Container Service (Amazon ECS) is the AWS service that allows users to
run, scale, and secure Docker container applications. It can be used to deploy containerized software, but it does not store source code or update software.
QUESTION 267

A company is setting up AWS Identity and Access Management (1AM) on an AWS account.
Which recommendation complies with 1AM security best practices?
A. Use the account root user access keys for administrative tasks.
B. Grant broad permissions so that all company employees can access the resources they need.
C. Turn on multi-factor authentication (MFA) for added security during the login process.
D. Avoid rotating credentials to prevent issues in production applications.
Correct Answer: C
Section:
Explanation:
C is correct because turning on multi-factor authentication (MFA) for added security during the login process is one of the IAM security best practices recommended by AWS. MFA adds an extra layer of protection
on top of the user name and password, making it harder for attackers to access the AWS account. A is incorrect because using the account root user access keys for administrative tasks is not a good practice, as the
root user has full access to all the resources in the AWS account and can cause irreparable damage if compromised. AWS recommends creating individual IAM users with the least privilege principle and using roles
for applications that run on Amazon EC2 instances. B is incorrect because granting broad permissions so that all company employees can access the resources they need is not a good practice, as it increases the
risk of unauthorized or accidental actions on the AWS resources. AWS recommends granting only the permissions that are required to perform a task and using groups to assign permissions to IAM users. D is
incorrect because avoiding rotating credentials to prevent issues in production applications is not a good practice, as it increases the risk of credential leakage or compromise. AWS recommends rotating credentials
regularly and using temporary security credentials from AWS STS when possible.
QUESTION 268
A company wants to run its production workloads on AWS. The company needs concierge service, a designated AWS technical account manager (TAM), and technical support that is available 24 hours a day, 7 days
a week.
Which AWS Support plan will meet these requirements?
A.
B.
AWS Basic Support
AWS Enterprise Support
www.VCEplus.io
D. AWS Developer Support
Correct Answer: B
Section:
Explanation:
B is correct because AWS Enterprise Support is the AWS Support plan that provides concierge service, a designated AWS technical account manager (TAM), and technical support that is available 24 hours a day, 7
days a week. This plan is designed for customers who run mission-critical workloads on AWS and need the highest level of support. A is incorrect because AWS Basic Support is the AWS Support plan that provides
customer service and support for billing and account issues, service limit increases, and technical support for a limited set of AWS services. It does not provide concierge service, a designated TAM, or 24/7 technical
support. C is incorrect because AWS Business Support is the AWS Support plan that provides customer service and support for billing and account issues, service limit increases, and technical support for all AWS
services, as well as access to AWS Trusted Advisor and AWS Support API. It does not provide concierge service or a designated TAM. D is incorrect because AWS Developer Support is the AWS Support plan that
provides customer service and support for billing and account issues, service limit increases, and technical support for all AWS services, as well as access to AWS Trusted Advisor. It does not provide concierge
service, a designated TAM, or 24/7 technical support.
QUESTION 269
Which AWS service or feature can be used to control inbound and outbound traffic on an Amazon EC2 instance?
A. Internet gateways
B. AWS Identity and Access Management (1AM)
C. Network ACLs

D. Security groups
Correct Answer: D
Section:
Explanation:
D is correct because security groups are the AWS service or feature that can be used to control inbound and outbound traffic on an Amazon EC2 instance. Security groups act as a virtual firewall for the EC2
instance, allowing users to specify which protocols, ports, and source or destination IP addresses are allowed or denied. A is incorrect because internet gateways are the AWS service or feature that enable
communication between instances in a VPC and the internet. They do not control the traffic on an EC2 instance. B is incorrect because AWS Identity and Access Management (IAM) is the AWS service or feature
that enables users to manage access to AWS services and resources securely. It does not control the traffic on an EC2 instance. C is incorrect because network ACLs are the AWS service or feature that provide an
optional layer of security for the VPC that acts as a firewall for controlling traffic in and out of one or more subnets. They do not control the traffic on an EC2 instance.
QUESTION 270
A user is moving a workload from a local data center to an architecture that is distributed between the local data center and the AWS Cloud.
Which type of migration is this?
A. On-premises to cloud native

B. Hybrid to cloud native
C. On-premises to hybrid
D. Cloud native to hybrid
Correct Answer: C
Section:
Explanation:
www.VCEplus.io
C is correct because moving a workload from a local data center to an architecture that is distributed between the local data center and the AWS Cloud is an example of an on-premises to hybrid migration. A hybrid
cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and public cloud services with orchestration between the platforms. A is incorrect because onpremises to cloud native
migration is the process of moving a workload from a local data center to an architecture that is fully hosted and managed on the AWS Cloud. B is incorrect because hybrid to cloud native migration is the process of
moving a workload from an architecture that is distributed between the local data center and the AWS Cloud to an architecture that is fully hosted and managed on the AWS Cloud. D is incorrect because cloud
native to hybrid migration is the process of moving a workload from an architecture that is fully hosted and managed on the AWS Cloud to an architecture that is distributed between the local data center and the
AWS Cloud.
QUESTION 271
Which AWS solution provides the ability for a company to run AWS services in the company's onpremises data center?
A. AWS Direct Connect

B. AWS Outposts
C. AWS Systems Manager hybrid activations
D. AWS Storage Gateway
Correct Answer: B
Section:
Explanation:
AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience.
AWS Outposts enables you to run AWS services in your on-premises data center1.
QUESTION 272
A company provides a web-based ecommerce service that runs in two Availability Zones within a single AWS Region. The web service distributes content that is stored in the Amazon S3 Standard storage class. The
company wants to improve the web service's performance globally.

What should the company do to meet this requirement?
A. Change the S3 storage class to S3 Intelligent-Tiering.

B. Deploy an Amazon CloudFront distribution to cache web server content in edge locations.
C. Use Amazon API Gateway for the web service.
D. Migrate the website ecommerce servers to Amazon EC2 with enhanced networking.
Correct Answer: B
Section:
Explanation:
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-
friendly environment. CloudFront can cache web server content in edge locations, which are located closer to the end users, to improve the web service's performance globally2.
QUESTION 273
What is a characteristic of Convertible Reserved Instances (RIs)?
A. Users can exchange Convertible RIs for other Convertible RIs from a different instance family.
B. Users can exchange Convertible RIs for other Convertible RIs in different AWS Regions.
C. Users can sell and buy Convertible RIs on the AWS Marketplace.
D. Users can shorten the term of their Convertible RIs by merging them with other Convertible RIs.
Correct Answer: A
Section:
Explanation:
www.VCEplus.io
Convertible Reserved Instances (RIs) are a type of Reserved Instance that allow you to change the attributes of the RI as long as the exchange results in the creation of Reserved Instances of equal or greater value.
You can exchange Convertible RIs for other Convertible RIs from a different instance family, size, platform, tenancy, or scope (Region or Availability Zone)3.
QUESTION 274
Which AWS service is always available free of charge to users?
A. Amazon Athena
B. AWS Identity and Access Management (1AM)
D. Amazon ElastiCache A company has only basic knowledge of AWS technologies.
Correct Answer: B
Section:
Explanation:
AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and
what resources they can use and in what ways (authorization). IAM is always available free of charge to users4.
QUESTION 275
Which AWS service provides the SIMPLEST way for the company to establish a website on AWS?
A. Amazon Elastic File System (Amazon EFS)


C. AWS Lambda
D. Amazon Lightsail
Correct Answer: D
Section:
Explanation:
Amazon Lightsail is an easy-to-use cloud platform that offers you everything needed to build an application or website, plus a cost-effective, monthly plan. Whether you're new to the cloud or looking to get on the
cloud quickly with AWS infrastructure you trust, we've got you covered.
Lightsail provides the simplest way for the company to establish a website on AWS.
QUESTION 276
A company wants to migrate its application to AWS. The company wants to replace upfront expenses with variable payment that is based on usage.
A. Use pay-as-you-go pricing.

B. Purchase Reserved Instances.
C. Pay less by using more.
D. Rightsize instances.
Correct Answer: A
Section:
Explanation:
Pay-as-you-go pricing is one of the main benefits of AWS. With pay-as-you-go pricing, you pay only for what you use, when you use it. There are no long-term contracts, termination fees, or complex licensing. You
www.VCEplus.io
replace upfront expenses with lower variable costs and pay only for the resources you consume.
QUESTION 277
A company manages factory machines in real time. The company wants to use AWS technology to deploy its monitoring applications as close to the factory machines as possible.
Which AWS solution will meet these requirements with the LEAST latency?
A. AWS Outposts
B. Amazon EC2
C. AWS App Runner
D. AWS Batch
Correct Answer: A
Section:
Explanation:
AWS Outposts enables you to run AWS services in your on-premises data center1.
QUESTION 278
Which option is a pillar of the AWS Well-Architected Framework?
A. Patch management
C. Business technology strategy

D. Physical and environmental controls
Correct Answer: B
Section:
Explanation:
The AWS Well-Architected Framework helps you understand the pros and cons of decisions you make while building systems on AWS. By using the Framework, you will learn architectural best practices for
designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. The Framework consists of five pillars: operational excellence, security, reliability, performance efficiency, and cost
optimization2.
QUESTION 279
A company is collecting user behavior patterns to identify how to meet goals for sustainability impact.
Which guidelines are best practices for the company to implement to meet these goals? (Select TWO.)
A. Scale infrastructure with user load.

B. Maximize the geographic distance between workloads and user locations.
C. Eliminate creation and maintenance of unused assets.
D. Scale resources with excess capacity and remove auto scaling.
E. Scale infrastructure based on the number of users.
Section:
Explanation:
To meet the goals for sustainability impact, the company should follow the best practices of scaling infrastructure with user load and eliminating creation and maintenance of unused assets. Scaling infrastructure
www.VCEplus.io
with user load means adjusting the capacity of the infrastructure to match the demand of the users, which can reduce the energy consumption and carbon footprint of the system. Eliminating creation and
maintenance of unused assets means avoiding the waste of resources and money on assets that are not needed or used, which can also improve the environmental and economic efficiency of the system3.
QUESTION 280
A company is running an application on AWS. The company wants to identify and prevent the accidental
Which AWS service or feature will meet these requirements?
A. Amazon GuardDuty
B. Network ACL
C. AWS WAF
D. AWS Network Firewall
Correct Answer: A
Section:
Explanation:
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
With the cloud, the collection and aggregation of account and network activities is simplified, but it can be time consuming for security teams to continuously analyze event log data for potential threats. With
GuardDuty, you can automate anomaly detection and get actionable findings to help you protect your AWS resources4.
QUESTION 281
A company has an Amazon S3 bucket containing images of scanned financial invoices. The company is building an artificial intelligence (Al)-based application on AWS. The company wants the application to identify
and read total balance amounts on the invoices.

A. Amazon Forecast
B. Amazon Textract
C. Amazon Rekognition
D. Amazon Lex
Correct Answer: B
Section:
Explanation:
Amazon Textract is a service that automatically extracts text and data from scanned documents.
Amazon Textract goes beyond simple optical character recognition (OCR) to also identify the contents of fields in forms and information stored in tables. Amazon Textract can analyze images of scanned financial
invoices and extract the total balance amounts, as well as other relevant information, such as invoice number, date, vendor name, etc5.
QUESTION 282
A company migrated its core application onto multiple workloads in the AWS Cloud. The company wants to improve the application's reliability.
Which cloud design principle should the company implement to achieve this goal?
A. Maximize utilization.
B. Decouple the components.
C. Rightsize the resources.
D. Adopt a consumption model.
Correct Answer: B
Section:
Decoupling the components of an application means reducing the dependencies and interactions between them, which can improve the application's reliability, scalability, and performance. Decoupling can be
achieved by using services such as Amazon Simple Queue Service (Amazon SQS), Amazon Simple Notification Service (Amazon SNS), and AWS Lambda1
QUESTION 283
A company is using AWS Organizations to configure AWS accounts.
A company is planning its migration to the AWS Cloud. The company is identifying its capability gaps by using the AWS Cloud Adoption Framework (AWS CAF) perspectives.
Which phase of the cloud transformation journey includes these identification activities?
A. Envision
B. Align
C. Scale
D. Launch
Correct Answer: A
Section:
Explanation:
The Envision phase of the cloud transformation journey is where the company defines its vision, business drivers, and desired outcomes for the cloud adoption. The company also identifies its capability gaps by
using the AWS Cloud Adoption Framework (AWS CAF) perspectives, which are business, people, governance, platform, security, and operations2.
QUESTION 284
Which aspect of security is the customer's responsibility, according to the AWS shared responsibility model?

A. Patch and configuration management
B. Service and communications protection or zone security
C. Physical and environmental controls
D. Awareness and training
Correct Answer: A
Section:
Explanation:
According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. This means that AWS provides the physical and
environmental controls, the service and communications protection, and the awareness and training for its employees, while the customer provides the patch and configuration management, the identity and
access management, the data encryption, and the firewall configuration for its resources3.
QUESTION 285
A developer needs to maintain a development environment infrastructure and a production environment infrastructure in a repeatable fashion.
Which AWS service should the developer use to meet these requirements?
A. AWS Ground Station

B. AWS Shield
C. AWS loT Device Defender
Correct Answer: D
Section:
AWS CloudFormation is a service that allows you to model and provision your AWS and third-party application resources in a repeatable and predictable way. You can use AWS CloudFormation to create, update,
and delete a collection of resources as a single unit, called a stack. You can also use AWS CloudFormation to manage your development and production environments in a consistent and efficient manner4.
QUESTION 286
A company wants to migrate its on-premises application to the AWS Cloud. The company is legally obligated to retain certain data in its onpremises data center.
Which AWS service or feature will support this requirement?
A. AWS Wavelength
B. AWS Local Zones
C. VMware Cloud on AWS
D. AWS Outposts
Correct Answer: D
Section:
Explanation:
AWS Outposts enables you to run AWS services in your on-premises data center, which can support the requirement of retaining certain data on-premises due to legal obligations5.
QUESTION 287
A company has set up a VPC in its AWS account and has created a subnet in the VPC. The company wants to make the subnet public.
Which AWS features should the company use to meet this requirement? (Select TWO.)

A. Amazon VPC internet gateway
B. Amazon VPC NAT gateway
C. Amazon VPC route tables
D. Amazon VPC network ACL
E. Amazon EC2 security groups
Section:
Explanation:
To make a subnet public, the company should use an Amazon VPC internet gateway and an Amazon VPC route table. An internet gateway is a horizontally scaled, redundant, and highly available VPC component
that allows communication between your VPC and the internet. A route table contains a set of rules, called routes, that are used to determine where network traffic from your subnet or gateway is directed. To
enable internet access for a subnet, you need to attach an internet gateway to your VPC and add a route to the internet gateway in the route table associated with the subnet.
QUESTION 288
A company has a compliance requirement to record and evaluate configuration changes, as well as perform remediation actions on AWS resources.
A. AWS Config
C. AWS CloudTrail
Correct Answer: A
Section:
Explanation:
www.VCEplus.io
With AWS Config, you can review changes in configurations and relationships between AWS resources, dive into detailed resource configuration histories, and determine your overall compliance against the
configurations specified in your internal guidelines. This can help you simplify compliance auditing, security analysis, change management, and operational troubleshooting1.
QUESTION 289
A retail company has recently migrated its website to AWS. The company wants to ensure that it is protected from SQL injection attacks. The website uses an Application Load Balancer to distribute traffic to
multiple Amazon EC2 instances.
Which AWS service or feature can be used to create a custom rule that blocks SQL injection attacks?
A. Security groups
B. AWS WAF
C. Network ACLs
D. AWS Shield
Correct Answer: B
Section:
Explanation:
AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. AWS WAF
gives you control over how traffic reaches your applications by enabling you to create security rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific

traffic patterns you define2. You can use AWS WAF to create a custom rule that blocks SQL injection attacks on your website.
QUESTION 290
A company has an application workload that is stateless by design and can sustain occasional downtime. The application performs massively parallel computations.
Which Amazon EC2 pricing model should the company choose for its application to reduce cost?
B. Spot Instances
D. Dedicated Instances
Correct Answer: B
Section:
Explanation:
Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot Instances are available at up to a 90% discount compared to On-Demand prices. You can use Spot Instances for
various stateless, fault-tolerant, or flexible applications such as big data, containerized workloads, CI/CD, web servers, high-performance computing (HPC), and other test & development workloads. Spot Instances
are well-suited for massively parallel computations, as they can provide large amounts of compute capacity at a low cost, and can be interrupted with a two-minute notice3
QUESTION 291
A company wants to store data with high availability, encrypt the data at rest, and have direct access to the data over the internet.
Which AWS service will meet these requirements MOST cost-effectively?
A. Amazon Elastic Block Store (AmazonEBS)

B.
C.
D.
Amazon S3
Amazon Elastic File System (Amazon EFS)
AWS Storage Gateway
www.VCEplus.io
Correct Answer: C
Section:
Explanation:
Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on demand to petabytes
without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth.
Amazon EFS offers two storage classes: the Standard storage class, and the Infrequent Access storage class (EFS IA). EFS IA provides price/performance that is cost-optimized for files not accessed every day. Amazon
EFS encrypts data at rest and in transit, and supports direct access over the internet4.
QUESTION 292
Which AWS service or feature enables users to encrypt data at rest in Amazon S3?
A. 1AM policies
B. Server-side encryption
C. Amazon GuardDuty
D. Client-side encryption
Correct Answer: B
Section:
Explanation:

Server-side encryption is an encryption option that Amazon S3 provides to encrypt data at rest in Amazon S3. With server-side encryption, Amazon S3 encrypts an object before saving it to disk in its data centers
and decrypts it when you download the objects. You have three server-side encryption options to choose from: SSE-S3, SSE-C, and SSE-KMS. SSE-S3 uses keys that are managed by Amazon S3. SSE-C allows you to
manage your own encryption keys. SSE-KMS uses keys that are managed by AWS Key Management Service (AWS KMS)5.
QUESTION 293
An auditor is preparing for an annual security audit. The auditor requests certification details for a company's AWS hosted resources across multiple Availability Zones in the us-east-1 Region.
How should the company respond to the auditor's request?
A. Open an AWS Support ticket to request that the AWS technical account manager (TAM) respond and help the auditor.
B. Open an AWS Support ticket to request that the auditor receive approval to conduct an onsite assessment of the AWS data centers in which the company operates.
C. Explain to the auditor that AWS does not need to be audited because the company's application is hosted in multiple Availability Zones.
D. Use AWS Artifact to download the applicable report for AWS security controls. Provide the report to the auditor.
Correct Answer: D
Section:
Explanation:
AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS' security and compliance reports and select online agreements.
Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance
verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure
Agreement (NDA). You can use AWS Artifact to download the applicable report for AWS security controls and provide it to the auditor.
QUESTION 294
Which benefits can customers gain by using AWS Marketplace? (Select TWO.)
A.
B.
Speed of business
Fewer legal objections
www.VCEplus.io
C. Ability to pay with credit cards
D. No requirement for product licenses for any products
E. Free use of all services for the first hour
Section:
Explanation:
AWS Marketplace is a digital catalog that offers thousands of software products and solutions from independent software vendors (ISVs) and AWS partners. Customers can use AWS Marketplace to find, buy, and
deploy software on AWS. Some of the benefits of using AWS Marketplace are:
Speed of business: You can quickly and easily discover and deploy software that meets your business needs, without having to go through lengthy procurement processes. You can also use AWS Marketplace to test
and compare different solutions before making a purchase decision.
Fewer legal objections: You can benefit from standardized contract terms and conditions that are pre-negotiated between AWS and the ISVs. This reduces the time and effort required to review and approve legal
agreements.
QUESTION 295
A company wants to receive alerts to monitor its overall operating costs for its AWS public cloud infrastructure.
Which AWS offering will meet these requirements?
A. Amazon EventBridge
B. Compute Savings Plans

C. AWS Budgets
D. Migration Evaluator
Correct Answer: C
Section:
Explanation:
AWS Budgets is a service that enables you to plan your service usage, service costs, and instance reservations. You can use AWS Budgets to create custom budgets that alert you when your costs or usage exceed (or
are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to monitor how close your usage and costs are to meeting your reservation purchases1
QUESTION 296
According to the AWS shared responsibility model, which task is the customer's responsibility?
A. Maintaining the infrastructure needed to run AWS Lambda

B. Updating the operating system of Amazon DynamoDB instances
C. Maintaining Amazon S3 infrastructure
D. Updating the guest operating system on Amazon EC2 instances
Correct Answer: D
Section:
Explanation:
The AWS shared responsibility model describes the division of responsibilities between AWS and the customer for security and compliance. AWS is responsible for the security of the cloud, which includes the
hardware, software, networking, and facilities that run AWS services. The customer is responsible for security in the cloud, which includes the customer data, applications, operating systems, and network and
firewall configurations. Therefore, updating the guest operating system on Amazon EC2 instances is the customer's responsibility2

Which of the following actions are controlled with AWS Identity and Access Management (1AM)?
(Select TWO.)
A. Control access to AWS service APIs and to other specific resources.

B. Provide intelligent threat detection and continuous monitoring.
C. Protect the AWS environment using multi-factor authentication (MFA).
D. Grant users access to AWS data centers.
E. Provide firewall protection for applications from common web attacks.
Section:
Explanation:
AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely. You can use IAM to perform the following actions:
Control access to AWS service APIs and to other specific resources: You can create users, groups, roles, and policies that define who can access which AWS resources and how. You can also use IAM to grant
temporary access to users or applications that need to perform certain tasks on your behalf3 Protect the AWS environment using multi-factor authentication (MFA): You can enable MFA for your IAM users and root
user to add an extra layer of security to your AWS account. MFA requires users to provide a unique authentication code from an approved device or SMS text message, in addition to their user name and password,
when they sign in to AWS4
QUESTION 298
A company needs to securely store important credentials that an application uses to connect users to a database.
Which AWS service can meet this requirement with the MINIMAL amount of operational overhead?

B. AWS Config
D. Amazon GuardDuty
Correct Answer: C
Section:
Explanation:
AWS Secrets Manager is a service that helps you protect secrets needed to access your applications, services, and IT resources. You can use AWS Secrets Manager to store, rotate, and retrieve database credentials,
API keys, and other secrets throughout their lifecycle. AWS Secrets Manager eliminates the need to hardcode sensitive information in plain text, and reduces the risk of unauthorized access or leakage. AWS Secrets
Manager also integrates with other AWS services, such as AWS Lambda, Amazon RDS, and AWS CloudFormation, to simplify the management of secrets across your environment5
QUESTION 299
Which AWS service or feature is associated with a subnet in a VPC and is used to control inbound and outbound traffic?
A. Amazon Inspector
B. Network ACLs
C. AWS Shield
D. VPC Flow Logs
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
Network ACLs (network access control lists) are an optional layer of security for your VPC that act as a firewall for controlling traffic in and out of one or more subnets. You can use network ACLs to allow or deny
traffic based on protocol, port, or source and destination IP address. Network ACLs are stateless, meaning that they do not track the traffic that flows through them. Therefore, you must create rules for both
inbound and outbound traffic.
QUESTION 300
Which task does AWS perform automatically?
A. Encrypt data that is stored in Amazon DynamoDB.

B. Patch Amazon EC2 instances.
C. Encrypt user network traffic.
D. Create TLS certificates for users' websites.
Correct Answer: B
Section:
Explanation:
AWS performs some tasks automatically to help you manage and secure your AWS resources. One of these tasks is patching Amazon EC2 instances. AWS provides two options for patching your EC2 instances:
managed instances and patch baselines. Managed instances are a group of EC2 instances or on-premises servers that you can manage using AWS Systems Manager. Patch baselines define the patches that AWS
Systems Manager applies to your instances. You can use AWS Systems Manager to automate the process of patching your instances based on a schedule or a maintenance window.
QUESTION 301
A company is migrating its data center to AWS. The company needs an AWS Support plan that provides chat access to a cloud sup engineer 24 hours a day, 7 days a week. The company does not require access to
infrastructure event management.

What is the MOST cost-effective AWS Support plan that meets these requirements?
A. AWS Enterprise Support

C. AWS Developer Support
Correct Answer: B
Section:
Explanation:
AWS Business Support is the most cost-effective AWS Support plan that provides chat access to a cloud support engineer 24/7. AWS Business Support also offers phone and email support, as well as a response
time of less than one hour for urgent issues. AWS Business Support does not include access to infrastructure event management, which is a feature of AWS Enterprise Support. AWS Enterprise Support is more
expensive and provides additional benefits, such as a technical account manager, a support concierge, and a response time of less than 15 minutes for critical issues. AWS Developer Support and AWS Basic Support
do not provide chat access to a cloud support engineer. AWS Developer Support provides email support and a response time of less than 12 hours for general guidance issues. AWS Basic Support provides customer
service and account support, as well as access to forums and documentation1
QUESTION 302
In the AWS shared responsibility model, which tasks are the responsibility of AWS? (Select TWO.)
A. Patch an Amazon EC2 instance operating system.

B. Configure a security group.
C. Monitor the health of an Availability Zone.
D. Protect the infrastructure that runs Amazon EC2 instances.
E. Manage access to the data in an Amazon S3 bucket
www.VCEplus.io
Section:
Explanation:
According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, which includes the tasks of monitoring the health of an Availability Zone and protecting the infrastructure that
runs Amazon EC2 instances. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. AWS monitors the health and performance of each
Availability Zone and notifies customers of any issues or disruptions.
AWS also protects the infrastructure that runs AWS services, such as Amazon EC2, by implementing physical, environmental, and operational security measures. AWS is not responsible for patching an Amazon EC2
instance operating system, configuring a security group, or managing access to the data in an Amazon S3 bucket. These are the customer's responsibilities for security in the cloud. The customer must ensure that
the operating system and applications on their EC2 instances are up to date and secure. The customer must also configure the security group rules that control the inbound and outbound traffic for their EC2
instances. The customer must also manage the access permissions and encryption settings for their S3 buckets and objects2
QUESTION 303
A company's IT team is managing MySQL database server clusters. The IT team has to patch the database and take backup snapshots of the data in the clusters. The company wants to move this workload to AWS
so that these tasks will be completed automatically.
A. Deploy MySQL database server clusters on Amazon EC2 instances.

B. Use Amazon RDS with a MySQL database.
C. Use an AWS CloudFormation template to deploy MySQL database servers on Amazon EC2 instances.
D. Migrate all the MySQL database data to Amazon S3.

Correct Answer: B
Section:
Explanation:
Amazon RDS is a service that makes it easy to set up, operate, and scale a relational database in the cloud. Amazon RDS supports MySQL as one of the database engines. By using Amazon RDS with a MySQL
database, the company can offload the tasks of patching the database and taking backup snapshots to AWS. Amazon RDS automatically patches the database software and operating system of the database
instances. Amazon RDS also automatically backs up the database and retains the backups for a user-defined retention period. The company can also restore the database to any point in time within the retention
period. Deploying MySQL database server clusters on Amazon EC2 instances, using an AWS CloudFormation template to deploy MySQL database servers on Amazon EC2 instances, or migrating all the MySQL
database data to Amazon S3 are not the best options to meet the requirements. These options would not automate the tasks of patching the database and taking backup snapshots, and would require more
operational overhead from the company3
QUESTION 304
A company needs to store infrequently used data for data archives and long-term backups.
A company needs a history report about how its Amazon EC2 instances were modified last month.
Which AWS service can be used to meet this requirement?
A. AWS Service Catalog

B. AWS Config
D. AWS Artifact
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
AWS Config can also track changes to your EC2 instances over time and provide a history report of the modifications. AWS Service Catalog, Amazon CloudWatch, and AWS Artifact are not the best services to meet
this requirement. AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS. Amazon CloudWatch is a service that monitors your AWS resources
and applications and provides metrics, alarms, dashboards, and logs. AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and online agreements
QUESTION 305
A company wants to use the latest technologies and wants to minimize its capital investment.
Instead of upgrading on-premises infrastructure, the company wants to move to the AWS Cloud.
Which AWS Cloud benefit does this scenario describe?
A. Increased speed to market

B. The trade of infrastructure expenses for operating expenses
C. Massive economies of scale
D. The ability to go global in minutes
Correct Answer: B
Section:
Explanation:
The trade of infrastructure expenses for operating expenses is one of the benefits of the AWS Cloud.
By moving to the AWS Cloud, the company can avoid the upfront costs of purchasing and maintaining on-premises infrastructure, such as servers, storage, network, and software. Instead, the company can pay only
for the AWS resources and services that they use, as they use them. This reduces the risk and complexity of planning and managing IT infrastructure, and allows the company to focus on innovation and growth.
Increased speed to market, massive economies of scale, and the ability to go global in minutes are also benefits of the AWS Cloud, but they are not the best ones to describe this scenario. Increased speed to
market means that the company can launch new products and services faster by using AWS services and tools. Massive economies of scale means that the company can benefit from the lower costs and higher

performance that AWS achieves by operating at a large scale. The ability to go global in minutes means that the company can deploy their applications and data in multiple regions and availability zones around the
world to reach their customers faster and improve performance and reliability5
QUESTION 306
Which AWS service provides threat detection by monitoring for malicious activities and unauthorized actions to protect AWS accounts, workloads, and data that is stored in Amazon S3?
A. AWS Shield
B. AWS Firewall Manager
C. Amazon GuardDuty
D. Amazon Inspector
Correct Answer: C
Section:
Explanation:
Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for your AWS accounts, workloads, and data. Amazon GuardDuty analyzes and processes data sources, such as
VPC Flow Logs, AWS CloudTrail event logs, and DNS logs, to identify malicious activities and unauthorized actions, such as reconnaissance, instance compromise, account compromise, and data exfiltration. Amazon
GuardDuty can also detect threats to your data stored in Amazon S3, such as API calls from unusual locations or disabling of preventative controls. Amazon GuardDuty generates findings that summarize the details
of the detected threats and provides recommendations for remediation. AWS Shield, AWS Firewall Manager, and Amazon Inspector are not the best services to meet this requirement. AWS Shield is a service that
provides protection against distributed denial of service (DDoS) attacks. AWS Firewall Manager is a service that allows you to centrally configure and manage firewall rules across your accounts and resources.
Amazon
Inspector is a service that assesses the security and compliance of your applications running on EC2 instances.
QUESTION 307
A. File storage
www.VCEplus.io
Amazon Elastic File System (Amazon EFS) and Amazon FSx offer which type of storage?
B. Object storage
C. Block storage
D. Instance store
Correct Answer: A
Section:
Explanation:
Amazon Elastic File System (Amazon EFS) and Amazon FSx are AWS services that offer file storage.
File storage is a type of storage that organizes data into files and folders that can be accessed and shared over a network. File storage is suitable for applications that require shared access to data, such as content
management, media processing, and web serving. Amazon EFS provides a simple, scalable, and fully managed elastic file system that can be used with AWS Cloud services and onpremises resources. Amazon FSx
provides fully managed third-party file systems, such as Windows File Server and Lustre, with native compatibility and high performance12
QUESTION 308
Which AWS service provides protection against DDoS attacks for applications that run in the AWS Cloud?
A. Amazon VPC
B. AWS Shield
C. AWS Audit Manager
D. AWS Config

Correct Answer: B
Section:
Explanation:
AWS Shield is an AWS service that provides protection against distributed denial of service (DDoS) attacks for applications that run in the AWS Cloud. DDoS attacks are attempts to make an online service
unavailable by overwhelming it with traffic from multiple sources. AWS Shield provides two tiers of protection: AWS Shield Standard and AWS Shield Advanced. AWS Shield Standard is automatically enabled for all
AWS customers at no additional charge. It provides protection against common and frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced is an optional paid service that provides
additional protection against larger and more sophisticated DDoS attacks. AWS Shield Advanced also provides access to 24/7 DDoS response team, cost protection, and enhanced detection and mitigation
capabilities
QUESTION 309
A company wants to migrate its server-based applications to the AWS Cloud. The company wants to determine the total cost of ownership for its compute resources that will be hosted on the AWS Cloud.
Which combination of AWS services or tools will meet these requirements?

B. Migration Evaluator
C. AWS Support Center
D. AWS Application Discovery Service
E. AWS Database Migration Service (AWS DMS)
Section:
Explanation:
AWS Pricing Calculator and AWS Application Discovery Service are the best combination of AWS services or tools to meet the requirements of determining the total cost of ownership for compute resources that
www.VCEplus.io
will be hosted on the AWS Cloud. AWS Pricing Calculator is a tool that enables you to estimate the cost of using AWS services based on your usage scenarios and requirements. You can use AWS Pricing Calculator to
compare the costs of running your applications on-premises or on AWS, and to optimize your AWS spending. AWS Application Discovery Service is a service that helps you plan your migration to the AWS Cloud by
collecting and analyzing information about your onpremises servers, applications, and dependencies. You can use AWS Application Discovery Service to identify the inventory of your on-premises infrastructure,
group servers by applications, and estimate the performance and resource utilization of your applications45
QUESTION 310
A company is planning to migrate to the AWS Cloud and wants to become more responsive to customer inquiries and feedback. The company wants to focus on organizational transformation.
A company wants to give its customers the ability to view specific data that is hosted in Amazon S3 buckets. The company wants to keep control over the full datasets that the company shares with the customers.
Which S3 feature will meet these requirements?
A. S3 Storage Lens
B. S3 Cross-Region Replication (CRR)
C. S3 Versioning D.S3 Access Points
Correct Answer:
Section:
Explanation:
S3 Access Points are a feature of Amazon S3 that allows you to easily manage access to specific data that is hosted in S3 buckets. S3 Access Points are unique hostnames that customers can use to access data in S3
buckets. You can create multiple access points for a single bucket, each with its own name and permissions. You can use S3 Access Points to provide different levels of access to different groups of customers, such
as read-only or write-only access. You can also use S3 Access Points to enforce encryption or logging requirements for specific data. S3 Access Points help you keep control over the full datasets that you share with
your customers, while simplifying the access management and improving the performance and scalability of your applications.
QUESTION 311
Which AWS services can limit manual errors by consistently provisioning AWS resources in multiple envirom

A. AWS Config
B. AWS CodeStar
C. AWS CloudFormation
D. AWS Cloud Development Kit (AWS CDK)
E. AWS CodeBuild
Section:
Explanation:
AWS CloudFormation and AWS Cloud Development Kit (AWS CDK) are AWS services that can limit manual errors by consistently provisioning AWS resources in multiple environments. AWS CloudFormation is a
service that enables you to model and provision AWS resources using templates.
You can use AWS CloudFormation to define the AWS resources and their dependencies that you need for your applications, and to automate the creation and update of those resources across multiple
environments, such as development, testing, and production. AWS CloudFormation helps you ensure that your AWS resources are configured consistently and correctly, and that you can easily replicate or modify
them as needed. AWS Cloud Development Kit (AWS CDK) is a service that enables you to use familiar programming languages, such as Python, TypeScript, Java, and C#, to define and provision AWS resources. You
can use AWS CDK to write code that synthesizes into AWS CloudFormation templates, and to leverage the existing libraries and tools of your preferred language. AWS CDK helps you reduce the complexity and
errors of writing and maintaining AWS CloudFormation templates, and to apply the best practices and standards of software development to your AWS infrastructure.
QUESTION 312
A company is preparing to launch a redesigned website on AWS. Users from around the world will download digital handbooks from the website.
Which AWS solution should the company use to provide these static files securely?
A. Amazon Kinesis Data Streams

B.
C.
D.
Amazon CloudFront with Amazon S3
Amazon EC2 instances with an Application Load Balancer
www.VCEplus.io
Correct Answer: B
Section:
Explanation:
Amazon CloudFront with Amazon S3 is a solution that allows you to provide static files securely to users from around the world. Amazon CloudFront is a fast content delivery network (CDN) service that securely
delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. Amazon S3 is an object storage service that offers industry-
leading scalability, data availability, security, and performance. You can use Amazon S3 to store and retrieve any amount of data from anywhere. You can also configure Amazon S3 to work with Amazon CloudFront
to distribute your content to edge locations near your users for faster delivery and lower latency. Amazon Kinesis Data Streams is a service that enables you to build custom applications that process or analyze
streaming data for specialized needs. This option is not relevant for providing static files securely. Amazon EC2 instances with an Application Load Balancer is a solution that allows you to distribute incoming traffic
across multiple targets, such as EC2 instances, in multiple Availability Zones. This option is suitable for dynamic web applications, but not necessary for static files. Amazon Elastic File System (Amazon EFS) is a
service that provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and onpremises resources. This option is not relevant for providing static files securely.
QUESTION 313
Which service is an AWS in-memory data store service?
A. Amazon Aurora
B. Amazon RDS
C. Amazon DynamoDB

Correct Answer: D
Section:
Explanation:
Amazon ElastiCache is a service that offers fully managed in-memory data store and cache services that deliver sub-millisecond response times to applications. You can use Amazon ElastiCache to improve the
performance of your applications by retrieving data from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based databases. Amazon Aurora is a relational database service that
combines the performance and availability of high-end commercial databases with the simplicity and cost-effectiveness of open source databases. Amazon RDS is a service that makes it easy to set up, operate, and
scale a relational database in the cloud. Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale.
None of these services are in-memory data store services.
QUESTION 314
Which AWS service or tool offers consolidated billing?
A. AWS Artifact
B. AWS Budgets
C. AWS Organizations
D. AWS Trusted Advisor A company wants to limit its employees' AWS access to a portfolio of predefined AWS resources.
Correct Answer: C
Section:
Explanation:
AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an organization that you create and centrally manage. With AWS Organizations, you can create a single payment method
for all the AWS accounts in your organization through consolidated billing.
Consolidated billing enables you to see a combined view of AWS charges incurred by all accounts in your organization, as well as get a detailed cost report for each individual AWS account associated with your
www.VCEplus.io
organization. AWS Artifact is a service that provides on-demand access to AWS' security and compliance reports and select online agreements. AWS Budgets is a service that enables you to plan your service usage,
service costs, and instance reservations. AWS Trusted Advisor is a service that provides real-time guidance to help you provision your resources following AWS best practices.
None of these services or tools offer consolidated billing.
QUESTION 315
Which AWS solution should the company use to meet this requirement?
A. AWS Config
B. AWS software development kits (SDKs)
C. AWS Service Catalog
D. AWS AppSync
Correct Answer: C
Section:
Explanation:
AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS. You can use AWS Service Catalog to centrally manage commonly deployed IT services
and help your organization achieve consistent governance and meet your compliance requirements, while enabling users to quickly deploy only the approved IT services they need1. AWS Config is a service that
enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS software development kits (SDKs) are tools that enable you to easily integrate your applications with AWS services using
your preferred programming language. AWS AppSync is a service that simplifies application development by letting you create a flexible API to securely access, manipulate, and combine data from one or more data
sources. None of these services can help you limit your employees' AWS access to a portfolio of predefined AWS resources.
QUESTION 316
A company processes personally identifiable information (Pll) and must keep data in the country where it was generated. The company wants to use Amazon EC2 instances for these workloads.

A. AWS Outposts
C. AWS DataSync
D. AWS OpsWorks
Correct Answer: A
Section:
Explanation:
AWS Outposts is an AWS service that extends AWS infrastructure, services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility. AWS Outposts enables you to run Amazon EC2
instances and other AWS services locally, while maintaining a consistent and seamless connection to the AWS Cloud. AWS Outposts is ideal for workloads that require low latency, local data processing, or data
residency. By using AWS Outposts, the company can process personally identifiable information (PII) and keep data in the country where it was generated, while leveraging the benefits of AWS
QUESTION 317
Which tasks are customer responsibilities, according to the AWS shared responsibility model? (Select TWO.)
A. Configure the AWS provided security group firewall.

B. Classify company assets in the AWS Cloud.
C. Determine which Availability Zones to use for Amazon S3 buckets.
D. Patch or upgrade Amazon DynamoDB.
E. Select Amazon EC2 instances to run AWS Lambda on.
F. AWS Config
Section:
Explanation:
www.VCEplus.io
According to the AWS shared responsibility model, the customer is responsible for security in the cloud, which includes the tasks of configuring the AWS provided security group firewall and classifying company
assets in the AWS Cloud. A security group is a virtual firewall that controls the inbound and outbound traffic for one or more EC2 instances. The customer must configure the security group rules to allow or deny
traffic based on protocol, port, or source and destination IP address2 Classifying company assets in the AWS Cloud means identifying the types, categories, and sensitivity levels of the data and resources that the
customer stores and processes on AWS. The customer must also determine the applicable compliance requirements and regulations that apply to their assets, and implement the appropriate security controls and
measures to protect them
QUESTION 318
A company is running an Amazon EC2 instance in a VPC.
An ecommerce company is using Amazon EC2 Auto Scaling groups to manage a fleet of web servers running on Amazon EC2.
This architecture follows which AWS Well-Architected Framework best practice?
A. Secure the workload

B. Decouple infrastructure components
C. Design for failure
D. Think parallel
Correct Answer: C
Section:
Explanation:
Design for failure is one of the best practices of the AWS Well-Architected Framework. It means that the architecture should be resilient and fault-tolerant, and able to handle failures without impacting the

availability and performance of the applications. By using Amazon EC2 Auto Scaling groups, the ecommerce company can design for failure by automatically scaling the number of EC2 instances up or down based
on demand or health status. Amazon EC2 Auto Scaling groups can also distribute the EC2 instances across multiple Availability Zones, which are isolated locations within an AWS Region that have independent
power, cooling, and network connectivity. This way, the company can ensure that their web servers can handle traffic spikes, recover from failures, and provide a consistent user experience
QUESTION 319
Which tasks are the responsibility of the customer, according to the AWS shared responsibility model? (Select TWO.)
A. Patch the Amazon RDS operating system.

B. Upgrade the firmware of the network infrastructure.
C. Manage data encryption.
D. Maintain physical access control in an AWS Region.
E. Grant least privilege access to 1AM users.
Section:
Explanation:
According to the AWS shared responsibility model, the customer is responsible for security in the cloud, which includes the tasks of managing data encryption and granting least privilege access to IAM users. Data
encryption is the process of transforming data into an unreadable format that can only be accessed with a key or a password. The customer must decide whether to encrypt their data at rest (when it is stored on
AWS) or in transit (when it is moving between AWS and the customer or between AWS services). The customer must also choose the encryption method, algorithm, and key management solution that best suit
their needs. AWS provides various services and features that support data encryption, such as AWS Key Management Service (AWS KMS), AWS Certificate Manager (ACM), and AWS Encryption SDK5 IAM users are
entities that represent the people or applications that interact with AWS resources and services. The customer must grant the IAM users the minimum permissions that they need to perform their tasks, and avoid
giving them unnecessary or excessive access. This is known as the principle of least privilege, and it helps reduce the risk of unauthorized or malicious actions. The customer can use IAM policies, roles, groups, and
permissions boundaries to manage the access of IAM users.

A company wants to migrate its high-performance computing (HPC) application to Amazon EC2 instances. The application has multiple components. The application must have fault tolerance and must have the
ability to fail over automatically.
Which AWS infrastructure solution will meet these requirements with the LEAST latency between components?
A. Multiple AWS Regions

B. Multiple edge locations
C. Multiple Availability Zones
D. Regional edge caches
Correct Answer: C
Section:
Explanation:
Using EC2 instances in multiple Availability Zones is an AWS infrastructure solution that meets the requirements of migrating a high performance computing (HPC) application to AWS with fault tolerance and
failover capabilities, and with the least latency between components. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. EC2
instances within the same Region can communicate with each other using low-latency private IP addresses. By using EC2 instances in multiple Availability Zones, the company can achieve fault tolerance and
failover for their HPC application, because they can distribute the workload and data across different locations that are independent of each other. If one Availability Zone becomes unavailable or impaired, the
company can redirect the traffic and data to another Availability Zone without affecting the performance and availability of the application5
QUESTION 321
A company is running its application in the AWS Cloud. The company wants to periodically review its AWS account for cost optimization opportunities.

A. AWS Cost Explorer
D. AWS Budgets
Correct Answer: A
Section:
Explanation:
AWS Cost Explorer is an AWS service or tool that the company can use to periodically review its AWS account for cost optimization opportunities. AWS Cost Explorer is a tool that enables the company to visualize,
understand, and manage their AWS costs and usage over time. The company can use AWS Cost Explorer to access interactive graphs and tables that show the breakdown of their costs and usage by service, region,
account, tag, and more. The company can also use AWS Cost Explorer to forecast their future costs, identify trends and anomalies, and discover potential savings by using Reserved Instances or Savings Plans.
QUESTION 322
A developer who has no AWS Cloud experience wants to use AWS technology to build a web application.
Which AWS service should the developer use to start building the application?
A. Amazon SageMaker
B. AWS Lambda
C. Amazon Lightsail
D. Amazon Elastic Container Service (Amazon ECS)
Correct Answer: C
Section:
Explanation:
www.VCEplus.io
Amazon Lightsail is an easy-to-use cloud platform that offers everything you need to build an application or website, plus a cost-effective, monthly plan1. It is designed for developers who have little or no prior
cloud experience and want to launch and manage applications on AWS with minimal complexity2. Amazon SageMaker is a service for building, training, and deploying machine learning models3. AWS Lambda is a
service that lets you run code without provisioning or managing servers4.
Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service.
QUESTION 323
A company wants to monitor for misconfigured security groups that are allowing unrestricted access to specific ports.

C. Amazon GuardDuty
D. AWS Health Dashboard
Correct Answer: A
Section:
Explanation:
AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision your resources following AWS best practices, including security and performance. It can help you monitor for
misconfigured security groups that are allowing unrestricted access to specific ports. Amazon CloudWatch is a service that monitors your AWS resources and the applications you run on AWS.
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior. AWS Health Dashboard provides relevant and timely information to help you manage
events in progress, and provides proactive notification to help you plan for scheduled activities.

QUESTION 324
An IT engineer needs to access AWS services from an on-premises application.
Which credentials or keys does the application need for authentication?
A. AWS account user name and password

B. 1AM access key and secret
C. Amazon EC2 key pairs
D. AWS Key Management Service (AWS KMS) keys
Correct Answer: B
Section:
Explanation:
IAM access keys are long-term credentials that consist of an access key ID and a secret access key.
You use access keys to sign programmatic requests that you make to AWS. If you need to access AWS services from an on-premises application, you can use IAM access keys to authenticate your requests. AWS
account user name and password are used to sign in to the AWS Management Console. Amazon EC2 key pairs are used to connect to your EC2 instances using SSH. AWS Key Management Service (AWS KMS) keys
are used to encrypt and decrypt your data using the AWS Encryption SDK or the AWS CLI.
QUESTION 325
A company simulates workflows to review and validate that all processes are effective and that staff are familiar with the processes.
Which design principle of the AWS Well-Architected Framework is the company following with this practice?

B. Refine operation procedures frequently.
C.
D.
Make frequent, small, reversible changes.
Structure the company to support business outcomes. www.VCEplus.io
Correct Answer: B
Section:
Explanation:
Refining operation procedures frequently is one of the design principles of the operational excellence pillar of the AWS Well-Architected Framework. It means that you should review and validate your processes
regularly to ensure they are effective and that staff are familiar with them. Performing operations as code, making frequent, small, reversible changes, and structuring the company to support business outcomes
are design principles of other pillars of the AWS Well-Architected Framework.
QUESTION 326
A company wants to launch its web application in a second AWS Region. The company needs to determine which services must be regionally configured for this launch.
Which AWS services can be configured at the Region level? (Select TWO.)
A. Amazon EC2
B. Amazon Route 53
C. Amazon CloudFront
D. AWS WAF
E. Amazon DynamoDB
Section:
Explanation:

Amazon Route 53 and AWS WAF are AWS services that can be configured at the Region level.
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service that lets you register domain names, route traffic to resources, and check the health of your resources. AWS WAF
is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. Amazon EC2, Amazon
CloudFront, and Amazon DynamoDB are AWS services that can be configured at the global level or the Availability Zone level .
QUESTION 327
A company needs to identify who accessed an AWS service and what action was performed for a given time period.
Which AWS service should the company use to meet this requirement?
B. AWS CloudTrail
C. AWS Security Hub
D. Amazon Inspector
Correct Answer: B
Section:
Explanation:
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related
to actions across your AWS infrastructure. You can use CloudTrail to identify who accessed an AWS service and what action was performed for a given time period. Amazon CloudWatch, AWS Security Hub, and
Amazon Inspector are AWS services that provide different types of monitoring and security capabilities.
QUESTION 328
A company is running its application in the AWS Cloud and wants to protect against a DDoS attack.
www.VCEplus.io
The company's security team wants near real-time visibility into DDoS attacks.
Which AWS service or traffic filter will meet these requirements with the MOST features for DDoS protection?
A. AWS Shield Advanced

B. AWS Shield
C. Amazon GuardDuty
D. Network ACLs
Correct Answer: A
Section:
Explanation:
AWS Shield Advanced is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield Advanced provides you with 24x7 access to the AWS DDoS
Response Team (DRT) and protection against DDoS attacks of any size or duration. AWS Shield Advanced also provides near real-time visibility into attacks, advanced attack mitigation capabilities, and integration
with AWS WAF and AWS Firewall Manager1. AWS Shield is a standard service that provides always-on detection and automatic inline mitigations to minimize application downtime and latency, but it does not offer
the same level of features and support as AWS Shield Advanced2. Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior, but it does not
provide DDoS protection3. Network ACLs are stateless filters that can be associated with a subnet to control the traffic to and from the subnet, but they are not designed to protect against DDoS attacks
QUESTION 329
A company is planning to migrate its application to the AWS Cloud.
Which AWS tool or set of resources should the company use to analyze and asses its readiness for migration?
A. AWS Cloud Adoption Framework (AWS CAF)

B. AWS Pricing Calculator

C. AWS Well-Architected Framework
D. AWS Budgets
Correct Answer: A
Section:
Explanation:
AWS Cloud Adoption Framework (AWS CAF) is a tool that helps organizations understand how cloud adoption transforms the way they work, and it provides structure to identify and address gaps in skills and
processes. Applying the AWS CAF in your organization results in an actionable plan that helps you prepare the cloud environment, enable your staff with new skills, and migrate your applications. AWS Pricing
Calculator is a tool that helps you estimate the cost of AWS services for your use cases and compare the cost of different AWS service configurations. AWS Well-Architected Framework is a tool that helps you
review and improve your cloud-based architectures and better understand the business impact of your design decisions. AWS Budgets is a tool that helps you plan your service usage, service costs, and instance
reservations, and track how close your plan is to your budgeted amount.
QUESTION 330
Which task must a user perform by using the AWS account root user credentials?
A. Make changes to AWS production resources.

B. Change AWS Support plans.
C. Access AWS Cost and Usage Reports.
D. Grant auditors' access to an AWS account for a compliance audit.
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
Changing AWS Support plans is a task that must be performed by using the AWS account root user credentials. The root user is the email address that you used to sign up for AWS. It has complete access to all AWS
services and resources in the account. You should use the root user only to perform a few account and service management tasks, such as changing AWS Support plans, closing the account, or changing the account
name or email address. Making changes to AWS production resources, accessing AWS Cost and Usage Reports, and granting auditors access to an AWS account for a compliance audit are tasks that can be
performed by using IAM users or roles, which are entities that you create in AWS to delegate permissions to access AWS services and resources.
QUESTION 331
A company wants high levels of detection and near-real-time (NRT) mitigation against large and sophisticated distributed denial of service (DDoS) attacks on applications running on AWS.
A. Amazon GuardDuty
B. Amazon Inspector
C. AWS Shield Advanced
D. Amazon Macie
Correct Answer: C
Section:
Explanation:
AWS Shield Advanced is a service that provides high levels of detection and near-real-time (NRT) mitigation against large and sophisticated distributed denial of service (DDoS) attacks on applications running on
AWS. AWS Shield Advanced also provides you with 24x7 access to the AWS DDoS Response Team (DRT) and protection against DDoS attacks of any size or duration1. Amazon GuardDuty is a service that provides
threat detection for your AWS accounts and workloads, but it does not offer DDoS protection3. Amazon Inspector is a service that helps you improve the security and compliance of your applications deployed on
AWS by automatically assessing them for vulnerabilities and deviations from best practices. Amazon Macie is a service that uses machine learning and pattern matching to discover and protect your sensitive data in
AWS.
QUESTION 332

A company needs to control inbound and outbound traffic for an Amazon EC2 instance.
Which AWS service or feature can the company associate with the EC2 instance to meet this requirement?
A. Network ACL
B. Security group
C. AWS WAF
D. VPC route tables
Correct Answer: B
Section:
Explanation:
A security group is a virtual firewall that can be associated with an Amazon EC2 instance to control the inbound and outbound traffic for the instance. You can specify which protocols, ports, and source or
destination IP ranges are allowed or denied by the security group. A network ACL is a stateless filter that can be associated with a subnet to control the traffic to and from the subnet, but it is not associated with an
EC2 instance4. AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive
resources. VPC route tables are used to determine where network traffic is directed within a VPC or to an internet gateway, virtual private gateway, NAT device, VPC peering connection, or VPC endpoint.
QUESTION 333
A company is expecting a short-term spike in internet traffic for its application. During the traffic increase, the application cannot be interrupted. The company also needs to minimize cost and maximize flexibility.
A company needs to use a serverless interactive query service to analyze data in Amazon S3. The query service must support standard SQL.
A. Amazon Redshift
B. AWS Glue
C.
D.
Amazon Athena
Amazon Kinesis Data Streams www.VCEplus.io
Correct Answer: C
Section:
Explanation:
Amazon Athena is a serverless interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is ideal for quick, ad-hoc querying but it can also handle complex analysis,
including large joins, window functions, and arrays. Athena scales automatically-executing queries in parallel-so results are fast, even with large datasets and complex queries. Amazon Redshift is a fully managed,
petabyte-scale data warehouse service that can run complex analytic queries against structured and semi-structured data using standard SQL. However, it is not a serverless service and requires provisioning and
managing clusters of nodes. AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare and load your data for analytics. However, it is not a query service and does not
support standard SQL. Amazon Kinesis Data Streams is a service that enables you to build custom applications that process or analyze streaming data for specialized needs. However, it is not a query service and
does not support standard SQL.
QUESTION 334
A company needs to run a workload for several batch image rendering applications. It is acceptable for the workload to experience downtime.
Which Amazon EC2 pricing model would be MOST cost-effective in this situation?
C. Dedicated Instances
D. Spot Instances
Correct Answer: D

Section:
Explanation:
Amazon EC2 Spot Instances are instances that use spare EC2 capacity that is available at up to a 90%discount compared to On-Demand prices. You can use Spot Instances for various stateless, fault-tolerant, or
flexible applications such as big data, containerized workloads, high-performance computing (HPC), and test & development workloads. Spot Instances are ideal for workloads that can be interrupted, such as batch
image rendering applications1. On-Demand Instances are instances that let you pay for compute capacity by the hour or second (minimum of 60 seconds) with no longterm commitments. This frees you from the
costs and complexities of planning, purchasing, and maintaining hardware and transforms what are commonly large fixed costs into much smaller variable costs2. Reserved Instances are instances that provide you
with a significant discount (up to 75%) compared to On-Demand Instance pricing. In exchange, you select a term and make an upfront payment to reserve a certain amount of compute capacity for that term3.
Dedicated Instances are instances that run in a VPC on hardware that's dedicated to a single customer. Your Dedicated Instances are physically isolated at the host hardware level from instances that belong to other
AWS accounts4.
QUESTION 335
A company has an application that runs periodically in an on-premises environment. The application runs for a few hours most days, but runs for 8 hours a day for a week at the end of each month.
Which AWS service or feature should be used to host the application in the AWS Cloud?
A. Amazon EC2 Standard Reserved Instances

B. Amazon EC2 On-Demand Instances
C. AWS Wavelength
D. Application Load Balancer
Correct Answer: B
Section:
Explanation:
Amazon EC2 On-Demand Instances are instances that let you pay for compute capacity by the hour or second (minimum of 60 seconds) with no long-term commitments. This frees you from the costs and
www.VCEplus.io
complexities of planning, purchasing, and maintaining hardware and transforms what are commonly large fixed costs into much smaller variable costs. On-Demand Instances are suitable for applications with short-
term, irregular, or unpredictable workloads that cannot be interrupted, such as periodic applications that run for a few hours most days, but run for 8 hours a day for a week at the end of each month2. Amazon EC2
Standard Reserved Instances are instances that provide you with a significant discount (up to 75%) compared to On-Demand Instance pricing. In exchange, you select a term and make an upfront payment to
reserve a certain amount of compute capacity for that term. Reserved Instances are suitable for applications with steady state or predictable usage that require reserved capacity3. AWS Wavelength is a service that
enables developers to build applications that deliver ultra-low latency to mobile devices and users by deploying AWS compute and storage at the edge of the 5G network. Wavelength is suitable for applications
that require single-digit millisecond latencies, such as game and live video streaming, machine learning inference at the edge, and augmented and virtual reality (AR/VR). Application Load Balancer is a service that
operates at the request level (layer 7) and distributes incoming application traffic across multiple targets, such as EC2 instances, containers, Lambda functions, and IP addresses. Application Load Balancer is suitable
for applications that need advanced routing capabilities, such as microservices or container-based architectures.
QUESTION 336
A company is planning to migrate to the AWS Cloud. The company is conducting organizational transformation and wants to become more responsive to customer inquiries and feedback.
Which tasks should the company perform to meet these requirements, according to the AWS Cloud Adoption Framework (AWS CAF)? (Select TWO.)
A. Realign teams to focus on products and value streams.

B. Create new value propositions with new products and services.
C. Use agile methods to rapidly iterate and evolve.
D. Use a new data and analytics platform to create actionable insights.
E. Migrate and modernize legacy infrastructure.
Section:
Explanation:
Realigning teams to focus on products and value streams, and using agile methods to rapidly iterate and evolve are tasks that the company should perform to meet the requirements of becoming more responsive
to customer inquiries and feedback, according to the AWS Cloud Adoption Framework (AWS CAF). AWS CAF organizes guidance into six areas of focus, called perspectives: business, people, governance, platform,

security, and operations. Each perspective is divided into capabilities, which describe the skills and processes to execute the transition effectively. The people perspective helps you prepare your organization for
cloud adoption, and includes capabilities such as organizational change management, staff skills and readiness, and organizational alignment. The business perspective helps you align IT strategy with business
strategy, and includes capabilities such as business case development, value proposition, and product ownership. Creating new value propositions with new products and services is a task that belongs to the
business perspective, but it is not directly related to the requirement of becoming more responsive to customer inquiries and feedback. Using a new data and analytics platform to create actionable insights is a task
that belongs to the platform perspective, which helps you design, implement, and optimize the architecture of the AWS environment. However, it is also not directly related to the requirement of becoming more
responsive to customer inquiries and feedback. Migrating and modernizing legacy infrastructure is a task that belongs to the operations perspective, which helps you enable, run, use, operate, and recover IT
workloads to the level agreed upon with your business stakeholders. However, it is also not directly related to the requirement of becoming more responsive to customer inquiries and feedback.
QUESTION 337
A company is building an application on AWS. The application needs to comply with credit card regulatory requirements. The company needs proof that the AWS services and deployment are in compliance.
Which actions should the company take to meet these requirements? (Select TWO.)
A. Use Amazon Inspector to submit the application for certification.

B. Ensure that the application's underlying hardware components comply with requirements.
C. Use AWS Artifact to access AWS documents about the compliance of the services.
D. Get the compliance of the application certified by a company assessor.
E. Use AWS Security Hub to certify the compliance of the application.
Section:
Explanation:
Using AWS Artifact to access AWS documents about the compliance of the services, and getting the compliance of the application certified by a company assessor are actions that the company should take to meet
the requirements of complying with credit card regulatory requirements. AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. Reports
www.VCEplus.io
available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that
validate the implementation and operating effectiveness of AWS security controls. AWS Artifact can help you demonstrate compliance with credit card regulatory requirements by providing you with proof that the
AWS services and deployment are in compliance. Getting the compliance of the application certified by a company assessor is an action that the company should take to ensure that the application meets the
specific requirements of the credit card industry. A company assessor is an independent third-party entity that is qualified to assess the compliance of the application with the relevant standards and regulations.
Using Amazon Inspector to submit the application for certification is not an action that the company should take, because Amazon Inspector is a service that helps you improve the security and compliance of your
applications deployed on AWS by automatically assessing them for vulnerabilities and deviations from best practices, but it does not provide certification for the applications. Ensuring that the application's
underlying hardware components comply with requirements is not an action that the company should take, because the application is deployed on AWS, and AWS is responsible for the security and compliance of
the underlying hardware components. This is part of the shared responsibility model, where AWS is responsible for security of the cloud, and customers are responsible for security in the cloud. Using AWS Security
Hub to certify the compliance of the application is not an action that the company should take, because AWS Security Hub is a service that gives you a comprehensive view of your security posture across your AWS
accounts and helps you check your environment against security industry standards and best practices, but it does not provide certification for the applications.
QUESTION 338
A company has set up a VPC on AWS. The company needs a dedicated connection between the VPC and the company's on-premises network.
Which action should the company take to meet this requirement?
A. Establish a VPN connection between the VPC and the company's on-premises network.
B. Establish an AWS Direct Connect connection between the VPC and the company's on-premises network.
C. Attach an internet gateway to the VPC. Use the AWS public endpoints for connectivity.
D. Configure Amazon Connect to provide connectivity between the VPC and the company's onpremises network.
Correct Answer: B
Section:
Explanation:
Establishing an AWS Direct Connect connection between the VPC and the company's on-premises network is the action that the company should take to meet the requirement of having a dedicated connection

between the VPC and the company's on-premises network. AWS Direct Connect is a service that lets you establish a dedicated network connection between your network and one of the AWS Direct Connect
locations. Using AWS Direct Connect, you can create a private connection between AWS and your datacenter, office, or colocation environment, which can reduce your network costs, increase bandwidth
throughput, and provide a more consistent network experience than internet-based connections. Establishing a VPN connection between the VPC and the company's on-premises network is an action that the
company can take to create a secure and encrypted connection between the VPC and the company's on-premises network, but it is not a dedicated connection, as it uses the public internet as the transport
mechanism. Attaching an internet gateway to the VPC and using the AWS public endpoints for connectivity is an action that the company can take to enable communication between the VPC and the internet, but it
is not a dedicated connection, as it also uses the public internet as the transport mechanism. Configuring Amazon Connect to provide connectivity between the VPC and the company's on-premises network is not
an action that the company can take, because Amazon Connect is a service that lets you set up and manage a contact center in the cloud, but it does not provide network connectivity between the VPC and the
company's on-premises network.
QUESTION 339
A company has deployed an application in the AWS Cloud. The company wants to ensure that the application is highly resilient.
Which component of AWS infrastructure can the company use to meet this requirement?
A. Content delivery network (CDN)

B. Edge locations
C. Wavelength Zones
D. Availability Zones
Correct Answer: D
Section:
Explanation:
Availability Zones are components of AWS infrastructure that can help the company ensure that the application is highly resilient. Availability Zones are multiple, isolated locations within each AWS Region. Each
Availability Zone has independent power, cooling, and physical security, and is connected to the other Availability Zones in the same Region via low-latency, high-throughput, and highly redundant networking.
QUESTION 340
www.VCEplus.io
Availability Zones allow you to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
Which AWS services are connectivity services for a VPC? (Select TWO.)
A. AWS Site-to-Site VPN

C. Amazon Connect
D. AWS Key Management Service (AWS KMS)
E. AWS Identity and Access Management (1AM)
Correct Answer: A
Section:
Explanation:
AWS Site-to-Site VPN and AWS Direct Connect are AWS services that are connectivity services for a VPC. AWS Site-to-Site VPN is a service that enables you to securely connect your on-premises network or branch
office site to your Amazon Virtual Private Cloud (Amazon VPC). You can establish VPN connections over the internet or over AWS Direct Connect1. AWS Direct Connect is a service that lets you establish a dedicated
network connection between your network and one of the AWS Direct Connect locations. Using AWS Direct Connect, you can create a private connection between AWS and your datacenter, office, or colocation
environment, which can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internetbased connections2. Amazon Connect is a service that lets you
set up and manage a contact center in the cloud, but it does not provide network connectivity between the VPC and your on-premises network. AWS Key Management Service (AWS KMS) is a service that makes it
easy for you to create and manage cryptographic keys and control their use across a wide range of AWS services and in your applications, but it does not provide network connectivity between the VPC and your
onpremises network. AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely, but it does not provide network connectivity between the
VPC and your on-premises network.
QUESTION 341

A company wants a key-value NoSQL database that is fully managed and serverless.
A. Amazon DynamoDB
B. Amazon RDS
C. Amazon Aurora
D. Amazon Memory DB for Redis
Correct Answer: A
Section:
Explanation:
Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It is a fully managed, serverless database that does not require provisioning, patching, or
backup. It offers built-in security, backup and restore, and in-memory caching3. Amazon RDS is a relational database service that makes it easy to set up, operate, and scale a relational database in the cloud. It
provides cost-efficient and resizable capacity while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. However, it is not a key-value NoSQL
database, and it is not serverless, as it requires you to choose an instance type and size4. Amazon Aurora is a MySQL and PostgreSQLcompatible relational database built for the cloud, that combines the
performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open source databases.
However, it is also not a key-value NoSQL database, and it is not serverless, as it requires you to choose an instance type and size. Amazon MemoryDB for Redis is a Redis-compatible, durable, inmemory database
service that delivers ultra-fast performance and multi-AZ reliability for the most demanding applications. However, it is also not a key-value NoSQL database, and it is not serverless, as it requires you to choose a
node type and size.
QUESTION 342
A company needs to set a maximum spending limit on AWS services each month. The company also needs to set up alerts for when the company reaches its spending limit.
A.
B.
Cost Explorer
AWS Trusted Advisor
www.VCEplus.io
C. Service Quotas
D. AWS Budgets
Correct Answer: D
Section:
Explanation:
AWS Budgets is a service that helps you plan your service usage, service costs, and instance reservations, and track how close your plan is to your budgeted amount. You can set custom budgets that alert you when
you exceed (or are forecasted to exceed) your budgeted thresholds. You can also use AWS Budgets to set a maximum spending limit on AWS services each month and set up alerts for when you reach your spending
limit. Cost Explorer is a service that enables you to visualize, understand, and manage your AWS costs and usage over time. You can use Cost Explorer to view charts and graphs that show how your costs are
trending, identify areas that need further inquiry, and see the impact of your cost management actions. However, Cost Explorer does not allow you to set a maximum spending limit or alerts for your AWS services.
AWS Trusted Advisor is a service that provides you real time guidance to help you provision your resources following AWS best practices, including security and performance. It can help you monitor for cost
optimization opportunities, such as unused or underutilized resources, but it does not allow you to set a maximum spending limit or alerts for your AWS services. Service Quotas is a service that enables you to view
and manage your quotas, also referred to as limits, from a central location. Quotas, also referred to as limits, are the maximum number of resources that you can create in your AWS account. However, Service
Quotas does not allow you to set a maximum spending limit or alerts for your AWS services.
QUESTION 343
A software engineer wants to launch a virtual machine (VM) and MySQL database on AWS.
Which AWS service will meet these requirements with the LEAST operational effort?
A. Amazon Elastic Container Service (Amazon ECS)

C. Amazon Lightsail
D. Amazon EC2
Correct Answer: B
Section:
Explanation:
AWS Elastic Beanstalk is a service that enables you to quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. You simply upload your
application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring. Elastic Beanstalk supports several platform configurations for
Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker web applications that can run on familiar servers such as Apache, Nginx, Passenger, and IIS. You can also use Elastic Beanstalk to launch a virtual machine (VM)
and MySQL database on AWS with the least operational effort. Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables you to easily run, scale, and secure
Docker containerized applications on AWS.
However, it requires more operational effort than Elastic Beanstalk, as you need to define your application architecture and the specifications of the containers that run it. Amazon Lightsail is an easy-to-use cloud
platform that offers everything you need to build an application or website, plus a cost-effective, monthly plan. It is designed for developers who have little or no prior cloud experience and want to launch and
manage applications on AWS with minimal complexity. However, it does not support MySQL databases, and it requires more operational effort than Elastic Beanstalk, as you need to configure your VM and
database settings. Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. It allows you to launch a virtual machine (VM) and MySQL database on AWS, but it requires the most
operational effort, as you need to provision, monitor, and manage your EC2 instances and database.
QUESTION 344
A company runs business applications in an on-premises data center and in the AWS Cloud. The company needs a shared file system that can be available to both environments.
A. Amazon Elastic Block Store (Amazon EBS)

B.
C.
D.
Amazon S3
Amazon ElastiCache
www.VCEplus.io
Correct Answer: D
Section:
Explanation:
Amazon Elastic File System (Amazon EFS) is a service that provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on demand
to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth. You can use Amazon
EFS to create a shared file system that can be available to both your onpremises data center and your AWS Cloud environment. Amazon Elastic Block Store (Amazon EBS) is a service that provides persistent block
storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high
availability and durability. However, Amazon EBS volumes are not shared file systems, and they cannot be available to both your on-premises data center and your AWS Cloud environment. Amazon S3 is a service
that provides object storage through a web services interface. You can use Amazon S3 to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and
restore, archive, enterprise applications, IoT devices, and big data analytics. However, Amazon S3 is not a shared file system, and it cannot be available to both your on-premises data center and your AWS Cloud
environment without additional configuration. Amazon ElastiCache is a service that enables you to seamlessly set up, run, and scale popular open-source compatible in-memory data stores in the cloud. You can
use Amazon ElastiCache to improve the performance of your applications by allowing you to retrieve information from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based
databases. However, Amazon ElastiCache is not a shared file system, and it cannot be available to both your on-premises data center and your AWS Cloud environment.
QUESTION 345
Which option is AWS responsible for under the AWS shared responsibility model?
A. Network and firewall configuration

B. Client-side data encryption

C. Management of user permissions
D. Hardware and infrastructure
Correct Answer: D
Section:
Explanation:
Hardware and infrastructure is the option that AWS is responsible for under the AWS shared responsibility model. The AWS shared responsibility model describes how AWS and customers share responsibilities for
security and compliance in the cloud. AWS is responsible for security of the cloud, which means protecting the infrastructure that runs all the services offered in the AWS Cloud. This infrastructure is composed of
the hardware, software, networking, and facilities that run AWS Cloud services. Customers are responsible for security in the cloud, which means taking care of the security of their own applications, data, and
operating systems. This includes network and firewall configuration, client-side data encryption, management of user permissions, and more.
QUESTION 346
A company needs to run some of its workloads on premises to comply with regulatory guidelines.
The company wants to use the AWS Cloud to run workloads that are not required to be on premises.
The company also wants to be able to use the same API calls for the on-premises workloads and the cloud workloads.
A. Dedicated Hosts
B. AWS Outposts
C. Availability Zones
D. AWS Wavelength
Correct Answer: B
Section:
AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid
experience1. AWS Outposts enables customers to run workloads on premises using the same
AWS APIs, tools, and services that they use in the cloud2. Dedicated Hosts are physical servers with EC2 instance capacity fully dedicated to a customer's use3. Availability Zones are one or more discrete data
centers, each with redundant power, networking, and connectivity, housed in separate facilities within an AWS Region4. AWS Wavelength is an AWS Infrastructure offering optimized for mobile edge computing
applications.
QUESTION 347
A company wants to set up a high-speed connection between its data center and its applications that run on AWS. The company must not transfer data over the internet.
Which action should the company take to meet these requirements?
A. Transfer data to AWS by using AWS Snowball.

B. Transfer data to AWS by using AWS Storage Gateway.
C. Set up a VPN connection between the data center and an AWS Region.
D. Set up an AWS Direct Connect connection between the company network and AWS.
Correct Answer: D
Section:
Explanation:
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from a customer's premises to AWS. AWS Direct Connect does not involve the public internet, and
therefore can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. AWS Snowball is a petabytescale data transport service
that uses secure devices to transfer large amounts of data into and out of the AWS Cloud. AWS Storage Gateway is a hybrid cloud storage service that gives customers onpremises access to virtually unlimited cloud
storage. A VPN connection enables customers to establish a secure and private connection between their network and AWS.

QUESTION 348
A company is using a central data platform to manage multiple types of data for its customers. The company wants to use AWS services to discover, transform, and visualize the data.
Which combination of AWS services should the company use to meet these requirements? (Select TWO.)
A. AWS Glue
C. Amazon Redshift
E. Amazon Quantum Ledger Database (Amazon QLDB)
Section:
Explanation:
AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare and load data for analytics. AWS Glue can discover data sources, transform data, and make it available for
analysis by using data catalogs and workflows. Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud that enables customers to analyze data using standard SQL and existing
business intelligence tools. Amazon Redshift can also integrate with other AWS services to visualize and transform data. Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic
NFS file system for use with AWS Cloud services and onpremises resources. Amazon QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in an
organization. Amazon Quantum Ledger Database (Amazon QLDB) is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central
trusted authority.
QUESTION 349
A company deployed an Amazon EC2 instance last week. A developer realizes that the EC2 instance is no longer running. The developer reviews a list of provisioned EC2 instances, and the EC2 instance is no longer
on the list.
A.
www.VCEplus.io
What can the developer do to generate a recent history of the EC2 instance?
Run Cost Explorer to identify the start time and end time of the EC2 instance.
B. Use Amazon Inspector to find out when the EC2 instance was stopped.
C. Perform a search in AWS CloudTrail to find all EC2 instance-related events.
D. Use AWS Secrets Manager to display hidden termination logs of the EC2 instance.
Correct Answer: C
Section:
Explanation:
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of a customer's AWS account. AWS CloudTrail allows customers to track user activity and API usage across
their AWS infrastructure. AWS CloudTrail can also provide a history of EC2 instance events, such as launch, stop, terminate, and reboot. Cost Explorer is a tool that enables customers to visualize, understand, and
manage their AWS costs and usage over time. Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. AWS Secrets
Manager helps customers protect secrets needed to access their applications, services, and IT resources.
QUESTION 350
A company has all of its servers in the us-east-1 Region. The company is considering the deployment of additional servers different Region.
Which AWS tool should the company use to find pricing information for other Regions?
A. Cost Explorer
B. AWS Budgets
C. AWS Purchase Order Management
D. AWS Pricing Calculator

Correct Answer: D
Section:
Explanation:
AWS Pricing Calculator lets customers explore AWS services, and create an estimate for the cost of their use cases on AWS. AWS Pricing Calculator can also compare the costs of different AWS Regions and
configurations. Cost Explorer is a tool that enables customers to visualize, understand, and manage their AWS costs and usage over time. AWS Budgets gives customers the ability to set custom budgets that alert
them when their costs or usage exceed (or are forecasted to exceed) their budgeted amount. AWS Purchase Order Management is a feature that allows customers to pay for their AWS invoices using purchase
orders.
QUESTION 351
A company is moving to the AWS Cloud to reduce operational overhead for its application infrastructure.
Which IT operation will the company still be responsible for after the migration to AWS?
A. Security patching of AWS Elastic Beanstalk

B. Backups of data that is stored in Amazon Aurora
C. Termination of Amazon EC2 instances that are managed by AWS Auto Scaling
D. Configuration of 1AM access controls
Correct Answer: D
Section:
Explanation:
AWS Elastic Beanstalk, Amazon Aurora, and AWS Auto Scaling are managed services that reduce the operational overhead for the customers. AWS is responsible for security patching, backups, and termination of
these services. However, the customers are still responsible for configuring IAM access controls to manage the permissions and policies for their AWS resources. This is part of the AWS shared responsibility model,
which defines the security and compliance responsibilities of AWS and the customers. You can learn more about the AWS shared responsibility model from this whitepaper or this digital course.
QUESTION 352
www.VCEplus.io
Which AWS service provides storage that can be mounted across multiple Amazon EC2 instances?
A. Amazon Workspaces
C. AWS Database Migration Service (AWS DMS)
D. AWS Snowball Edge
Correct Answer: B
Section:
Explanation:
Amazon EFS is a fully managed service that provides scalable and elastic file storage for multiple Amazon EC2 instances. Amazon EFS supports the Network File System (NFS) protocol, which allows multiple EC2
instances to access the same file system concurrently. You can learn more about Amazon EFS from this webpage or this digital course.
QUESTION 353
Which AWS services or features can a company use to connect the network of its on-premises data center to AWS? (Select TWO.)
A. AWS VPN
B. AWS Directory Service
C. AWS Data Pipeline
E. AWS CloudHSM

Section:
Explanation:
AWS VPN and AWS Direct Connect are two services that enable customers to connect their onpremises data center network to the AWS Cloud. AWS VPN establishes a secure and encrypted connection over the
public internet, while AWS Direct Connect establishes a dedicated and private connection through a partner network. You can learn more about AWS VPN from [this webpage] or [this digital course]. You can learn
more about AWS Direct Connect from [this webpage] or [this digital course].
QUESTION 354
Which pillar of the AWS Well-Architected Framework includes the AWS shared responsibility model?
C. Reliability
D. Security
Correct Answer: D
Section:
Explanation:
The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating reliable, secure, efficient, and cost-effective systems in the cloud. The framework consists of five pillars:
operational excellence, performance efficiency, reliability, security, and cost optimization. The security pillar covers the AWS shared responsibility model, which defines the security and compliance responsibilities
of AWS and the customers. You can learn more about the AWS Well-Architected Framework from [this whitepaper] or [this digital course].
QUESTION 355
This describes which advantage of the AWS Cloud?
A. Launch globally in minutes

www.VCEplus.io
AWS has the ability to achieve lower pay-as-you-go pricing by aggregating usage across hundreds of thousands of users.
B. Increase speed and agility

C. High economies of scale
D. No guessing about compute capacity
Correct Answer: C
Section:
Explanation:
AWS has the ability to achieve lower pay-as-you-go pricing by aggregating usage across hundreds of thousands of users. This means that AWS can leverage its massive scale and purchasing power to reduce the
costs of infrastructure, hardware, software, and operations. These savings are then passed on to the customers, who only pay for the resources they use. You can learn more about the AWS pricing model from [this
webpage] or [this digital course].
QUESTION 356
A company wants to use guidelines from the AWS Well-Architected Framework to limit human error and facilitate consistent responses to events.
Which of the following is a Well-Architected design principle that will meet these requirements?
A. Use AWS CodeDeploy.

B. Perform operations as code.
C. Migrate workloads to a Dedicated Host.
D. Use AWS Compute Optimizer.

Correct Answer: B
Section:
Explanation:
This is a design principle of the operational excellence pillar of the AWS Well-Architected Framework. Performing operations as code means using scripts, templates, or automation tools to perform routine tasks,
such as provisioning, configuration, deployment, and monitoring. This reduces human error, increases consistency, and enables faster recovery from failures. You can learn more about the operational excellence
pillar from this whitepaper or this digital course.
QUESTION 357
Which of the following is a benefit of using an AWS managed service?
A. Reduced operational overhead for a company's IT staff

B. Increased fixed costs that can be predicted by a finance team
C. Removal of the need to have a backup strategy
D. Removal of the need to follow compliance standards
Correct Answer: A
Section:
Explanation:
This is a benefit of using an AWS managed service, such as Amazon S3, Amazon DynamoDB, or AWS Lambda. AWS managed services are fully managed by AWS, which means that AWS handles the provisioning,
scaling, patching, backup, and recovery of the underlying infrastructure and software.
This reduces the operational overhead for the company's IT staff, who can focus on their core business logic and innovation. You can learn more about the AWS managed services from this webpage or this digital
course.
QUESTION 358
www.VCEplus.io
A company encourages its teams to test failure scenarios regularly and to validate their understanding of the impact of potential failures.
Which pillar of the AWS Well-Architected Framework does this philosophy represent?
C. Performance efficiency
D. Security
Correct Answer: A
Section:
Explanation:
This is the pillar of the AWS Well-Architected Framework that represents the philosophy of testing failure scenarios regularly and validating the understanding of the impact of potential failures. The operational
excellence pillar covers the best practices for designing, running, monitoring, and improving systems in the AWS Cloud. Testing failure scenarios is one of the ways to improve the system's resilience, reliability, and
recovery. You can learn more about the operational excellence pillar from this whitepaper or this digital course.
QUESTION 359
Which of the following are general AWS Cloud design principles described in the AWS Well-Architected Framework?
A. Consolidate key components into monolithic architectures.

B. Test systems at production scale.
C. Provision more capacity than a workload is expected to need.
D. Drive architecture design based on data collected about the workload behavior and requirements.

E. Make AWS Cloud architectural decisions static, one-time events.
Section:
Explanation:
These are two of the general AWS Cloud design principles described in the AWS Well-Architected Framework. Testing systems at production scale means using tools such as AWS CloudFormation, AWS CodeDeploy,
and AWS X-Ray to simulate real-world scenarios and measure the performance, scalability, and availability of the system. Driving architecture design based on data means using tools such as Amazon CloudWatch,
AWS CloudTrail, and AWS Config to collect and analyze metrics, logs, and events about the system and use the insights to optimize the system's design and operation. You can learn more about the AWS Well-
Architected Framework from this whitepaper or [this digital course].
QUESTION 360
Which scenarios represent the concept of elasticity on AWS? (Select TWO.)
A. Scaling the number of Amazon EC2 instances based on traffic

B. Resizing Amazon RDS instances as business needs change
C. Automatically directing traffic to less-utilized Amazon EC2 instances
D. Using AWS compliance documents to accelerate the compliance process
E. Having the ability to create and govern environments using code
Section:
Explanation:
These are two scenarios that represent the concept of elasticity on AWS. Elasticity means the ability to adjust the resources and capacity of the system in response to changes in demand or environment. Scaling
instances as business needs change means using the Amazon www.VCEplus.io

the number of Amazon EC2 instances based on traffic means using services such as AWS Auto Scaling or Elastic Load Balancing to add or remove instances as the traffic increases or decreases. Resizing Amazon RDS
RDS console or API to modify the instance type, storage type, or storage size of the database as the workload grows or shrinks. You can learn more about the concept of elasticity on AWS from [this webpage] or
[this digital course].
QUESTION 361
An ecommerce company wants to distribute traffic between the Amazon EC2 instances that host its website.
A. Application Load Balancer

B. AWS WAF
C. AWS CloudHSM
Correct Answer: A
Section:
Explanation:
This is the AWS service or resource that will meet the requirements of distributing traffic between the Amazon EC2 instances that host the website. Application Load Balancer is a type of Elastic Load
Balancing that distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions. Application Load Balancer operates at the application
layer (layer 7) of the OSI model and supports advanced features such as path-based routing, host-based routing, health checks, and SSL termination. You can learn more about Application Load Balancer from [this
webpage] or [this digital course].
QUESTION 362
Which AWS service will allow a user to set custom cost and usage limits, and will alert when the thresholds are exceeded?

B. AWS Budgets
C. Cost Explorer
Correct Answer: B
Section:
Explanation:
AWS Budgets allows you to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation utilization or
coverage targets and receive alerts when your utilization drops below the threshold you define. AWS Budgets provides you with a comprehensive view of your cost and usage, as well as your reservation utilization
and coverage1.
QUESTION 363
Which AWS service or feature can the company use to limit the access to AWS services for member accounts?

B. Service control policies (SCPs)
C. Organizational units (OUs)
D. Access control lists (ACLs)
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the maximum available permissions for all accounts in
your organization, allowing you to ensure your accounts stay within your organization's access control guidelines2. SCPs are available only in an organization that has all features enabled2.
QUESTION 364
A company must archive Amazon S3 data that the company's business units no longer need to access.
Which S3 storage class will meet this requirement MOST cost-effectively?
A. S3 Glacier Instant Retrieval

B. S3 Glacier Flexible Retrieval
C. S3 Glacier Deep Archive
D. S3 One Zone-Infrequent Access (S3 One Zone-IA)
Correct Answer: C
Section:
Explanation:
S3 Glacier Deep Archive is Amazon S3's lowest-cost storage class and supports long-term retention and digital preservation for data that may be accessed once or twice in a year. It is designed for customers -
particularly those in highly-regulated industries, such as the Financial Services, Healthcare, and Public Sectors - that retain data sets for 7-10 years or longer to meet regulatory compliance requirements. Customers
can store large amounts of data at a very low cost, and reliably access it with a wait time of 12 hours3.
QUESTION 365
A company wants to build a new web application by using AWS services. The application must meet the on-demand load for periods of heavy activity.
Which AWS services or resources provide the necessary workload adjustments to meet these requirements? (Select TWO.)

A. Amazon Machine Image (AMI)
B. Amazon EC2 Auto Scaling
C. Amazon EC2 instance
D. AWS Lambda
E. EC2 Image Builder
Section:
Explanation:
Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2 instances available to handle the load for your application. You create collections of EC2 instances, called Auto Scaling
groups. You can specify the minimum number of instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes below this size. You can specify the maximum number of
instances in each Auto Scaling group, and Amazon EC2 Auto Scaling ensures that your group never goes above this size4. AWS Lambda lets you run code without provisioning or managing servers. You pay only for
the compute time you consume. With Lambda, you can run code for virtually any type of application or backend service - all with zero administration. Just upload your code and Lambda takes care of everything
required to run and scale your code with high availability. You can set up your code to automatically trigger from other AWS services or call it directly from any web or mobile app.
QUESTION 366
Which AWS service or feature is an example of a relational database management system?
A. Amazon Athena
B. Amazon Redshift
C. Amazon S3 Select
D. Amazon Kinesis Data Streams
Correct Answer: B
Section:
www.VCEplus.io
Explanation:
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a petabyte or more. This enables you to use your data
to acquire new insights for your business and customers. Amazon Redshift is a relational database management system (RDBMS), so it is compatible with other RDBMS applications. You can use standard SQL to
query the data.
QUESTION 367
A company needs to apply security rules to specific Amazon EC2 instances.
Which AWS service or feature provides this functionality?
A. AWS Shield
B. Network ACLs
C. Security groups
D. AWS Firewall Manager
Correct Answer: C
Section:
Explanation:
Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the instance level. You can use security groups to set rules that allow or deny traffic to or
from your instances. You can modify the rules for a security group at any time; the new rules are automatically applied to all instances that are associated with the security group.

QUESTION 368
Which AWS service is deployed to VPCs and provides protection from common network threats?
A. AWSShield
B. AWSWAF
C. AWS Network Firewall
D. AWS FirewallManager
Correct Answer: C
Section:
Explanation:
AWS Network Firewall is a managed service that makes it easy to deploy essential network protections for all of your Amazon Virtual Private Clouds (VPCs). The service can be set up with just a few clicks from the
AWS console or using APIs. AWS Network Firewall automatically scales with your network traffic, so you don't have to worry about deploying and managing any infrastructure. AWS Network Firewall provides
protection from common network threats such as SQL injection, cross-site scripting, and DDoS attacks1.
QUESTION 369
Which option is a perspective that includes foundational capabilities of the AWS Cloud Adoption Framework (AWS CAF)?
A. Sustainability
B. Security
D. Reliability
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
The AWS Cloud Adoption Framework (AWS CAF) helps organizations understand how cloud adoption transforms the way they work, and it provides structure to identify and address gaps in skills and processes. The
AWS CAF organizes guidance into six areas of focus, called perspectives. Each perspective reflects a different stakeholder viewpoint with its own distinct responsibilities, skills, and attributes. The Security
Perspective helps you structure the selection and implementation of security controls that meet your organization's needs2.
QUESTION 370
A company needs to store data from a recommendation engine in a database.
Which AWS service provides this functionality with the LEAST operational overhead?
A. Amazon RDS for PostgreSQL

B. Amazon DynamoDB
C. Amazon Neptune
D. Amazon Aurora
Correct Answer: B
Section:
Explanation:
Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. It's a fully managed, multi-region, multi-active, durable database with built-in security,
backup and restore, and in-memory caching for internet-scale applications.
DynamoDB can handle more than 10 trillion requests per day and can support peaks of more than 20 million requests per second. DynamoDB provides the least operational overhead for storing data from a
recommendation engine, as it does not require any server provisioning, patching, or maintenance3

QUESTION 371
Which AWS Support plan is the minimum recommended tier for users who have production workloads on AWS?
A. AWS Developer Support

B. AWS Enterprise Support
D. AWS Enterprise On-Ramp Support
Correct Answer: C
Section:
Explanation:
AWS Business Support is the minimum recommended tier for users who have production workloads on AWS. AWS Business Support provides 24x7 access to cloud support engineers via phone, chat, or email, as
well as a guaranteed response time of less than one hour for urgent issues. AWS Business Support also includes access to AWS Trusted Advisor, a tool that provides real-time guidance to help you provision your
resources following AWS best practices4.
QUESTION 372
Which AWS service is an in-memory data store service?
A. Amazon Aurora
B. Amazon RDS
C. Amazon DynamoDB
Correct Answer: D
Section:
Explanation:
www.VCEplus.io
Amazon ElastiCache is a fully managed in-memory data store and cache service that delivers submillisecond response times to applications. You can use ElastiCache as a primary data store for your applications, or
as a cache to improve the performance of your existing databases. ElastiCache supports two popular open-source in-memory engines: Redis and Memcached5.
QUESTION 373
A company runs a MySQL database in its on-premises data center. The company wants to run a copy of this database in the AWS Cloud.
Which AWS service would support this workload?
A. Amazon RDS
B. Amazon Neptune
C. Amazon ElastiCache for Redis
D. Amazon Quantum Ledger Database (Amazon QLDB)
Correct Answer: A
Section:
Explanation:
Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity, while
automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. Amazon RDS supports six popular database engines: Amazon Aurora, PostgreSQL, MySQL,
MariaDB, Oracle Database, and SQL Server. Amazon RDS can support running a copy of a MySQL database in the AWS Cloud, as it offers compatibility, scalability, and availability features.
QUESTION 374

A company uses AWS Organizations. The company wants to apply security best practices from the AWS Well-Architected Framework to all of its AWS accounts.
A. Amazon Macie
B. Amazon Detective
C. AWS Control Tower
D. AWS Secrets Manager
Correct Answer: C
Section:
Explanation:
AWS Control Tower is the easiest way to set up and govern a secure, multi-account AWS environment based on best practices established through AWS's experience working with thousands of enterprises as they
move to the cloud. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing your accounts conform to your organization's policies. AWS Control
Tower automates the setup of a baseline environment, or landing zone, that is a secure, well-architected multi-account AWS environment1. AWS Control Tower helps you apply security best practices from the AWS
Well-Architected Framework to all of your AWS accounts2.
QUESTION 375
A company uses AWS for its web application. The company wants to minimize latency and perform compute operations for the application as close to end users as possible.
Which AWS service or infrastructure component will provide this functionality?
A. AWS Regions
B. Availability Zones
C. Edge locations
Correct Answer: C
www.VCEplus.io
Section:
Explanation:
Edge locations are sites that Amazon CloudFront uses to cache copies of your content for faster delivery to users at any location. You can use Amazon CloudFront to deliver your entire website, including dynamic,
static, streaming, and interactive content using a global network of edge locations. Requests for your content are automatically routed to the nearest edge location, so content is delivered with the best possible
performance3. Edge locations can also host AWS Lambda functions to perform compute operations for your web application as close to end users as possible4.
QUESTION 376
A company wants to ensure that all of its Amazon EC2 instances have compliant operating system patches.
A. AWS Compute Optimizer

C. AWS AppSync
Correct Answer: D
Section:
Explanation:
AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you
to automate operational tasks across your AWS resources. You can use Systems Manager to apply OS patches, create system images, configure Windows and Linux operating systems, and execute PowerShell

commands5. Systems Manager can help you ensure that all of your Amazon EC2 instances have compliant operating system patches by using the Patch Manager feature.
QUESTION 377
Which task must a user perform by using the AWS account root user credentials?
A. Make changes to AWS production resources.

B. Change AWS Support plans.
C. Access AWS Cost and Usage Reports.
D. Grant auditors' access to an AWS account for a compliance audit.
Correct Answer: B
Section:
Explanation:
The AWS account root user is the email address that you used to sign up for AWS. The root user has complete access to all AWS services and resources in the account. You should use the root user only to perform a
few account and service management tasks. One of these tasks is changing AWS
Support plans, which requires root user credentials. For other tasks, you should create an IAM user or role with the appropriate permissions and use that instead of the root user.
QUESTION 378
A company wants to integrate natural language processing (NLP) into business intelligence (Bl) dashboards. The company wants to ask questions and receive answers with relevant visualizations.
A. Amazon Macie
B. Amazon Rekognition
C.
D.
Amazon QuickSight Q
Amazon Lex www.VCEplus.io
Correct Answer: C
Section:
Explanation:
Amazon QuickSight Q is a natural language query feature that lets you ask questions about your data using everyday language and get answers in seconds. You can type questions such as "What are the total sales
by region?" or "How did marketing campaign A perform?" and get answers in the form of relevant visualizations, such as charts or tables. You can also use Q to drill down into details, filter data, or perform
calculations. Q uses machine learning to understand your data and your intent, and provides suggestions and feedback to help you refine your questions.
QUESTION 379
Which of the following is a pillar of the AWS Well-Architected Framework?
A. Redundancy
B. Operational excellence
C. Availability
D. Multi-Region
Correct Answer: B
Section:
Explanation:
The AWS Well-Architected Framework helps cloud architects build secure, high-performing, resilient, and efficient infrastructure for their applications and workloads. Based on five pillars - operational excellence,
security, reliability, performance efficiency, and cost optimization - the Framework provides a consistent approach for customers and partners to evaluate architectures, and implement designs that can scale over

time. Operational excellence is one of the pillars of the Framework, and it focuses on running and monitoring systems to deliver business value, and continually improving processes and procedures.
QUESTION 380
A company wants to integrate natural language processing (NLP) into business intelligence (Bl) dashboards. The company wants to ask questions and receive answers with relevant visualizations.
A. Amazon Macie
C. Amazon QuickSight Q
D. Amazon Lex
Correct Answer: C
Section:
Explanation:
Amazon QuickSight Q is a natural language query feature that allows users to ask questions about their data and receive answers in the form of relevant visualizations1. Amazon Macie is a data security and data
privacy service that uses machine learning and pattern matching to discover and protect sensitive data in AWS2. Amazon Rekognition is a computer vision service that can analyze images and videos for faces,
objects, scenes, text, and more3. Amazon Lex is a service for building conversational interfaces using voice and text4.
QUESTION 381
Which option is an AWS Cloud Adoption Framework (AWS CAF) foundational capability for the operations perspective?
A. Performance and capacity management

B. Application portfolio management
C.
D.
Identity and access management
Product management www.VCEplus.io
Correct Answer: C
Section:
Explanation:
Identity and access management is one of the foundational capabilities for the operations perspective of the AWS Cloud Adoption Framework (AWS CAF). It involves managing the identities, roles, permissions, and
credentials of users and systems that interact with AWS resources.
Performance and capacity management is a capability for the platform perspective. Application portfolio management is a capability for the business perspective. Product management is a capability for the
governance perspective.
QUESTION 382
A company needs to implement identity management for a fleet of mobile apps that are running in the AWS Cloud.
A. Amazon Cognito
B. AWS Security Hub
C. AWS Shield
D. AWS WAF
Correct Answer: A
Section:
Explanation:

Amazon Cognito is a service that provides identity management for mobile and web applications, allowing users to sign up, sign in, and access AWS resources with different identity providers. AWS Security Hub is a
service that provides a comprehensive view of the security posture of AWS accounts and resources. AWS Shield is a service that provides protection against distributed denial of service (DDoS) attacks. AWS WAF is
a web application firewall that helps protect web applications from common web exploits.
QUESTION 383
Which AWS service or feature offers security for a VPC by acting as a firewall to control traffic in and out of subnets?
A. AWS Security Hub

B. Security groups
C. Network ACL
D. AWSWAF
Correct Answer: C
Section:
Explanation:
A network access control list (network ACL) is a feature that acts as a firewall for controlling traffic in and out of one or more subnets in a virtual private cloud (VPC). AWS Security Hub is a service that provides a
comprehensive view of the security posture of AWS accounts and resources. Security groups are features that act as firewalls for controlling traffic at the instance level. AWS WAF is a web application firewall that
helps protect web applications from common web exploits.
QUESTION 384
An ecommerce company wants to provide relevant product recommendations to its customers. The recommendations will include products that are frequently purchased with other products that the customer
already purchased. The recommendations also will include products of a specific color and products from the customer's favorite brand.
Which AWS service or feature should the company use to meet these requirements with the LEAST development effort?
A.
B.
Amazon Comprehend
Amazon Forecast
www.VCEplus.io
C. Amazon Personalize
D. Amazon SageMaker Studio
Correct Answer: C
Section:
Explanation:
Amazon Personalize is a service that provides real-time personalized recommendations based on the user's behavior, preferences, and context. It can also incorporate metadata such as product color and brand to
generate more relevant recommendations. Amazon Comprehend is a natural language processing (NLP) service that can analyze text for entities, sentiments, topics, and more. Amazon Forecast is a service that
provides accurate time-series forecasting based on machine learning.
Amazon SageMaker Studio is a web-based integrated development environment (IDE) for machine learning.
QUESTION 385
Which AWS service or storage class provides low-cost, long-term data storage?
A. Amazon S3 Glacier Deep Archive

B. AWS Snowball
C. Amazon MQ
D. AWS Storage Gateway
Correct Answer: A

Section:
Explanation:
Amazon S3 Glacier Deep Archive is a storage class within Amazon S3 that provides the lowest-cost, long-term data storage for data that is rarely accessed. AWS Snowball is a service that provides a physical device
for transferring large amounts of data into and out of AWS. Amazon MQ is a service that provides managed message broker service for Apache ActiveMQ. AWS Storage Gateway is a service that provides hybrid
cloud storage for on-premises applications.
QUESTION 386
Which AWS service or feature offers security for a VPC by acting as a firewall to control traffic in and out of subnets?
A. AWS Security Hub

B. Security groups
C. Network ACL
D. AWSWAF
Correct Answer: C
Section:
Explanation:
A network access control list (network ACL) is a feature that acts as a firewall for controlling traffic in and out of one or more subnets in a virtual private cloud (VPC). Network ACLs can be configured with rules that
allow or deny traffic based on the source and destination IP addresses, ports, and protocols1. AWS Security Hub is a service that provides a comprehensive view of the security posture of AWS accounts and
resources2. Security groups are features that act as firewalls for controlling traffic at the instance level3. AWS WAF is a web application firewall that helps protect web applications from common web exploits4.
QUESTION 387
A company wants to create a set of custom dashboards to collect metrics to monitor its applications.
www.VCEplus.io
B. AWS X-Ray
C. AWS Systems Manager
D. AWS CloudTrail
Correct Answer: A
Section:
Explanation:
Amazon CloudWatch is a service that provides monitoring and observability for AWS resources and applications. Users can create custom dashboards to collect and visualize metrics, logs, alarms, and events from
different sources5. AWS X-Ray is a service that provides distributed tracing and analysis for applications. AWS Systems Manager is a service that provides operational management for AWS resources and
applications. AWS CloudTrail is a service that provides governance, compliance, and auditing for AWS account activity.
QUESTION 388
A company wants to migrate its workloads to AWS, but it lacks expertise in AWS Cloud computing.
Which AWS service or feature will help the company with its migration?

B. AWS Consulting Partners
C. AWS Artifacts
D. AWS Managed Services

Correct Answer: D
Section:
Explanation:
AWS Managed Services is a service that provides operational management for AWS infrastructure and applications. It helps users migrate their workloads to AWS and provides ongoing support, security,
compliance, and automation. AWS Trusted Advisor is a service that provides best practices and recommendations for cost optimization, performance, security, and fault tolerance. AWS Consulting Partners are
professional services firms that help customers design, architect, build, migrate, and manage their workloads and applications on AWS. AWS Artifacts is a service that provides on-demand access to AWS
compliance reports and select online agreements.
QUESTION 389
A company deployed an application on an Amazon EC2 instance. The application ran as expected for 6 months. In the past week, users have reported latency issues. A system administrator found that the CPU
utilization was at 100%during business hours. The company wants a scalable solution to meet demand.
Which AWS service or feature should the company use to handle the load for its application during periods of high demand?
A. Auto Scaling groups

B. AWS Global Accelerator
C. Amazon Route 53
D. An Elastic IP address
Correct Answer: A
Section:
Explanation:
Auto Scaling groups are a feature that allows users to automatically scale the number of Amazon EC2 instances up or down based on demand or a predefined schedule. Auto Scaling groups can help improve the
performance and availability of applications by adjusting the capacity in response to traffic fluctuations1. AWS Global Accelerator is a service that improves the availability and performance of applications by
with an Amazon EC2 instance4.
QUESTION 390
www.VCEplus.io
routing traffic through AWS edge locations2. Amazon Route 53 is a service that provides scalable and reliable domain name system (DNS) service3. An Elastic IP address is a static IPv4 address that can be associated
Which VPC component provides a layer of security at the subnet level?
A. Security groups
B. Network ACLs
C. NAT gateways
D. Route tables
Correct Answer: B
Section:
Explanation:
Network ACLs are a feature that provide a layer of security at the subnet level by acting as a firewall to control traffic in and out of one or more subnets. Network ACLs can be configured with rules that allow or
deny traffic based on the source and destination IP addresses, ports, and protocols5.
Security groups are a feature that provide a layer of security at the instance level by acting as a firewall to control traffic to and from one or more instances. Security groups can be configured with rules that allow
or deny traffic based on the source and destination IP addresses, ports, protocols, and security groups. NAT gateways are a feature that enable instances in a private subnet to connect to the internet or other AWS
services, but prevent the internet from initiating a connection with those instances. Route tables are a feature that determine where network traffic from a subnet or gateway is directed.
QUESTION 391
For which AWS service is the customer responsible for maintaining the underlying operating system?
A. Amazon DynamoDB

B. Amazon S3
C. Amazon EC2
D. AWS Lambda
Correct Answer: C
Section:
Explanation:
Amazon EC2 is a service that provides resizable compute capacity in the cloud. Users can launch and manage virtual servers, known as instances, that run on the AWS infrastructure. Users are responsible for
maintaining the underlying operating system of the instances, as well as any applications or software that run on them. Amazon DynamoDB is a service that provides a fully managed NoSQL database that delivers
fast and consistent performance at any scale. Users do not need to manage the underlying operating system or the database software. Amazon S3 is a service that provides scalable and durable object storage in
the cloud. Users do not need to manage the underlying operating system or the storage infrastructure. AWS Lambda is a service that allows users to run code without provisioning or managing servers. Users only
need to upload their code and configure the triggers and parameters. AWS Lambda takes care of the underlying operating system and the execution environment.
QUESTION 392
According to the AWS shared responsibility model, who is responsible for the virtualization layer down to the physical security of the facilities in which AWS services operate?
A. It is the sole responsibility of the customer.

B. It is the sole responsibility of AWS.
C. It is a shared responsibility between AWS and the customer.
D. The customer's AWS Support plan tier determines who manages the configuration.
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, which includes the virtualization layer down to the physical security of the facilities in which AWS services
operate1. The customer is responsible for the security in the cloud, which includes the configuration and management of the AWS resources and applications that they use1.
QUESTION 393
A company wants to automatically set up and govern a multi-account AWS environment. Which benefit does AWS offer exclusively to users who have an AWS Enterprise Support plan?
A. Access to a technical project manager

B. Access to a technical account manager (TAM)
C. Access to a cloud support engineer
D. Access to a solutions architect
Correct Answer: B
Section:
Explanation:
AWS Enterprise Support plan is the highest level of support that AWS offers to its customers. One of the exclusive benefits of this plan is the access to a technical account manager (TAM), who is a dedicated point
of contact for guidance, advocacy, and support2. A technical project manager, a cloud support engineer, and a solutions architect are not exclusive benefits of the AWS Enterprise Support plan, as they are also
available to customers with lower-tier support plans or through other AWS services or programs345.
QUESTION 394

B. AWS Systems Manager
C. AWS Config
D. AWS Control Tower
Correct Answer: D
Section:
Explanation:
AWS Control Tower is a service that provides an easy way to set up and govern a secure, multiaccount AWS environment. It automates the creation of accounts, organizational units, policies, and best practices
based on the AWS Well-Architected Framework. AWS IAM Identity Center (AWS Single Sign-On) is a service that enables users to centrally manage access to multiple AWS accounts and business applications using a
single sign-on experience. AWS Systems Manager is a service that provides operational management for AWS resources and applications. AWS Config is a service that enables users to assess, audit, and evaluate the
configurations of AWS resources.
QUESTION 395
A company wants its AWS usage to be more sustainable. The company wants to track, measure, review, and forecast polluting emissions that result from its AWS applications.
A. AWS Health Dashboard

B. AWS customer carbon footprint tool
C. AWS Support Center
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
AWS customer carbon footprint tool is a tool that helps customers measure and manage their carbon emissions from their AWS usage. It provides data on the carbon intensity, energy consumption, and estimated
emissions of AWS services across regions and time periods. It also enables customers to review and forecast their emissions, and compare them with industry benchmarks. AWS Health Dashboard is a service that
provides personalized information about the health and performance of AWS services and resources. AWS Support Center is a service that provides access to AWS support resources, such as cases, forums, and
documentation. Amazon QuickSight is a service that provides business intelligence and analytics for AWS data sources.
QUESTION 396
A company has a large number of Linux Amazon EC2 instances across several Availability Zones in an AWS Region. Applications that run on the EC2 instances need access to a common set of files.
Which AWS service or device should the company use to meet this requirement?
A. AWS Backup
D. AWS Snowball Edge Storage Optimized
Correct Answer: B
Section:
Explanation:
Amazon Elastic File System (Amazon EFS) is a service that provides a scalable and elastic file system for Linux-based workloads. It can be mounted on multiple Amazon EC2 instances across different Availability
Zones within a region, allowing applications to access a common set of files1. AWS Backup is a service that provides a centralized and automated way to back up data across AWS services. Amazon Elastic Block
Store (Amazon EBS) is a service that provides persistent block storage volumes for Amazon EC2 instances. AWS Snowball Edge Storage Optimized is a device that provides a petabyte-scale data transport and edge
computing solution.

QUESTION 397
Which of the following is a benefit that AWS Professional Services provides?
A. Management of the ongoing security of user data

B. Advisory solutions for AWS adoption
C. Technical support 24 hours a day, 7 days a week
D. Monitoring of monthly billing costs in AWS accounts
Correct Answer: B
Section:
Explanation:
AWS Professional Services is a team of experts that help customers achieve their desired outcomes using the AWS Cloud. One of the benefits that AWS Professional Services provides is advisory solutions for AWS
adoption, which include guidance on cloud strategy, architecture, migration, and innovation2. Management of the ongoing security of user data, technical support 24 hours a day, 7 days a week, and monitoring of
monthly billing costs in AWS accounts are not benefits that AWS Professional Services provides, as they are either the responsibility of the customer or the features of other AWS services or support plans3
QUESTION 398
Which of the following is a benefit of operating in the AWS Cloud?
A. The ability to migrate on-premises network devices to the AWS Cloud

B. The ability to expand compute, storage, and memory when needed
C. The ability to host custom hardware in the AWS Cloud
D. The ability to customize the underlying hypervisor layer for Amazon EC2
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
One of the benefits of operating in the AWS Cloud is the ability to expand compute, storage, and memory when needed, which enables users to scale their applications and resources up or down based on demand.
This also helps users optimize their costs and performance. The ability to migrate on-premises network devices to the AWS Cloud, the ability to host custom hardware in the AWS Cloud, and the ability to customize
the underlying hypervisor layer for Amazon EC2 are not benefits of operating in the AWS Cloud, as they are either not possible or not recommended by AWS .
QUESTION 399
A company is operating several factories where it builds products. The company needs the ability to process data, store data, and run applications with local system interdependencies that require low latency.
A. AWS loT Greengrass

B. AWS Lambda
C. AWS Outposts
Correct Answer: C
Section:
Explanation:
AWS Outposts is a service that provides fully managed AWS infrastructure and services on premises.
It allows users to run applications that require low latency and local data processing, while seamlessly connecting to the AWS Cloud for a consistent hybrid experience. AWS IoT Greengrass is a service that provides
local compute, messaging, data caching, sync, and ML inference capabilities for connected devices. AWS Lambda is a service that allows users to run code without provisioning or managing servers. AWS Snowball
Edge is a device that provides a petabyte-scale data transport and edge computing solution.

QUESTION 400
What is the LEAST expensive AWS Support plan that provides the full set of AWS Trusted Advisor best practice checks for cost optimization?
A. AWS Enterprise Support

C. AWS Developer Support
Correct Answer: B
Section:
Explanation:
AWS Business Support is the least expensive AWS Support plan that provides the full set of AWS Trusted Advisor best practice checks for cost optimization. AWS Trusted Advisor is a service that provides best
practices and recommendations for cost optimization, performance, security, and fault tolerance. AWS Business Support also provides other benefits, such as 24/7 technical support, unlimited cases, and faster
response times. AWS Enterprise Support is the most expensive AWS Support plan that provides the same benefits as AWS Business Support, plus additional benefits, such as a technical account manager and
enterprise concierge support. AWS Developer Support and AWS Basic Support are cheaper AWS Support plans that provide only a limited set of AWS Trusted Advisor best practice checks for cost optimization .
QUESTION 401
Which AWS service helps developers use loose coupling and reliable messaging between microservices?
A. Elastic Load Balancing

B. Amazon Simple Notification Service (Amazon SNS)
C. Amazon CloudFront
D. Amazon Simple Queue Service (Amazon SQS)
Correct Answer: D
Section:
www.VCEplus.io
Explanation:
Amazon Simple Queue Service (Amazon SQS) is a service that provides fully managed message queues for asynchronous communication between microservices. It helps developers use loose coupling and reliable
messaging by allowing them to send, store, and receive messages between distributed components without losing them or requiring each component to be always available1.
Elastic Load Balancing is a service that distributes incoming traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. Amazon Simple Notification Service (Amazon SNS) is a service
that provides fully managed pub/sub messaging for event-driven and push-based communication between microservices. Amazon CloudFront is a service that provides a fast and secure content delivery network
(CDN) for web applications.
QUESTION 402
A company is building a mobile app to provide shopping recommendations to its customers. The company wants to use a graph database as part of the shopping recommendation engine.
Which AWS database service should the company choose?
A. Amazon DynamoDB
B. Amazon Aurora
C. Amazon Neptune
Correct Answer: C
Section:
Explanation:
Amazon Neptune is a service that provides a fully managed graph database that supports property graphs and RDF graphs. It can be used to build applications that work with highly connected datasets, such as

shopping recommendations, social networks, fraud detection, and knowledge graphs2. Amazon DynamoDB is a service that provides a fully managed NoSQL database that delivers fast and consistent performance
at any scale. Amazon Aurora is a service that provides a fully managed relational database that is compatible with MySQL and PostgreSQL. Amazon DocumentDB (with MongoDB compatibility) is a service that
provides a fully managed document database that is compatible with MongoDB.
QUESTION 403
Which option is the default pricing model for Amazon EC2 instances?
B. Savings Plans
C. Spot Instances
D. Reserved Instances
Correct Answer: A
Section:
Explanation:
On-Demand Instances are the default pricing model for Amazon EC2 instances. They allow users to pay for compute capacity by the second, with no long-term commitments or upfront payments. They are suitable
for applications with short-term, irregular, or unpredictable workloads that cannot be interrupted3. Savings Plans are a pricing model that offer significant savings on Amazon EC2 and AWS Fargate usage, in
exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1-year or 3-year term. Spot Instances are a pricing model that offer spare Amazon EC2 compute capacity at up to 90%
discount compared to On-Demand prices, but they can be interrupted by AWS with a two-minute notice when the demand exceeds the supply. Reserved Instances are a pricing model that offer up to 75% discount
compared to On-Demand prices, in exchange for a commitment to use a specific instance type and size in a specific region for a 1-year or 3-year term.
QUESTION 404
Which AWS service can provide a dedicated network connection with consistent low latency from on premises to the AWS Cloud?
A.
B.
Amazon VPC
Amazon Kinesis Data Streams
www.VCEplus.io
C. AWS Direct Connect
D. Amazon OpenSearch Service
Correct Answer: C
Section:
Explanation:
AWS Direct Connect is a service that provides a dedicated network connection from on premises to the AWS Cloud. It can reduce network costs, increase bandwidth throughput, and provide a more consistent
network experience than internet-based connections. It can also provide low latency for applications that require real-time data transfer4. Amazon VPC is a service that provides a logically isolated section of the
AWS Cloud where users can launch AWS resources in a virtual network that they define. Amazon Kinesis Data Streams is a service that provides a scalable and durable stream of data records for real-time data
processing. Amazon OpenSearch Service is a service that provides a fully managed, scalable, and secure search and analytics solution that is compatible with Elasticsearch.
QUESTION 405
A company simulates workflows to review and validate that all processes are effective and that staff are familiar with the processes.
Which design principle of the AWS Well-Architected Framework is the company following with this practice?

B. Refine operation procedures frequently.
C. Make frequent, small, reversible changes.
D. Structure the company to support business outcomes.

Correct Answer: B
Section:
Explanation:
Refine operation procedures frequently is one of the design principles of the operational excellence pillar of the AWS Well-Architected Framework. It means that users should continuously review and validate their
operational processes to ensure that they are effective and that staff are familiar with them. It also means that users should identify and address any gaps or issues in their processes, and incorporate feedback and
lessons learned from operational events5. Perform operations as code is another design principle of the operational excellence pillar, which means that users should automate and script their operational tasks to
reduce human error and enable consistent and repeatable execution. Make frequent, small, reversible changes is a design principle of the reliability pillar, which means that users should deploy changes in small
increments that can be easily tested and rolled back if necessary. Structure the company to support business outcomes is a design principle of the performance efficiency pillar, which means that users should align
their organizational structure and culture with their business goals and cloud strategy.
QUESTION 406
A company has designed its AWS Cloud infrastructure to run its workloads effectively. The company also has protocols in place to continuously improve supporting processes.
Which pillar of the AWS Well-Architected Framework does this scenario represent?
A. Security
C. Cost optimization
D. Operational excellence
Correct Answer: D
Section:
Explanation:
The scenario represents the operational excellence pillar of the AWS Well-Architected Framework, which focuses on running and monitoring systems to deliver business value and continually improve supporting
QUESTION 407
www.VCEplus.io
processes and procedures1. Security, performance efficiency, cost optimization, and reliability are the other four pillars of the framework1.
Which AWS service is a continuous delivery and deployment solution?
A. AWSAppSync
B. AWS CodePipeline
C. AWS Cloud9
D. AWS CodeCommit
Correct Answer: B
Section:
Explanation:
AWS CodePipeline is a continuous delivery and deployment service that automates the release process of software applications across different stages, such as source code, build, test, and deploy2. AWSAppSync,
AWS Cloud9, and AWS CodeCommit are other AWS services related to application development, but they do not provide continuous delivery and deployment solutions34 .
QUESTION 408
A company wants to set AWS spending targets and track costs against those targets.
Which AWS tool or feature should the company use to meet these requirements?
A. AWS Cost Explorer

B. AWS Budgets
C. AWS Cost and Usage Report

D. Savings Plans
Correct Answer: B
Section:
Explanation:
AWS Budgets is a tool that allows users to set AWS spending targets and track costs against those targets. Users can create budgets for various dimensions, such as service, linked account, tag, and more. Users can
also receive alerts when the actual or forecasted costs exceed or are projected to exceed the budgeted amount. AWS Cost Explorer, AWS Cost and Usage Report, and Savings Plans are other AWS tools or features
that can help users manage and optimize their AWS costs, but they do not enable users to set and track spending targets .
QUESTION 409
Which AWS services can be used to store files? (Select TWO.)
A. Amazon S3
B. AWS Lambda
D. Amazon SageMaker
E. AWS Storage Gateway
Section:
Explanation:
Amazon S3 and Amazon EBS are two AWS services that can be used to store files . Amazon S3 is an object storage service that offers high scalability, durability, availability, and performance. Amazon EBS is a block
storage service that provides persistent and low-latency storage volumes for Amazon EC2 instances. AWS Lambda, Amazon SageMaker, and AWS Storage Gateway are other AWS services that have different
www.VCEplus.io
purposes, such as serverless computing, machine learning, and hybrid cloud storage .
QUESTION 410
A company's application has high customer usage during certain times of the day. The company wants to reduce the number of Amazon EC2 instances that run when application usage is low.
Which AWS service or instance purchasing option should the company use to meet this requirement?
A. EC2 Instance Savings Plans

B. Spot Instances
D. Amazon EC2 Auto Scaling
Correct Answer: D
Section:
Explanation:
Amazon EC2 Auto Scaling is an AWS service that can help users reduce the number of Amazon EC2 instances that run when application usage is low. Amazon EC2 Auto Scaling allows users to create scaling policies
that automatically adjust the number of EC2 instances based on the demand or a schedule. EC2 Instance Savings Plans, Spot Instances, and Reserved Instances are instance purchasing options that can help users
save money on EC2 usage, but they do not automatically scale the number of instances according to the application usage .
QUESTION 411
A company is running a workload in the AWS Cloud.
Which AWS best practice ensures the MOST cost-effective architecture for the workload?
A. Loose coupling

B. Rightsizing
C. Caching
D. Redundancy
Correct Answer: B
Section:
Explanation:
The AWS best practice that ensures the most cost-effective architecture for the workload is rightsizing. Rightsizing means selecting the most appropriate instance type or resource configuration that matches the
needs of the workload. Rightsizing can help optimize performance and reduce costs by avoiding over-provisioning or under-provisioning of resources1. Loose coupling, caching, and redundancy are other AWS best
practices that can improve the scalability, availability, and performance of the workload, but they do not necessarily ensure the most cost-effective architecture.
QUESTION 412
A company wants to verify if multi-factor authentication (MFA) is enabled for all users within its AWS accounts.
Which AWS service or resource will meet this requirement?
A. AWS Cost and Usage Report

B. IAM credential reports
C. AWS Artifact
D. Amazon CloudFront reports
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
The AWS service or resource that will meet the requirement of verifying if multi-factor authentication (MFA) is enabled for all users within its AWS accounts is IAM credential reports. IAM credential reports are
downloadable reports that list all the users in an AWS account and the status of their various credentials, including passwords, access keys, and MFA devices. Users can use IAM credential reports to audit the
security status of their AWS accounts and identify any issues or risks4.
AWS Cost and Usage Report, AWS Artifact, and Amazon CloudFront reports are other AWS services or resources that provide different types of information, such as billing, compliance, and content delivery, but
they do not show the MFA status of the users.
QUESTION 413
A company has migrated its workloads to AWS. The company wants to adopt AWS at scale and operate more efficiently and securely.
Which AWS service or framework should the company use for operational support?
A. AWS Support
B. AWS Cloud Adoption Framework (AWS CAF)
C. AWS Managed Services (AMS)
Correct Answer: D
Section:
Explanation:
The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating workloads on AWS. It helps customers achieve operational excellence, security, reliability, performance
efficiency, cost optimization, and sustainability. The framework is based on six pillars, each with its own design principles, best practices, and questions. Customers can use the framework to assess their current
state, identify gaps, and implement improvements12.
AWS Support is a service that provides technical assistance, guidance, and resources for AWS customers. It offers different plans with varying levels of access to AWS experts, response times, and features3. AWS
Support does not provide a comprehensive framework for operational support.

AWS Cloud Adoption Framework (AWS CAF) is a guidance tool that helps customers plan and execute their cloud migration journey. It provides a set of perspectives, capabilities, and best practices to align the
business and technical aspects of cloud adoption4. AWS CAF does not focus on operational support for existing workloads on AWS.
AWS Managed Services (AMS) is a service that operates AWS infrastructure on behalf of customers. It provides a secure and compliant environment, automates common activities, and applies best practices for
provisioning, patching, backup, recovery, and monitoring5. AMS does not provide a framework for customers to operate their own workloads on AWS.
QUESTION 414
A company is building an application in the AWS Cloud. The company wants to use temporary credentials for the application to access other AWS resources.
A. AWS Key Management Service (Aws KMS)

B. AWS CloudHSM
C. Amazon Cognito
D. AWS Security Token Service (Aws STS)
Correct Answer: D
Section:
Explanation:
AWS Security Token Service (AWS STS) is a service that provides temporary security credentials to users or applications that need to access AWS resources. The temporary credentials have a limited lifetime and can
be configured to last from a few minutes to several hours. The credentials are not stored with the user or application, but are generated dynamically and provided on request. The credentials work almost
identically to long-term access key credentials, but have the advantage of not requiring distribution, rotation, or revocation1.
AWS Key Management Service (AWS KMS) is a service that provides encryption and decryption services for data and keys. It does not provide temporary security credentials2.
AWS CloudHSM is a service that provides hardware security modules (HSMs) for cryptographic operations and key management. It does not provide temporary security credentials3.
Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. It can also provide temporary security credentials for authenticated users, but not for
applications4.
QUESTION 415
Which AWS service offers object storage?
www.VCEplus.io
A. Amazon RDS
C. Amazon S3
D. Amazon DynamoDB
Correct Answer: C
Section:
Explanation:
Amazon S3 is the AWS service that offers object storage. Object storage is a technology that stores and manages data in an unstructured format called objects. Each object consists of the data, metadata, and a
unique identifier. Object storage is ideal for storing large amounts of unstructured data, such as photos, videos, email, web pages, sensor data, and audio files1. Amazon S3 provides industry-leading scalability, data
availability, security, and performance for object storage2.
Amazon RDS is the AWS service that offers relational database storage. Relational database storage is a technology that stores and manages data in a structured format called tables. Each table consists of rows and
columns that define the attributes and values of the dat a. Relational database storage is ideal for storing structured or semi-structured data, such as customer records, inventory, transactions, and analytics3.
Amazon Elastic File System (Amazon EFS) is the AWS service that offers file storage. File storage is a technology that stores and manages data in a hierarchical format called files and folders. Each file consists of the
data and metadata, and each folder consists of files or subfolders. File storage is ideal for storing shared data that can be accessed by multiple users or applications, such as home directories, content repositories,
media libraries, and configuration files4.
Amazon DynamoDB is the AWS service that offers NoSQL database storage. NoSQL database storage is a technology that stores and manages data in a flexible format called documents or key-value pairs. Each
document or key-value pair consists of the data and metadata, and can have different attributes and values depending on the schema. NoSQL database storage is ideal for storing dynamic or unstructured data that
requires high performance, scalability, and availability, such as web applications, social media, gaming, and IoT.

QUESTION 416
A company needs to deploy applications in the AWS Cloud as quickly as possible. The company also needs to minimize the complexity that is related to the management of AWS resources.
A. AWS config
C. Amazon EC2
D. Amazon Personalize
Correct Answer: B
Section:
Explanation:
AWS Elastic Beanstalk is the AWS service that allows customers to deploy applications in the AWS Cloud as quickly as possible. AWS Elastic Beanstalk automatically handles the deployment, from capacity
provisioning, load balancing, and auto-scaling to application health monitoring. Customers can upload their code and Elastic Beanstalk will take care of the rest1. AWS Elastic Beanstalk also minimizes the
complexity that is related to the management of AWS resources. Customers can retain full control of the underlying AWS resources powering their applications and adjust the settings to suit their needs1.
Customers can also use the AWS Management Console, the AWS Command Line Interface (AWS CLI), or APIs to manage their applications1.
AWS Config is the AWS service that enables customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Config continuously monitors and records the configuration changes of the
resources and evaluates them against desired configurations or best practices2. AWS Config does not help customers deploy applications in the AWS Cloud as quickly as possible or minimize the complexity that is
related to the management of AWS resources.
Amazon EC2 is the AWS service that provides secure, resizable compute capacity in the cloud. Customers can launch virtual servers called instances and choose from various configurations of CPU, memory, storage,
and networking resources3. Amazon EC2 does not automatically handle the deployment or management of AWS resources for customers. Customers have to manually provision, configure, monitor, and scale their
instances and other related resources.
Amazon Personalize is the AWS service that enables customers to create personalized recommendations for their users based on their behavior and preferences. Amazon Personalize uses machine learning to
management of AWS resources.
QUESTION 417
www.VCEplus.io
analyze data and deliver real-time recommendations4. Amazon Personalize does not help customers deploy applications in the AWS Cloud as quickly as possible or minimize the complexity that is related to the
Which AWS service can identify when an Amazon EC2 instance was terminated?
A. AWS Identity and Access Management (IAM)

B. AWS CloudTrail
C. AWS Compute Optimizer
D. Amazon EventBridge
Correct Answer: B
Section:
Explanation:
AWS CloudTrail is the AWS service that can identify when an Amazon EC2 instance was terminated.
AWS CloudTrail is a service that records API calls and events for AWS accounts and resources. AWS CloudTrail can capture the TerminateInstances event, which is triggered when an EC2 instance is terminated by a
user or an AWS service. The event contains information such as the instance ID, the user identity, the source IP address, the time, and the reason for the termination12. Customers can use the CloudTrail console,
the AWS CLI, or the AWS SDKs to view and search for the TerminateInstances events in their event history or in their S3 buckets where they store their CloudTrail logs13.
QUESTION 418
A company needs to categorize and track AWS usage cost based on business categories.
A. Cost allocation tags

C. AWS Security Hub
Correct Answer: A
Section:
Explanation:
The AWS service or feature that the company should use to categorize and track AWS usage cost based on business categories is cost allocation tags. Cost allocation tags are key-value pairs that users can attach to
AWS resources to organize and track their AWS costs. Users can use cost allocation tags to filter and group their AWS costs by categories such as project, department, environment, or application. Users can also use
cost allocation tags to generate detailed billing reports that show the costs associated with each tag3. AWS Organizations, AWS Security Hub, and AWS Cost and Usage Report are other AWS services or features
that can help users with different aspects of their AWS usage, such as managing multiple accounts, monitoring security issues, or analyzing billing data, but they do not enable users to categorize and track AWS
costs based on business categories.
QUESTION 419
Which options are AWS Cloud Adoption Framework (AWS CAF) cloud transformation journey recommendations? (Select TWO.)
A. Envision phase
B. Align phase
C. Assess phase
D. Mobilize phase
E. Migrate and modernize phase
Section:
The AWS Cloud Adoption Framework (AWS CAF) cloud transformation journey is a four-phase process that helps customers plan and execute their cloud migration and digital transformation. The four phases are:
Envision phase: This phase focuses on demonstrating how cloud will help accelerate the business outcomes of the customer. It involves identifying and prioritizing transformation opportunities across four domains:
business, people, governance, and platform. It also involves associating the transformation initiatives with key stakeholders and measurable business outcomes1.
Align phase: This phase focuses on identifying capability gaps across six perspectives: business, people, governance, platform, security, and operations. It also involves identifying crossorganizational dependencies
and surfacing stakeholder concerns and challenges. The goal of this phase is to create strategies for improving the cloud readiness, ensure stakeholder alignment, and facilitate relevant organizational change
management activities1.
Launch phase: This phase focuses on delivering pilot initiatives in production and demonstrating incremental business value. Pilots should be highly impactful and influence future direction. The customer should
learn from the pilots and adjust their approach before scaling to full production1.
Scale phase: This phase focuses on expanding production pilots and business value to the desired scale and ensuring that the business benefits associated with the cloud investments are realized and sustained1.
QUESTION 420
Which AWS service requires the customer to be fully responsible for applying operating system patches?
A. Amazon DynamoDB
B. AWS Lambda
C. AWS Fargate
D. Amazon EC2
Correct Answer: D
Section:
Explanation:

Amazon EC2 is the AWS service that requires the customer to be fully responsible for applying operating system patches. Amazon EC2 is a service that provides secure, resizable compute capacity in the cloud.
Customers can launch virtual servers called instances and choose from various configurations of CPU, memory, storage, and networking resources1. Customers have full control and access to their instances, which
means they are also responsible for managing and maintaining them, including applying operating system patches2. Customers can use AWS Systems Manager Patch Manager, a feature of AWS Systems Manager,
to automate the process of patching their EC2 instances with both security-related updates and other types of updates3.
QUESTION 421
Which AWS service provides encryption at rest for Amazon RDS and for Amazon Elastic Block Store (Amazon EBS) volumes?
A. AWS Lambda
B. AWS Key Management Service (AWS KMS)
C. AWSWAF
D. Amazon Rekognition
Correct Answer: B
Section:
Explanation:
AWS Key Management Service (AWS KMS) is a managed service that enables you to easily encrypt your data. AWS KMS provides you with centralized control of the encryption keys used to protect your data. You
can use AWS KMS to encrypt data in Amazon RDS and Amazon EBS volumes12
QUESTION 422
Which task can only an AWS account root user perform?
A.
B.
C.
Changing the AWS Support plan
Deleting AWS resources
Creating an Amazon EC2 instance key pair
www.VCEplus.io
D. Configuring AWS WAF
Correct Answer: A
Section:
Explanation:
The AWS account root user is the email address that you use to sign up for AWS. The root user has complete access to all AWS services and resources in the account. The root user can perform tasks that only the
root user can do, such as changing the AWS Support plan, closing the account, and restoring IAM user permissions34
QUESTION 423
A company is considering migration to the AWS Cloud. The company wants a fully managed service or feature that can transfer streaming data from multiple sources to an Amazon S3 bucket.
A. AWS DataSync
B. Amazon Kinesis Data Firehose
C. S3 Select
D. AWS Transfer Family
Correct Answer: B
Section:
Explanation:

Amazon Kinesis Data Firehose is a fully managed service that delivers real-time streaming data to destinations such as Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk. You can use Amazon
Kinesis Data Firehose to capture, transform, and load streaming data from multiple sources, such as web applications, mobile devices, IoT sensors, and social media.
QUESTION 424
Which Amazon S3 storage class is the MOST cost-effective for long-term storage?
A. S3 Glacier Deep Archive

B. S3 Standard
C. S3 Standard-Infrequent Access (S3 Standard-IA)
D. S3 One Zone-Infrequent Access (S3 One Zone-IA)
Correct Answer: A
Section:
Explanation:
Amazon S3 Glacier Deep Archive is the lowest-cost storage class in the cloud. It is designed for longterm data archiving that is rarely accessed. It offers a retrieval time of 12 hours and a durability of 99.999999999%
(11 9's). It is ideal for data that must be retained for 7 years or longer to meet regulatory compliance requirements.
QUESTION 425
A company is launching a mobile app. The company wants customers to be able to use the app without upgrading their mobile devices.
Which pillar of the AWS Well-Architected Framework does this goal represent?
A. Security
B. Reliability
C.
D.
Cost optimization
Sustainability www.VCEplus.io
Correct Answer: C
Section:
Explanation:
Cost optimization is one of the five pillars of the AWS Well-Architected Framework. It focuses on avoiding unnecessary costs, understanding and controlling where money is being spent, selecting the most
appropriate and right number of resource types, analyzing spend over time, and scaling to meet business needs without overspending.
QUESTION 426
Which AWS service can a company use to find security and compliance reports, including International Organization for Standardization (ISO) reports?
A. AWS Artifact
C. AWS Config
D. AWS Audit Manager
Correct Answer: A
Section:
Explanation:
AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance reports and select online agreements. You can use AWS Artifact to download AWS service audit reports, such as
ISO, PCI, and SOC, and to accept and manage agreements with AWS, such as the Business Associate Addendum (BAA).

QUESTION 427
Which database engines does Amazon Aurora support? (Select TWO.)
A. Oracle
B. Microsoft SQL Server
C. MySQL
D. PostgreSQL
E. MongoDB
Section:
Explanation:
Amazon Aurora is a relational database service that is compatible with MySQL and PostgreSQL engines. It delivers up to five times the performance of MySQL and up to three times the performance of PostgreSQL.
It also provides high availability, scalability, security, and durability1
QUESTION 428
A company's headquarters is located on a different continent from where the majority of the company's customers live. The company wants an AWS Cloud environment setup that will provide the lowest latency to
the customers.
A company wants to automate the creation of new AWS accounts and automatically prevent all users from creating Amazon EC2 instances.
A. AWS Service Catalog

C.
D.
EC2 Image Builder
AWS Systems Manager
www.VCEplus.io
Correct Answer: B
Section:
Explanation:
AWS Organizations is a service that enables you to create and manage multiple AWS accounts centrally. You can use AWS Organizations to automate account creation, apply policies to control access and
permissions, and consolidate billing across your accounts. You can also use AWS Organizations to prevent users from creating Amazon EC2 instances in certain regions or with certain configurations2
QUESTION 429
A company needs to set up user authentication for a new application. Users must be able to sign in directly with a user name and password, or through a third-party provider.

B. AWS Signer
C. Amazon Cognito
D. AWS Directory Service
Correct Answer: C
Section:
Explanation:
Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. You can use Amazon Cognito to enable users to sign in directly with a user name and password, or
through a third-party provider, such as Facebook, Google, or Amazon. You can also use Amazon Cognito to manage user profiles, preferences, and security settings3

QUESTION 430
Which abilities are benefits of the AWS Cloud? (Select TWO.)
A. Trade variable expenses for capital expenses.

B. Deploy globally in minutes.
C. Plan capacity in advance of deployments.
D. Take advantage of economies of scale.
E. Reduce dependencies on network connectivity.
Section:
Explanation:
The AWS Cloud offers many benefits, such as:
Trade variable expenses for capital expenses: You can pay only for the resources you use, instead of investing in fixed costs upfront. This reduces the risk and complexity of planning and managing your IT
infrastructure4 Deploy globally in minutes: You can leverage the global infrastructure of AWS to deploy your applications and data in multiple regions and availability zones. This enables you to reach your
customers faster, improve performance, and increase reliability5
QUESTION 431
A company is looking for a managed machine learning (ML) service that can recommend products based on a customer's previous behaviors.
A. Amazon Personalize
B. Amazon SageMaker
C.
D.
Amazon Pinpoint
Amazon Comprehend
www.VCEplus.io
Correct Answer: A
Section:
Explanation:
The AWS service that meets the requirement of providing a managed machine learning (ML) service that can recommend products based on a customer's previous behaviors is Amazon Personalize.
Amazon Personalize is a fully managed service that enables developers to create personalized recommendations for customers using their own data. Amazon Personalize can automatically process and examine the
data, identify what is meaningful, select the right algorithms, and train and optimize a personalized recommendation model2. Amazon SageMaker, Amazon Pinpoint, and Amazon Comprehend are other AWS
services related to machine learning, but they do not provide the specific functionality of product recommendation.
QUESTION 432
A company wants its Amazon EC2 instances to share the same geographic area but use multiple independent underlying power sources.
Which solution achieves this goal?

B. Use EC2 instances in multiple AWS Regions.
C. Use EC2 instances in multiple Availability Zones in the same AWS Region.
D. Use EC2 instances in the same edge location and the same AWS Region.
Correct Answer: C
Section:
Explanation:

The solution that achieves the goal of having Amazon EC2 instances share the same geographic area but use multiple independent underlying power sources is to use EC2 instances in multiple Availability Zones in
the same AWS Region. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. An AWS Region is a geographical area that consists of
two or more Availability Zones. By using multiple Availability Zones, users can increase the fault tolerance and resilience of their applications, as well as reduce latency for end users3. Using EC2 instances in a single
Availability Zone, multiple AWS Regions, or the same edge location and the same AWS Region would not meet the requirement of having multiple independent power sources.
QUESTION 433
Which AWS service should be used when a company needs to provide its remote employees with virtual desktops?
A. Amazon Identity and Access Management (1AM)

B. AWS Directory Service
C. AWS 1AM Identity Center (AWS Single Sign-On)
D. Amazon Workspaces
Correct Answer: D
Section:
Explanation:
The AWS service that should be used when a company needs to provide its remote employees with virtual desktops is Amazon WorkSpaces. Amazon WorkSpaces is a fully managed, secure desktop-asa-service
(DaaS) solution that runs on AWS. Amazon WorkSpaces allows users to provision cloudbased virtual desktops and provide their end users access to the documents, applications, and resources they need from any
supported device, including Windows and Mac computers, Chromebooks, iPads, Fire tablets, and Android tablets4. Amazon Identity and Access Management (IAM), AWS Directory Service, and AWS IAM Identity
Center (AWS Single Sign-On) are other AWS services related to identity and access management, but they do not provide virtual desktops.
QUESTION 434
A company needs a graph database service that is scalable and highly available.
A. Amazon Aurora
www.VCEplus.io
B. Amazon Redshift
C. Amazon DynamoDB
D. Amazon Neptune
Correct Answer: D
Section:
Explanation:
The AWS service that meets the requirements of providing a graph database service that is scalable and highly available is Amazon Neptune. Amazon Neptune is a fast, reliable, and fully managed graph database
service that supports property graph and RDF graph models. Amazon Neptune is designed to store billions of relationships and query the graph with milliseconds latency. Amazon Neptune also offers high
availability and durability by replicating six copies of the data across three Availability Zones and continuously backing up the data to Amazon S35. Amazon Aurora, Amazon Redshift, and Amazon DynamoDB are
other AWS services that provide relational or non-relational database solutions, but they do not support graph database models.
QUESTION 435
Which AWS Cloud benefit describes the ability to acquire resources as they are needed and release resources when they are no longer needed?
A. Economies of scale
B. Elasticity
C. Agility
D. Security

Correct Answer: B
Section:
Explanation:
The AWS Cloud benefit that describes the ability to acquire resources as they are needed and release resources when they are no longer needed is elasticity. Elasticity means that users can quickly add and remove
resources to match the demand of their applications, and only pay for what they use. Elasticity enables users to handle unpredictable workloads, reduce costs, and improve performance1. Economies of scale,
agility, and security are other benefits of the AWS Cloud, but they do not describe the specific ability of acquiring and releasing resources on demand.
QUESTION 436
A company wants to design a reliable web application that is hosted on Amazon EC2.
Which approach will achieve this goal?
A. Launch large EC2 instances in the same Availability Zone.

B. Spread EC2 instances across more than one security group.
C. Spread EC2 instances across more than one Availability Zone.
D. Use an Amazon Machine Image (AMI) from AWS Marketplace.
Correct Answer: C
Section:
Explanation:
The approach that will achieve the goal of designing a reliable web application that is hosted on Amazon EC2 is to spread EC2 instances across more than one Availability Zone. An Availability Zone is a physically
isolated location within an AWS Region that has its own power, cooling, and network connectivity. By spreading EC2 instances across multiple Availability Zones, users can increase the fault tolerance and availability
of their web applications, as well as reduce latency for end users2.
Launching large EC2 instances in the same Availability Zone, spreading EC2 instances across more than one security group, or using an Amazon Machine Image (AMI) from AWS Marketplace are not sufficient to
QUESTION 437
www.VCEplus.io
ensure reliability, as they do not provide redundancy or resilience in case of an outage in one Availability Zone.
A company has a MySQL database running on a single Amazon EC2 instance. The company now requires higher availability in the event of an outage.
Which set of tasks would meet this requirement?
A. Add an Application Load Balancer in front of the EC2 instance.

B. Configure EC2 Auto Recovery to move the instance to another Availability Zone.
C. Migrate to Amazon RDS and enable Multi-AZ.
D. Enable termination protection for the EC2 instance to avoid outages.
Correct Answer: C
Section:
Explanation:
The set of tasks that would meet the requirement of having higher availability for a MySQL database running on a single Amazon EC2 instance is to migrate to Amazon RDS and enable Multi-AZ. Amazon RDS is a
fully managed relational database service that supports MySQL and other popular database engines. By enabling Multi-AZ, users can have a primary database in one Availability Zone and a synchronous standby
replica in another Availability Zone. In case of a planned or unplanned outage of the primary database, Amazon RDS automatically fails over to the standby replica with minimal disruption3. Adding an Application
Load Balancer in front of the EC2 instance, configuring EC2 Auto Recovery to move the instance to another Availability Zone, or enabling termination protection for the EC2 instance would not provide higher
availability for the database, as they do not address the single point of failure or data replication issues.
QUESTION 438
Which AWS service or feature can a company use to apply security rules to specific Amazon EC2 instances?
A. Network ACLs

B. Security groups
D. AWS WAF
Correct Answer: B
Section:
Explanation:
Security groups are the AWS service or feature that can be used to apply security rules to specific Amazon EC2 instances. Security groups are virtual firewalls that control the inbound and outbound traffic for one or
more instances. Customers can create security groups and add rules that reflect the role of the instance that is associated with the security group. For example, a web server instance needs security group rules that
allow inbound HTTP and HTTPS access, while a database instance needs rules that allow access for the type of database12. Security groups are stateful, meaning that the responses to allowed inbound traffic are
also allowed, regardless of the outbound rules1. Customers can assign multiple security groups to an instance, and the rules from each security group are effectively aggregated to create one set of rules1.
Network ACLs are another AWS service or feature that can be used to control the traffic for a subnet.
Network ACLs are stateless, meaning that they do not track the traffic that they allow. Therefore, customers must add rules for both inbound and outbound traffic3. Network ACLs are applied at the subnet level,
not at the instance level.
AWS Trusted Advisor is an AWS service that provides best practice recommendations for security, performance, cost optimization, and fault tolerance. AWS Trusted Advisor does not apply security rules to specific
Amazon EC2 instances, but it can help customers identify security gaps and improve their security posture4.
AWS WAF is an AWS service that helps protect web applications from common web exploits, such as SQL injection, cross-site scripting, and bot attacks. AWS WAF does not apply security rules to specific Amazon
EC2 instances, but it can be integrated with other AWS services, such as Amazon CloudFront, Amazon API Gateway, and Application Load Balancer.
QUESTION 439
Which actions are best practices for an AWS account root user? (Select TWO.)
A. Share root user credentials with team members.

B.
C.
D.
Enable multi-factor authentication (MFA) on the root user. www.VCEplus.io
Create multiple root users for the account, separated by environment.
Create an IAM user with administrator privileges for daily administrative tasks, instead of using the root user.
Use programmatic access instead of the root user and password.
Section:
Explanation:
The AWS account root user is the identity that has complete access to all AWS services and resources in the account. It is accessed by signing in with the email address and password that were used to create the
account1. The root user should be protected and used only for a few account and service management tasks that require it1. Therefore, the following actions are best practices for an AWS account root user:
Enable multi-factor authentication (MFA) on the root user. MFA is a security feature that requires users to provide two or more pieces of information to authenticate themselves, such as a password and a code
from a device. MFA adds an extra layer of protection for the root user credentials, which can access sensitive information and perform critical operations in the account2.
Create an IAM user with administrator privileges for daily administrative tasks, instead of using the root user. IAM is a service that helps customers manage access to AWS resources for users and groups. Customers
can create IAM users and assign them permissions to perform specific tasks on specific resources. Customers can also create IAM roles and policies to delegate access to other AWS services or external entities3. By
creating an IAM user with administrator privileges, customers can avoid using the root user for everyday tasks and reduce the risk of accidental or malicious changes to the account1.
QUESTION 440
A company wants an automated process to continuously scan its Amazon EC2 instances for software vulnerabilities.
A. Amazon GuardDuty
B. Amazon Inspector
C. Amazon Detective

D. Amazon Cognito
Correct Answer: B
Section:
Explanation:
Amazon Inspector is the AWS service that can be used to perform vulnerability scans on AWS EC2 instances for software vulnerabilities automatically in a periodic fashion. Amazon Inspector automatically discovers
EC2 instances and scans them for software vulnerabilities and unintended network exposure. Amazon Inspector uses AWS Systems Manager (SSM) and the SSM Agent to collect information about the software
application inventory of the EC2 instances. This data is then scanned by Amazon Inspector for software vulnerabilities12. Amazon Inspector also integrates with other AWS services, such as Amazon EventBridge and
AWS Security Hub, to automate discovery, expedite vulnerability routing, and shorten mean time to remediate (MTTR) vulnerabilities2.
QUESTION 441
A company wants to implement controls (guardrails) in a newly created AWS Control Tower landing zone.
Which AWS services or features can the company use to create and define these controls (guardrails)? (Select TWO.)
A. AWS Config
B. Service control policies (SCPs)
C. Amazon GuardDuty
E. Security groups
Section:
Explanation:
www.VCEplus.io
AWS Config and service control policies (SCPs) are AWS services or features that the company can use to create and define controls (guardrails) in a newly created AWS Control Tower landing zone.
AWS Config is a service that enables users to assess, audit, and evaluate the configurations of their AWS resources. It can be used to create rules that check for compliance with the desired configurations and
report any deviations. AWS Control Tower provides a set of predefined AWS Config rules that can be enabled as guardrails to enforce compliance across the landing zone1.
Service control policies (SCPs) are a type of policy that can be used to manage permissions in AWS Organizations. They can be used to restrict the actions that the users and roles in the member accounts can
perform on the AWS resources. AWS Control Tower provides a set of predefined SCPs that can be enabled as guardrails to prevent access to certain services or regions across the landing zone2. Amazon GuardDuty
is a service that provides intelligent threat detection and continuous monitoring for AWS accounts and resources. It is not a feature that can be used to create and define controls (guardrails) in a landing zone. AWS
Identity and Access Management (IAM) is a service that allows users to manage access to AWS resources and services. It can be used to create users, groups, roles, and policies that control who can do what in
AWS. It is not a feature that can be used to create and define controls (guardrails) in a landing zone. Security groups are virtual firewalls that control the inbound and outbound traffic for Amazon EC2 instances.
They can be used to allow or deny access to an EC2 instance based on the port, protocol, and source or destination. They are not a feature that can be used to create and define controls (guardrails) in a landing
zone.
QUESTION 442
A developer wants to use an Amazon S3 bucket to store application logs that contain sensitive data.
Which AWS service or feature should the developer use to restrict read and write access to the S3 bucket?
A. Security groups
C. AWS CloudTrail
D. ACLs
Correct Answer: D
Section:
Explanation:
ACLs are an AWS service or feature that the developer can use to restrict read and write access to the S3 bucket. ACLs are access control lists that grant basic permissions to other AWS accounts or predefined

groups. They can be used to grant read or write access to an S3 bucket or an object3.
Security groups are virtual firewalls that control the inbound and outbound traffic for Amazon EC2 instances. They are not a service or feature that can be used to restrict access to an S3 bucket.
Amazon CloudWatch is a service that provides monitoring and observability for AWS resources and applications. It can be used to collect and analyze metrics, logs, events, and alarms. It is not a service or feature
that can be used to restrict access to an S3 bucket. AWS CloudTrail is a service that provides governance, compliance, and audit for AWS accounts and resources. It can be used to track and record the API calls and
user activity in AWS. It is not a service or feature that can be used to restrict access to an S3 bucket.
QUESTION 443
Which AWS service or tool helps companies measure the environmental impact of their AWS usage?
A. AWS customer carbon footprint tool

C. Sustainability pillar
D. OS-Climate (Open Source Climate Data Commons)
Correct Answer: A
Section:
Explanation:
AWS customer carbon footprint tool is an AWS service or tool that helps companies measure the environmental impact of their AWS usage. It allows users to estimate the carbon emissions associated with their
AWS resources and services, such as EC2, S3, and Lambda. It also provides recommendations and best practices to reduce the carbon footprint and improve the sustainability of their AWS workloads4. AWS
Compute Optimizer is an AWS service that helps users optimize the performance and cost of their EC2 instances and Auto Scaling groups. It provides recommendations for optimal instance types, sizes, and
configurations based on the workload characteristics and utilization metrics. It does not help users measure the environmental impact of their AWS usage.
Sustainability pillar is a concept that refers to the ability of a system to operate in an environmentally friendly and socially responsible manner. It is not an AWS service or tool that helps users measure the
environmental impact of their AWS usage. OS-Climate (Open Source Climate Data Commons) is an initiative that aims to provide open source data, tools, and platforms to accelerate climate action and innovation.
QUESTION 444
www.VCEplus.io
It is not an AWS service or tool that helps users measure the environmental impact of their AWS usage.
Which option is a perspective that includes foundational capabilities of the AWS Cloud Adoption Framework (AWS CAF)?
A. Sustainability
B. Operations
D. Reliability
Correct Answer: B
Section:
Explanation:
Operations is an option that is a perspective that includes foundational capabilities of the AWS Cloud Adoption Framework (AWS CAF). Operations is one of the six perspectives of the AWS CAF, along with business,
people, governance, platform, and security. Operations focuses on the processes and procedures to support the ongoing management and maintenance of the cloud-based IT assets. It covers topics such as
monitoring, backup and recovery, change management, incident management, and automation5. Sustainability is not a perspective of the AWS CAF, but a concept that refers to the ability of a system to operate in
an environmentally friendly and socially responsible manner.
Performance efficiency is not a perspective of the AWS CAF, but a pillar of the AWS Well-Architected Framework. It focuses on using the right resources and services for the workload, monitoring performance, and
continuously improving the efficiency of the solution. Reliability is not a perspective of the AWS CAF, but a pillar of the AWS Well-Architected Framework. It focuses on the ability of a system to recover from
infrastructure or service disruptions, dynamically acquire computing resources to meet demand, and mitigate disruptions such as misconfigurations or transient network issues.
QUESTION 445
Which of the following is a benefit of decoupling an AWS Cloud architecture?

A. Reduced latency
B. Fewer components to manage
C. Decreased costs
D. Ability to upgrade components independently
Correct Answer: D
Section:
Explanation:
QUESTION 446
Which AWS service uses AWS Compute Optimizer to provide sizing recommendations based on workload metrics?
A. Amazon EC2
B. Amazon RDS
C. Amazon Lightsail
Correct Answer: A
Section:
Explanation:
Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. It allows you to launch virtual servers, called instances, with different configurations of CPU, memory, storage, and
networking resources. AWS Compute Optimizer analyzes the specifications and utilization metrics of your Amazon EC2 instances and generates recommendations for optimal instance types that can reduce costs
www.VCEplus.io
and improve performance.You can view the recommendations on the AWS Compute Optimizer console or the Amazon EC2 console12.
Amazon RDS, Amazon Lightsail, and AWS Step Functions are not supported by AWS Compute Optimizer. Amazon RDS is a managed relational database service that lets you set up, operate, and scale a relational
database in the cloud. Amazon Lightsail is an easy-to-use cloud platform that offers everything you need to build an application or website, plus a cost-effective, monthly plan.AWS Step Functions lets you
coordinate multiple AWS services into serverless workflows so you can build and update apps quickly3.
QUESTION 447
Which capabilities are in the platform perspective of the AWS Cloud Adoption Framework (AWS CAF)? (Select TWO.)

B. Data engineering
C. Continuous integration and continuous delivery (CI/CD)
D. Infrastructure protection
E. Change and release management
Section:
Explanation:
These are two of the seven capabilities that are in the platform perspective of the AWS Cloud Adoption Framework (AWS CAF).The platform perspective helps you build an enterprise-grade, scalable, hybrid cloud
platform, modernize existing workloads, and implement new cloud-native solutions1. The other five capabilities are:
Platform architecture -- Establish and maintain guidelines, principles, patterns, and guardrails for your cloud environment.
Platform engineering -- Build a compliant multi-account cloud environment with enhanced security features, and packaged, reusable cloud products.
Platform operations -- Manage and optimize your cloud environment with automation, monitoring, and incident response.
Application development -- Develop and deploy cloud-native applications using modern architectures and best practices.

Application migration -- Migrate your existing applications to the cloud using proven methodologies and tools.
Performance and capacity management, infrastructure protection, and change and release management are not capabilities of the platform perspective.They are part of the operations perspective, which helps you
achieve operational excellence in the cloud2. The operations perspective comprises six capabilities:
Performance and capacity management -- Monitor and optimize the performance and capacity of your cloud workloads.
Infrastructure protection -- Protect your cloud infrastructure from unauthorized access, malicious attacks, and data breaches.
Change and release management -- Manage changes and releases to your cloud workloads using automation and governance.
Configuration management -- Manage the configuration of your cloud resources and applications using automation and version control.
Incident management -- Respond to incidents affecting your cloud workloads using best practices and tools.
Service continuity management -- Ensure the availability and resilience of your cloud workloads using backup, recovery, and disaster recovery strategies.
QUESTION 448
How does the AWS Enterprise Support Concierge team help users?
A. Supporting application development

B. Providing architecture guidance
C. Answering billing and account inquiries
D. Answering questions regarding technical support cases
Correct Answer: C
Section:
Explanation:
The AWS Enterprise Support Concierge team is a group of billing and account experts who specialize in working with enterprise customers. They can help customers with questions about billing, account
management, cost optimization, and other non-technical issues. They can also assist customers with navigating and optimizing their AWS environment, such as setting up consolidated billing, applying for service
limit increases, or requesting refunds.
AWS Support Plan Comparison
AWS Enterprise Support Plan
www.VCEplus.io
Answer Explained: Which AWS Support plan provides access to AWS Concierge Support team for account assistance?
QUESTION 449
A company wants to make an upfront commitment for continued use of its production Amazon EC2 instances in exchange for a reduced overall cost.
Which pricing options meet these requirements with the LOWEST cost? (Select TWO.)
A. Spot Instances
B. On-Demand Instances
D. Savings Plans
E. Dedicated Hosts
Section:
Explanation:
Reserved Instances (RIs) are a pricing model that allows you to reserve EC2 instances for a specified period of time (one or three years) and receive a significant discount compared to On-Demand pricing. RIs are
suitable for workloads that have predictable usage patterns and require a long-term commitment. You can choose between three payment options: All Upfront, Partial Upfront, or No Upfront.The more you pay
upfront, the greater the discount1.
Savings Plans are a flexible pricing model that can help you reduce your EC2 costs by up to 72% compared to On-Demand pricing, in exchange for a commitment to a consistent amount of usage (measured in
$/hour) for a one or three year term. Savings Plans apply to usage across EC2, AWS Lambda, and AWS Fargate. You can choose between two types of Savings Plans: Compute Savings Plans and EC2 Instance Savings
Plans. Compute Savings Plans offer the most flexibility and apply to any instance family, size, OS, tenancy, or region.EC2 Instance Savings Plans offer the highest discount and apply to a specific instance family within

a region2.
Spot Instances are a pricing model that allows you to bid for unused EC2 capacity in the AWS cloud and are available at a discount of up to 90% compared to On-Demand pricing. Spot Instances are suitable for
fault-tolerant or stateless workloads that can run on heterogeneous hardware and have flexible start and end times.However, Spot Instances are not guaranteed and can be interrupted by AWS at any time if the
demand for capacity increases or your bid price is lower than the current Spot price3.
On-Demand Instances are a pricing model that allows you to pay for compute capacity by the hour or second with no long-term commitments. On-Demand Instances are suitable for short-term, spiky, or
unpredictable workloads that cannot be interrupted, or for applications that are being developed or tested on EC2 for the first time.However, On-Demand Instances are the most expensive option among the four
pricing models4.
Dedicated Hosts are physical EC2 servers fully dedicated for your use. Dedicated Hosts can help you reduce costs by allowing you to use your existing server-bound software licenses, such as Windows Server, SQL
Server, and SUSE Linux Enterprise Server. Dedicated Hosts can be purchased On-Demand or as part of Savings Plans. Dedicated Hosts are suitable for workloads that need to run on dedicated physical servers or
have strict licensing requirements. However, Dedicated Hosts are not the lowest cost option among the four pricing models.
QUESTION 450
A company wants a time-series database service that makes it easier to store and analyze trillions of events each day.
A. Amazon Neptune
B. Amazon Timestream
C. Amazon Forecast
Correct Answer: B
Section:
Explanation:
www.VCEplus.io
Amazon Timestream is a fast, scalable, and serverless time-series database service for IoT and other operational applications that makes it easy to store and analyze trillions of events per day up to 1,000 times
faster and at as little as 1/10th the cost of relational databases1.Amazon Timestream saves you time and cost in managing the lifecycle of time series data, and its purpose-built query engine lets you access and
analyze recent and historical data together with a single query1.Amazon Timestream has built-in time series analytics functions, helping you identify trends and patterns in near real time1.
The other options are not suitable for storing and analyzing trillions of events per day. Amazon Neptune is a graph database service that supports highly connected data sets. Amazon Forecast is a machine learning
service that generates accurate forecasts based on historical dat a. Amazon DocumentDB (with MongoDB compatibility) is a document database service that supports MongoDB workloads.
1: Time Series Database -- Amazon Timestream -- Amazon Web Services
QUESTION 451
A company plans to migrate to the AWS Cloud. The company wants to use the AWS Cloud Adoption Framework (AWS CAF) to define and track business outcomes as part of its cloud transformation journey.
Which AWS CAF governance perspective capability will meet these requirements?
A. Benefits management
B. Risk management
C. Application portfolio management
D. Cloud financial management
Correct Answer: A
Section:
Explanation:
The correct answer is A) Benefits management.
Benefits management is the AWS CAF governance perspective capability that helps you define and track business outcomes as part of your cloud transformation journey. Benefits management helps you align your
cloud initiatives with your business objectives, measure the value and impact of your cloud investments, and communicate the benefits of cloud adoption to your stakeholders12.
Risk management is the AWS CAF governance perspective capability that helps you identify and mitigate the potential risks associated with cloud adoption, such as security, compliance, legal, and operational
risks12.

Application portfolio management is the AWS CAF governance perspective capability that helps you assess and optimize your existing application portfolio for cloud migration or modernization. Application
portfolio management helps you categorize your applications based on their business value and technical fit, prioritize them for cloud adoption, and select the best migration or modernization strategy for each
application12.
Cloud financial management is the AWS CAF governance perspective capability that helps you manage and optimize the costs and value of your cloud resources. Cloud financial management helps you plan and
budget for cloud adoption, track and allocate cloud costs, implement cost optimization strategies, and report on cloud financial performance12.
1: AWS Cloud Adoption Framework: Governance Perspective 2: All you need to know about AWS Cloud Adoption Framework --- Governance Perspective
QUESTION 452
Which perspective in the AWS Cloud Adoption Framework (AWS CAF) includes a capability for well-designed data and analytics architecture?
A. Security
B. Governance
C. Operations
D. Platform
Correct Answer: D
Section:
Explanation:
The correct answer is D. Platform.
The Platform perspective in the AWS Cloud Adoption Framework (AWS CAF) includes a capability for well-designed data and analytics architecture. This capability helps you design, implement, and optimize your
data and analytics solutions on AWS, using services such as Amazon S3, Amazon Redshift, Amazon EMR, Amazon Kinesis, Amazon Athena, and Amazon QuickSight. A well-designed data and analytics architecture
enables you to collect, store, process, analyze, and visualize data from various sources, and derive insights that can drive your business decisions12.
The Security perspective does not include a capability for data and analytics architecture, but it does include a capability for data protection, which helps you secure your data at rest and in transit using encryption,
key management, access control, and auditing13.
www.VCEplus.io
The Governance perspective does not include a capability for data and analytics architecture, but it does include a capability for data governance, which helps you manage the quality, availability, usability, integrity,
and security of your data assets14.
The Operations perspective does not include a capability for data and analytics architecture, but it does include a capability for data operations, which helps you monitor, troubleshoot, and optimize the
performance and availability of your data pipelines and workloads1 .
1: Foundational capabilities - An Overview of the AWS Cloud Adoption Framework 2: [AWS Cloud Adoption Framework: Platform Perspective] 3: [AWS Cloud Adoption Framework: Security Perspective] 4: [AWS
Cloud Adoption Framework: Governance Perspective] : [AWS Cloud Adoption Framework: Operations Perspective]
QUESTION 453
A developer has been hired by a large company and needs AWS credentials.
Which are security best practices that should be followed? (Select TWO.)
A. Grant the developer access to only the AWS resources needed to perform the job.
B. Share the AWS account root user credentials with the developer.
C. Add the developer to the administrator's group in AWS IAM.
D. Configure a password policy that ensures the developer's password cannot be changed.
E. Ensure the account password policy requires a minimum length.
Section:
Explanation:
The security best practices that should be followed are A and E.
A) Grant the developer access to only the AWS resources needed to perform the job. This is an example of the principle of least privilege, which means giving the minimum permissions necessary to achieve a task.
This reduces the risk of unauthorized access, data leakage, or accidental damage to AWS resources. You can use AWS Identity and Access Management (IAM) to create users, groups, roles, and policies that grant

fine-grained access to AWS resources12.
E) Ensure the account password policy requires a minimum length. This is a basic security measure that helps prevent brute-force attacks or guessing of passwords. A longer password is harder to crack than a
shorter one. You can use IAM to configure a password policy that enforces a minimum password length, as well as other requirements such as complexity, expiration, and history34.
B) Share the AWS account root user credentials with the developer. This is a bad practice that should be avoided. The root user has full access to all AWS resources and services, and can perform sensitive actions
such as changing billing information, closing the account, or deleting all resources. Sharing the root user credentials exposes your account to potential compromise or misuse. You should never share your root user
credentials with anyone, and use them only for account administration tasks5 .
C) Add the developer to the administrator's group in IAM. This is also a bad practice that should be avoided. The administrator's group has full access to all AWS resources and services, which is more than what a
developer needs to perform their job. Adding the developer to the administrator's group violates the principle of least privilege and increases the risk of unauthorized access, data leakage, or accidental damage to
AWS resources. You should create a custom group for the developer that grants only the necessary permissions for their role12.
D) Configure a password policy that ensures the developer's password cannot be changed. This is another bad practice that should be avoided. Preventing the developer from changing their password reduces their
ability to protect their credentials and comply with security policies. For example, if the developer's password is compromised, they cannot change it to prevent further unauthorized access. Or if the company
requires periodic password rotation, they cannot update their password to meet this requirement. You should allow the developer to change their password as needed, and enforce a password policy that sets
reasonable rules for password management34.
QUESTION 454
A company is moving an on-premises data center to the AWS Cloud. The company must migrate 50 petabytes of file storage data to AWS with the least possible operational overhead.
Which AWS service or resource should the company use to meet these requirements?
A. AWS Snowmobile
B. AWS Snowball Edge
C. AWS Data Exchange
D. AWS Database Migration Service (AWS DMS)
Correct Answer: A
Section:
Explanation:
www.VCEplus.io
The AWS service that the company should use to meet these requirements is A. AWS Snowmobile.
AWS Snowmobile is a service that allows you to migrate large amounts of data to AWS using a 45-foot long ruggedized shipping container that can store up to 100 petabytes of data. AWS Snowmobile is designed
for situations where you need to move massive amounts of data to the cloud in a fast, secure, and cost-effective way. AWS Snowmobile has the least possible operational overhead because it eliminates the need to
buy, configure, or manage hundreds or thousands of storage devices12.
AWS Snowball Edge is a service that allows you to migrate data to AWS using a physical device that can store up to 80 terabytes of data and has compute and storage capabilities to run applications on the device.
AWS Snowball Edge is suitable for situations where you have limited or intermittent network connectivity, or where bandwidth costs are high. However, AWS Snowball Edge has more operational overhead than
AWS Snowmobile because you need to request multiple devices and transfer your data onto them using the client3.
AWS Data Exchange is a service that allows you to find, subscribe to, and use third-party data in the cloud. AWS Data Exchange is not a data migration service, but rather a data marketplace that enables data
providers and data consumers to exchange data sets securely and efficiently4.
AWS Database Migration Service (AWS DMS) is a service that helps migrate databases to AWS. AWS DMS does not migrate file storage data, but rather supports various database platforms and engines as sources
and targets5.
1: AWS Snowmobile -- Move Exabytes of Data to the Cloud in Weeks 2: AWS Snowmobile - Amazon Web Services 3: Automated Software Vulnerability Management - Amazon Inspector - AWS 4: AWS Data Exchange
- Find, subscribe to, and use third-party data in ... 5: AWS Database Migration Service -- Amazon Web Services
QUESTION 455
A company wants to define a central data protection policy that works across AWS services for compute, storage, and database resources.
A. AWS Batch
B. AWS Elastic Disaster Recovery
C. AWS Backup

D. Amazon FSx
Correct Answer: C
Section:
Explanation:
The AWS service that will meet this requirement is C. AWS Backup.
AWS Backup is a service that allows you to define a central data protection policy that works across AWS services for compute, storage, and database resources. You can use AWS Backup to create backup plans that
specify the frequency, retention, and lifecycle of your backups, and apply them to your AWS resources using tags or resource IDs. AWS Backup supports various AWS services, such as Amazon EC2, Amazon EBS,
Amazon RDS, Amazon DynamoDB, Amazon EFS, Amazon FSx, and AWS Storage Gateway12.
AWS Batch is a service that allows you to run batch computing workloads on AWS. AWS Batch does not provide a central data protection policy, but rather enables you to optimize the allocation and utilization of
your compute resources3.
AWS Elastic Disaster Recovery is a service that allows you to prepare for and recover from disasters using AWS. AWS Elastic Disaster Recovery does not provide a central data protection policy, but rather helps you
minimize downtime and data loss by replicating your applications and data to AWS4.
Amazon FSx is a service that provides fully managed file storage for Windows and Linux applications. Amazon FSx does not provide a central data protection policy, but rather offers features such as encryption,
snapshots, backups, and replication to protect your file systems5.
1: AWS Backup -- Centralized backup across AWS services 3: AWS Batch -- Run Batch Computing Jobs on AWS 2: Data Protection Reference Architectures with AWS Backup 4: AWS Elastic Disaster Recovery --
Prepare for and recover from disasters using AWS 5: Amazon FSx -- Fully managed file storage for Windows and Linux applications
QUESTION 456
A company needs to engage third-party consultants to help maintain and support its AWS environment and the company's business needs.
A. AWS Support
C.
D.
AWS Service Catalog
AWS Partner Network (APN)
www.VCEplus.io
Correct Answer: D
Section:
Explanation:
The AWS service or resource that will meet these requirements is D. AWS Partner Network (APN).
AWS Partner Network (APN) is a global community of consulting and technology partners that offer a wide range of services and solutions for AWS customers. APN partners can help customers design, architect,
build, migrate, and manage their workloads and applications on AWS. APN partners have access to various resources, training, tools, and support to enhance their AWS expertise and deliver value to customers12.
AWS Support is a service that provides technical assistance and guidance for AWS customers. AWS Support offers different plans with varying levels of response time, access channels, and features. AWS Support
does not directly engage third-party consultants, but rather connects customers with AWS experts and resources3.
AWS Organizations is a service that allows customers to manage multiple AWS accounts within a single organization. AWS Organizations enables customers to create groups of accounts, apply policies, automate
account creation, and consolidate billing. AWS Organizations does not directly engage third-party consultants, but rather helps customers simplify and optimize their AWS account management4.
AWS Service Catalog is a service that allows customers to create and manage catalogs of IT services that are approved for use on AWS. AWS Service Catalog enables customers to control the configuration,
deployment, and governance of their IT services. AWS Service Catalog does not directly engage third-party consultants, but rather helps customers standardize and streamline their IT service delivery5.
1: AWS Partner Network (APN) - Amazon Web Services (AWS) 2: Find an APN Partner - Amazon Web Services (AWS) 3: AWS Support -- Amazon Web Services 4: AWS Organizations -- Amazon Web Services 5: AWS
Service Catalog -- Amazon Web Services
QUESTION 457
A company wants to use the AWS Cloud to deploy an application globally.
Which architecture deployment model should the company use to meet this requirement?
A. Multi-Region

B. Single-Region
C. Multi-AZ
D. Single-AZ
Correct Answer: A
Section:
Explanation:
The architecture deployment model that the company should use to meet this requirement is
A) Multi-Region.
A multi-region deployment model is a cloud computing architecture that distributes an application and its data across multiple geographic regions. A multi-region deployment model enables a company to achieve
global reach, high availability, disaster recovery, and performance optimization. By deploying an application in multiple regions, a company can serve customers from the nearest region, reduce latency, increase
redundancy, and comply with data sovereignty regulations12.
A single-region deployment model is a cloud computing architecture that runs an application and its data within a single geographic region. A single-region deployment model is simpler and cheaper than a multi-
region deployment model, but it has limited scalability, availability, and performance. A single-region deployment model may not be suitable for a company that wants to deploy an application globally, as it may
face challenges such as network latency, regional outages, or regulatory compliance12.
A multi-AZ (Availability Zone) deployment model is a cloud computing architecture that distributes an application and its data across multiple isolated locations within a single region. An Availability Zone is a
physically separate location within an AWS Region that has independent power, cooling, and networking. A multi-AZ deployment model enhances the availability and durability of an application by providing
redundancy and fault tolerance within a region34.
A single-AZ deployment model is a cloud computing architecture that runs an application and its data within a single Availability Zone. A single-AZ deployment model is the simplest and most cost-effective option,
but it has no redundancy or fault tolerance. A single-AZ deployment model may not be suitable for a company that wants to deploy an application globally, as it may face challenges such as network latency,
regional outages, or regulatory compliance34.
1: AWS Cloud Computing - W3Schools 2: Understand the Different Cloud Computing Deployment Models Unit - Trailhead 3: Regions and Availability Zones - Amazon Elastic Compute Cloud 4: AWS Reference
Architecture Diagrams
QUESTION 458
www.VCEplus.io
Which option is a customer responsibility under the AWS shared responsibility model?
A. Maintenance of underlying hardware of Amazon EC2 instances

B. Application data security
C. Physical security of data centers
D. Maintenance of VPC components
Correct Answer: B
Section:
Explanation:
The option that is a customer responsibility under the AWS shared responsibility model is B. Application data security.
According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. This means that AWS manages the security of the
underlying infrastructure, such as the hardware, software, networking, and facilities that run the AWS services, while the customer manages the security of their applications, data, and resources that they use on
top of AWS12.
Application data security is one of the customer responsibilities under the AWS shared responsibility model. This means that the customer is responsible for protecting their application data from unauthorized
access, modification, deletion, or leakage. The customer can use various AWS services and features to help with application data security, such as encryption, key management, access control, logging, and
auditing12.
Maintenance of underlying hardware of Amazon EC2 instances is not a customer responsibility under the AWS shared responsibility model. This is part of the AWS responsibility to secure the cloud. AWS manages
the physical servers that host the Amazon EC2 instances and ensures that they are updated, patched, and replaced as needed13.
Physical security of data centers is not a customer responsibility under the AWS shared responsibility model. This is also part of the AWS responsibility to secure the cloud. AWS operates and controls the facilities
where the AWS services are hosted and ensures that they are protected from unauthorized access, environmental hazards, fire, and theft14.
Maintenance of VPC components is not a customer responsibility under the AWS shared responsibility model. This is a shared responsibility between AWS and the customer. AWS provides the VPC service and

ensures that it is secure and reliable, while the customer configures and manages their own VPCs and related components, such as subnets, route tables, security groups, network ACLs, gateways, and endpoints15.
1: Shared Responsibility Model - Amazon Web Services (AWS) 2: AWS Cloud Computing - W3Schools 3: [Amazon EC2 FAQs - Amazon Web Services] 4: [AWS Security - Amazon Web Services] 5: [Amazon Virtual
Private Cloud (VPC) - Amazon Web Services]
QUESTION 459
A company wants an AWS service to provide product recommendations based on its customer data.
A. Amazon Polly
B. Amazon Personalize
C. Amazon Comprehend
D. Amazon Rekognition
Correct Answer: B
Section:
Explanation:
Amazon Personalize is an AWS service that helps developers quickly build and deploy a custom recommendation engine with real-time personalization and user segmentation1. It uses machine learning (ML) to
analyze customer data and provide relevant recommendations based on their preferences, behavior, and context. Amazon Personalize can be used for various use cases such as optimizing recommendations,
targeting customers more accurately, maximizing the value of unstructured text, and promoting items using business rules1.
The other options are not suitable for providing product recommendations based on customer data. Amazon Polly is a service that converts text into lifelike speech. Amazon Comprehend is a service that uses
natural language processing (NLP) to extract insights from text and documents. Amazon Rekognition is a service that uses computer vision (CV) to analyze images and videos for faces, objects, scenes, and activities.
1: Cloud Products - Amazon Web Services (AWS)
2: Recommender System -- Amazon Personalize -- Amazon Web Services
3: Top 25 AWS Services List 2023 - GeeksforGeeks
www.VCEplus.io
4: AWS to Azure services comparison - Azure Architecture Center
5: The 25+ Best AWS Cost Optimization Tools (Updated 2023) - CloudZero
6: Amazon Polly -- Text-to-Speech Service - AWS
7: Natural Language Processing - Amazon Comprehend - AWS
8: Image and Video Analysis - Amazon Rekognition - AWS
QUESTION 460
A company wants to launch multiple workloads on AWS. Each workload is related to a different business unit. The company wants to separate and track costs for each business unit.
Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Organizations and create one account for each business unit.
B. Use a spreadsheet to control the owners and cost of each resource.
C. Use an Amazon DynamoDB table to record costs for each business unit.
D. Use the AWS Billing console to assign owners to resources and track costs.
Correct Answer: A
Section:
Explanation:
AWS Organizations is a service that helps you centrally manage and govern your AWS environment.You can use AWS Organizations to create multiple accounts for different business units, and group them into
organizational units (OUs) that reflect your organizational structure1.By doing so, you can separate and track costs for each business unit using the account ID as a cost allocation tag2.You can also use AWS
Organizations to apply policies and controls to your accounts, such as service control policies (SCPs) and tag policies1.
The other options are not suitable for meeting the requirements with the least operational overhead. Using a spreadsheet or a DynamoDB table to control and record costs for each business unit would require
manual data entry and maintenance, which is prone to errors and inconsistencies. Using the AWS Billing console to assign owners to resources and track costs would also require manual tagging of each resource,

which is time-consuming and inefficient.
1: What Is AWS Organizations? - AWS Organizations
2: Cost Tagging and Reporting with AWS Organizations | AWS Cloud Financial Management
QUESTION 461
Which AWS services are supported by Savings Plans? (Select TWO.)
A. Amazon EC2
B. Amazon RDS
C. Amazon SageMaker
D. Amazon Redshift
E. Amazon DynamoDB
Section:
Explanation:
The AWS services that are supported by Savings Plans are:
Amazon EC2: Amazon EC2 is a service that provides scalable computing capacity in the AWS cloud. You can use Amazon EC2 to launch virtual servers, configure security and networking, and manage
storage.Amazon EC2 is eligible for both Compute Savings Plans and EC2 Instance Savings Plans12.
Amazon SageMaker: Amazon SageMaker is a service that helps you build and deploy machine learning models. You can use Amazon SageMaker to access Jupyter notebooks, use common machine learning
algorithms, train and tune models, and deploy them to a hosted environment.Amazon SageMaker is eligible for SageMaker Savings Plans13.
The other options are not supported by Savings Plans.Amazon RDS, Amazon Redshift, and Amazon DynamoDB are database services that are eligible for Reserved Instances, but not Savings Plans4.
QUESTION 462
www.VCEplus.io
Which AWS service provides a single location to track the progress of application migrations?
A. AWS Application Discovery Service

B. AWS Application Migration Service
C. AWS Service Catalog
D. AWS Migration Hub
Correct Answer: D
Section:
Explanation:
AWS Migration Hub is a service that provides a single location to track the progress of application migrations across multiple AWS and partner solutions.It allows you to choose the AWS and partner migration tools
that best fit your needs, while providing visibility into the status of migrations across your portfolio of applications1.AWS Migration Hub supports migration status updates from the following tools: AWS Application
Migration Service, AWS Database Migration Service, CloudEndure Migration, Server Migration Service, and Migrate for Compute Engine1.
The other options are not correct for the following reasons:
AWS Application Discovery Service is a service that helps you plan your migration projects by automatically identifying servers, applications, and dependencies in your on-premises data centers2. It does not track
the progress of application migrations, but rather provides information to help you plan and scope your migrations.
AWS Application Migration Service is a service that helps you migrate and modernize applications from any source infrastructure to AWS with minimal downtime and disruption3. It is one of the migration tools that
can send status updates to AWS Migration Hub, but it is not the service that provides a single location to track the progress of application migrations.
AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS4. It does not track the progress of application migrations, but rather helps you
manage the provisioning and governance of your IT services.
1: What Is AWS Migration Hub? - AWS Migration Hub
2: What Is AWS Application Discovery Service? - AWS Application Discovery Service
3: App Migration Tool - AWS Application Migration Service - AWS

4: What Is AWS Service Catalog? - AWS Service Catalog
QUESTION 463
Which capabilities are in the platform perspective of the AWS Cloud Adoption Framework (AWS CAF)? (Select TWO.)

B. Data engineering
C. Continuous integration and continuous delivery (CI/CD)
D. Infrastructure protection
E. Change and release management
Section:
Explanation:
The platform perspective of the AWS Cloud Adoption Framework (AWS CAF) helps you build an enterprise-grade, scalable, hybrid cloud platform, modernize existing workloads, and implement new cloud-native
solutions1.It comprises seven capabilities, two of which are data engineering and CI/CD1.
Data engineering: This capability helps you design and evolve a fit-for-purpose data and analytics architecture that can reduce complexity, cost, and technical debt while enabling you to gain actionable insights
from exponentially growing data volumes1. It involves selecting key technologies for each of your architectural layers, such as ingestion, storage, catalog, processing, and consumption.It also involves supporting
real-time data processing and adopting a Lake House architecture to facilitate data movements between data lakes and purpose-built data stores1.
CI/CD: This capability helps you automate the delivery of your cloud solutions using a set of practices and tools that enable faster and more reliable deployments1. It involves establishing a pipeline that can build,
test, and deploy your code across multiple environments.It also involves adopting a DevOps culture that fosters collaboration, feedback, and continuous improvement among your development and operations
teams1.
1: Platform perspective: infrastructure and applications - An Overview of the AWS Cloud Adoption Framework

A company hosts a large amount of data in AWS. The company wants to identify if any of the data should be considered sensitive.
Which AWS service will meet the requirement?
A. Amazon Inspector
B. Amazon Macie
C. AWS Identity and Access Management (IAM)
D. Amazon CloudWatch
Correct Answer: B
Section:
Explanation:
Amazon Macie is a fully managed service that uses machine learning and pattern matching to help you detect, classify, and better protect your sensitive data stored in the AWS Cloud1.Macie can automatically
discover and scan your Amazon S3 buckets for sensitive data such as personally identifiable information (PII), financial information, healthcare information, intellectual property, and credentials1.Macie also
provides you with a dashboard that shows the type, location, and volume of sensitive data in your AWS environment, as well as alerts and findings on potential security issues1.
The other options are not suitable for identifying sensitive data in AWS.Amazon Inspector is a service that helps you find security vulnerabilities and deviations from best practices in your Amazon EC2
instances2.AWS Identity and Access Management (IAM) is a service that helps you manage access to your AWS resources by creating users, groups, roles, and policies3.Amazon CloudWatch is a service that helps
you monitor and troubleshoot your AWS resources and applications by collecting metrics, logs, events, and alarms4.
1: What Is Amazon Macie? - Amazon Macie
2: What Is Amazon Inspector? - Amazon Inspector
3: What Is IAM? - AWS Identity and Access Management
4: What Is Amazon CloudWatch? - Amazon CloudWatch

QUESTION 465
A company wants an AWS service to collect and process 10 TB of data locally and transfer the data to AWS. The company has intermittent connectivity.
A. AWS Database Migration Service (AWS DMS)

B. AWS DataSync
C. AWS Backup
Correct Answer: D
Section:
Explanation:
The correct answer is D. AWS Snowball Edge.
AWS Snowball Edge is a physical device that can be used to collect and process data locally and then transfer it to AWS. It is designed for situations where there is limited or intermittent network connectivity, or
where bandwidth costs are high. AWS Snowball Edge can store up to 80 TB of data and has compute and storage capabilities to run applications on the device1.
AWS Database Migration Service (AWS DMS) is a service that helps migrate databases to AWS. It does not collect or process data locally, nor does it work offline2.
AWS DataSync is a service that helps transfer data between on-premises storage systems and AWS storage services. It does not collect or process data locally, and it requires a network connection to work3.
AWS Backup is a service that helps automate and manage backups across AWS services. It does not collect or process data locally, nor does it transfer data to AWS. It only backs up data that is already in AWS4.
1: AWS Snowball Edge 2: AWS Database Migration Service (AWS DMS) 3: AWS DataSync 4: AWS Backup
QUESTION 466
Which options are AWS Cloud Adoption Framework (AWS CAF) people perspective capabilities? (Select TWO.)
A.
B.
Organizational alignment
Portfolio management
www.VCEplus.io
C. Organization design
D. Risk management
E. Modern application development
Section:
Explanation:
The AWS Cloud Adoption Framework (AWS CAF) people perspective capabilities are the organizational skills and processes that enable effective cloud adoption. According to the AWS CAF people perspective
whitepaper1, there are seven capabilities in this perspective, two of which are:
Organizational alignment: This capability helps you align your organizational structure, roles, and responsibilities to support your cloud transformation goals and objectives. It involves assessing your current and
desired state of alignment, identifying gaps and misalignments, and designing and implementing changes to optimize your cloud performance1.
Organization design: This capability helps you design and evolve your organization to enable agility, innovation, and collaboration in the cloud. It involves defining your cloud operating model, identifying the skills
and competencies needed for cloud roles, and creating career paths and development plans for your cloud workforce1.
The other options are not capabilities in the AWS CAF people perspective. Portfolio management, risk management, and modern application development are capabilities in the AWS CAF business perspective,
governance perspective, and platform perspective respectively2.
1: AWS Cloud Adoption Framework: People Perspective - AWS Cloud Adoption Framework: People Perspective
2: AWS Cloud Adoption Framework - AWS Cloud Adoption Framework
QUESTION 467
A company has 5 TB of data stored in Amazon S3. The company plans to occasionally run queries on the data for analysis.

Which AWS service should the company use to run these queries in the MOST cost-effective manner?
A. Amazon Redshift
B. Amazon Athena
C. Amazon Kinesis
D. Amazon RDS
Correct Answer: B
Section:
Explanation:
Amazon Athena is a serverless, interactive analytics service that allows users to run SQL queries on data stored in Amazon S3. It is ideal for occasional queries on large datasets, as it does not require any server
provisioning, configuration, or management. Users only pay for the queries they run, based on the amount of data scanned. Amazon Athena supports various data formats, such as CSV, JSON, Parquet, ORC, and
Avro, and integrates with AWS Glue Data Catalog to create and manage schemas.Amazon Athena also supports querying data from other sources, such as on-premises or other cloud systems, using data
connectors1.
Amazon Redshift is a fully managed data warehouse service that allows users to run complex analytical queries on petabyte-scale data. However, it requires users to provision and maintain clusters of nodes, and
pay for the storage and compute capacity they use.Amazon Redshift is more suitable for frequent and consistent queries on structured or semi-structured data2.
Amazon Kinesis is a platform for streaming data on AWS, enabling users to collect, process, and analyze real-time data. It is not designed for querying data stored in Amazon S3.Amazon Kinesis consists of four
services: Kinesis Data Streams, Kinesis Data Firehose, Kinesis Data Analytics, and Kinesis Video Streams3.
Amazon RDS is a relational database service that provides six database engines: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. It simplifies database administration tasks such as
backup, patching, scaling, and replication. However, it is not optimized for querying data stored in Amazon S3.Amazon RDS is more suitable for transactional workloads that require high performance and
availability4.
Interactive SQL - Serverless Query Service - Amazon Athena - AWS
[Amazon Redshift -- Data Warehouse Solution - AWS]
[Amazon Kinesis - Streaming Data Platform - AWS]
[Amazon Relational Database Service (RDS) -- AWS]
QUESTION 468
www.VCEplus.io
A company needs to search for text in documents that are stored in Amazon S3.
A. Amazon Kendra
C. Amazon Polly
D. Amazon Lex
Correct Answer: A
Section:
Explanation:
Amazon Kendra is a highly accurate and easy to use intelligent search service powered by machine learning. It enables users to easily find the content they are looking for, even when it is scattered across multiple
locations and content repositories within their organization.Amazon Kendra supports natural language queries, and can search for text in documents stored in Amazon S3, as well as other sources such as
SharePoint, OneDrive, Salesforce, ServiceNow, and more1.
Amazon Rekognition is a computer vision service that makes it easy to add image and video analysis to applications. It can detect objects, faces, text, scenes, activities, and emotions in images and videos.However,
it is not designed for searching for text in documents stored in Amazon S32.
Amazon Polly is a text-to-speech service that turns text into lifelike speech. It can create audio versions of books, articles, podcasts, and more.However, it is not designed for searching for text in documents stored
in Amazon S33.
Amazon Lex is a service for building conversational interfaces using voice and text. It can create chatbots that can interact with users using natural language.However, it is not designed for searching for text in
documents stored in Amazon S34.

Amazon Kendra -- Intelligent Search Service Powered by Machine Learning
Amazon Rekognition -- Video and Image - AWS
Amazon Polly -- Text-to-Speech Service - AWS
Amazon Lex -- Build Conversation Bots - AWS
QUESTION 469
A company wants to migrate a database from an on-premises environment to Amazon RDS.
After the migration is complete, which management task will the company still be responsible for?
A. Hardware lifecycle management

B. Application optimization
C. Server maintenance
D. Power, network, and cooling provisioning
Correct Answer: B
Section:
Explanation:
Amazon RDS is a managed database service that handles most of the common database administration tasks, such as hardware provisioning, server maintenance, backup and recovery, patching, scaling, and
replication. However, Amazon RDS does not optimize the application that interacts with the database.The company is still responsible for tuning the performance, security, and availability of the application
according to its business requirements and best practices12.
What is Amazon Relational Database Service (Amazon RDS)?
Perform common DBA tasks for Amazon RDS DB instances
QUESTION 470
www.VCEplus.io
A company is assessing its AWS Business Support plan to determine if the plan still meets the company's needs. The company is considering switching to
AWS Enterprise Support.
Which additional benefit will the company receive with AWS Enterprise Support?
A. A full set of AWS Trusted Advisor checks

B. Phone, email, and chat access to cloud support engineers 24 hours a day, 7 days a week
C. A designated technical account manager (TAM) to assist in monitoring and optimization
D. A consultative review and architecture guidance for the company's applications
Correct Answer: C
Section:
Explanation:
AWS Enterprise Support provides customers with a designated technical account manager (TAM) who is a single point of contact for all technical and operational issues. The TAM provides consultative architectural
and operational guidance delivered in the context of the customer's applications and use-cases to help them achieve the greatest value from AWS.The TAM also helps customers with proactive services, such as
strategic business reviews, security improvement programs, guided Well-Architected reviews, cost optimization workshops, and more1.
A full set of AWS Trusted Advisor checks is not an additional benefit of AWS Enterprise Support, as it is also included in the AWS Business Support plan2. AWS Trusted Advisor is a tool that provides best practice
recommendations for cost optimization, performance, security, fault tolerance, and service limits.
Phone, email, and chat access to cloud support engineers 24 hours a day, 7 days a week is not an additional benefit of AWS Enterprise Support, as it is also included in the AWS Business Support plan2. Cloud
support engineers can help customers with technical issues, such as troubleshooting, configuration, usage, and service features.
A consultative review and architecture guidance for the company's applications is not an additional benefit of AWS Enterprise Support, as it is also included in the AWS Business Support plan2. Customers can
request a consultative review from a solutions architect who will provide best practices and recommendations based on the customer's use-cases and goals.
QUESTION 471

Which AWS service converts text to lifelike voices?
A. Amazon Transcribe
C. Amazon Polly
D. Amazon Textract
Correct Answer: C
Section:
Explanation:
Amazon Polly is a service that turns text into lifelike speech, allowing you to create applications that talk, and build entirely new categories of speech-enabled products.Polly's Text-to-Speech (TTS) service uses
advanced deep learning technologies to synthesize natural sounding human speech1. Amazon Polly supports dozens of languages and a wide range of natural-sounding voices. You can customize and control the
speech output by using lexicons and SSML tags.You can also store and redistribute the speech output in standard audio formats like MP3 and OGG2.
Amazon Transcribe is a service that converts speech to text, enabling you to create text transcripts from audio or video files. It can recognize multiple speakers, different languages, accents, dialects, and
background noises. It can also add punctuation and formatting to the transcripts. Amazon Transcribe is useful for applications such as subtitling, captioning, transcription, and voice search.
Amazon Rekognition is a service that provides image and video analysis using computer vision and deep learning. It can detect objects, faces, text, scenes, activities, and emotions in images and videos. It can also
perform face recognition, face comparison, face search, celebrity recognition, and facial analysis. Amazon Rekognition is useful for applications such as security, social media, e-commerce, and media and
entertainment.
Amazon Textract is a service that extracts text and data from scanned documents using optical character recognition (OCR) and machine learning. It can identify the contents of fields in forms and tables, as well as
the relationships between them. It can also preserve the layout and structure of the original document. Amazon Textract is useful for applications such as data entry, document management, compliance, and
analytics.
Text to Speech Software -- Amazon Polly -- Amazon Web Services
What is Text to Speech -- Amazon Web Services (AWS)
AWS Amazon Polly - Text to Speech Converter - CodeCanyon
www.VCEplus.io
Amazon's Text-To-Speech AI Service Sounds More Natural And ... - Forbes
Working with AWS Amazon Polly Text-to-Speech (TTS) Service
[Automatic Speech Recognition - Amazon Transcribe - AWS]
[Amazon Rekognition -- Video and Image - AWS]
[Extract Text & Data - OCR - Amazon Textract - AWS]
QUESTION 472
A company wants to monitor its workload performance. The company wants to ensure that the cloud services are delivered at a level that meets its business needs.
Which AWS Cloud Adoption Framework (AWS CAF) perspective will meet these requirements?
A. Business
B. Governance
C. Platform
D. Operations
Correct Answer: D
Section:
Explanation:
The Operations perspective helps you monitor and manage your cloud workloads to ensure that they are delivered at a level that meets your business needs.Common stakeholders include chief operations officer
(COO), cloud director, cloud operations manager, and cloud operations engineers1.The Operations perspective covers capabilities such as workload health monitoring, incident management, change management,
release management, configuration management, and disaster recovery2.
The Business perspective helps ensure that your cloud investments accelerate your digital transformation ambitions and business outcomes. Common stakeholders include chief executive officer (CEO), chief
financial officer (CFO), chief information officer (CIO), and chief technology officer (CTO).The Business perspective covers capabilities such as business case development, value realization, portfolio management,

and stakeholder management3.
The Governance perspective helps you orchestrate your cloud initiatives while maximizing organizational benefits and minimizing transformation-related risks. Common stakeholders include chief transformation
officer, CIO, CTO, CFO, chief data officer (CDO), and chief risk officer (CRO).The Governance perspective covers capabilities such as governance framework, budget and cost management, compliance management,
and data governance4.
The Platform perspective helps you build an enterprise-grade, scalable, hybrid cloud platform, modernize existing workloads, and implement new cloud-native solutions. Common stakeholders include CTO,
technology leaders, architects, and engineers.The Platform perspective covers capabilities such as platform design and implementation, workload migration and modernization, cloud-native development, and
DevOps5.
AWS Cloud Adoption Framework: Operations Perspective
AWS Cloud Adoption Framework - Operations Perspective
AWS Cloud Adoption Framework: Business Perspective
AWS Cloud Adoption Framework: Governance Perspective
AWS Cloud Adoption Framework: Platform Perspective
QUESTION 473
A company needs an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities.
A. Amazon GuardDuty
B. Amazon Inspector
C. AWS Security Hub
D. AWS Shield
Correct Answer: B
Section:
Explanation:
The correct answer is B. Amazon Inspector.
www.VCEplus.io
Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. Amazon Inspector automatically
discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure12.
Amazon GuardDuty is a threat detection service that monitors your AWS accounts and workloads for malicious or unauthorized activity. Amazon GuardDuty does not scan for software vulnerabilities, but rather
analyzes AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs to detect threats such as compromised credentials, backdoors, or crypto mining3.
AWS Security Hub is a security and compliance service that aggregates and prioritizes security findings from multiple AWS services and partner solutions. AWS Security Hub does not scan for software
vulnerabilities, but rather provides a comprehensive view of your security posture across your AWS accounts4.
AWS Shield is a managed service that protects your web applications and network resources from distributed denial-of-service (DDoS) attacks. AWS Shield does not scan for software vulnerabilities, but rather
provides detection and mitigation of DDoS attacks at the network and application layers5.
1: Automated Software Vulnerability Management - Amazon Inspector - AWS 3: [Amazon GuardDuty -- Intelligent Threat Detection Made Easy] 2: AWS Re-Launches Amazon Inspector with New Architecture and
Features - InfoQ 4: [AWS Security Hub -- Unified Security and Compliance Center] 5: [AWS Shield -- Managed DDoS Protection]
QUESTION 474
A company is assessing its AWS Business Support plan to determine if the plan still meets the company's needs. The company is considering switching to AWS Enterprise Support.
Which additional benefit will the company receive with AWS Enterprise Support?
A. A full set of AWS Trusted Advisor checks

B. Phone, email, and chat access to cloud support engineers 24 hours a day, 7 days a week
C. A designated technical account manager (TAM) to assist in monitoring and optimization
D. A consultative review and architecture guidance for the company's applications
Correct Answer: C

Section:
Explanation:
The additional benefit that the company will receive with AWS Enterprise Support is C. A designated technical account manager (TAM) to assist in monitoring and optimization.
A TAM is a dedicated point of contact who works with the customer to understand their use cases, applications, and goals, and provides proactive guidance and best practices to help them optimize their AWS
environment. A TAM also helps the customer with case management, escalations, service updates, and feature requests12.
A full set of AWS Trusted Advisor checks is available for customers with Business, Enterprise On-Ramp, or Enterprise Support plans1. Phone, email, and chat access to cloud support engineers 24/7 is available for
customers with Business, Enterprise On-Ramp, or Enterprise Support plans1. A consultative review and architecture guidance for the company's applications is available for customers with Enterprise On-Ramp or
Enterprise Support plans1. Therefore, these benefits are not exclusive to AWS Enterprise Support.
1: AWS Support Plan Comparison | Developer, Business, Enterprise ...
QUESTION 475
A company wants a list of all users in its AWS account, the status of all of the users' access keys, and if multi-factor authentication (MFA) has been configured.
Which AWS service or feature will meet these requirements?

B. IAM Access Analyzer
C. IAM credential report
D. Amazon CloudWatch
Correct Answer: C
Section:
Explanation:
IAM credential report is a feature that allows you to generate and download a report that lists all IAM users in your AWS account and the status of their various credentials, including access keys and MFA
www.VCEplus.io
devices.You can use this report to audit the security status of your IAM users and ensure that they follow the best practices for using AWS1.
AWS Key Management Service (AWS KMS) is a service that allows you to create and manage encryption keys to protect your data.It does not provide information about IAM users or their credentials2.
IAM Access Analyzer is a feature that helps you identify the resources in your AWS account, such as S3 buckets or IAM roles, that are shared with an external entity.It does not provide information about IAM users
or their credentials3.
Amazon CloudWatch is a service that monitors and collects metrics, logs, and events from your AWS resources and applications.It does not provide information about IAM users or their credentials4.
Getting credential reports for your AWS account - AWS Identity and Access Management
AWS Key Management Service - Amazon Web Services
IAM Access Analyzer - AWS Identity and Access Management
Amazon CloudWatch - Amazon Web Services

Simulado CLF C02

Uploaded by

Copyright:

Available Formats

Simulado CLF C02

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

Simulado CLF C02

Uploaded by

Copyright:

Available Formats

Amazon.Premium.AWS Certified Cloud Practitioner (CLF-C02).

Exam Code: CLF-C02

Exam Name: AWS Certified Cloud Practitioner

IT Certification Exams - Questions & Answers | VCEplus.io

A. Network infrastructure and virtualization of infrastructure

A. AWS Trusted Advisor

IT Certification Exams - Questions & Answers | VCEplus.io

A. Amazon Elastic Block Store (Amazon EBS)

A. Amazon EC2 Auto Scaling for the EC2 instances

IT Certification Exams - Questions & Answers | VCEplus.io

A. one or more data centers in a single location.

IT Certification Exams - Questions & Answers | VCEplus.io

IT Certification Exams - Questions & Answers | VCEplus.io

A. Network Load Balancer

IT Certification Exams - Questions & Answers | VCEplus.io

A. AWS Device Farm

IT Certification Exams - Questions & Answers | VCEplus.io

A. Generate an 1AM user credentials report.

IT Certification Exams - Questions & Answers | VCEplus.io

A. Set up multi-factor authentication (MFA) for each Workspaces user account.

IT Certification Exams - Questions & Answers | VCEplus.io

A. AWS Identity and Access Management (1AM)

IT Certification Exams - Questions & Answers | VCEplus.io

A. EC2 includes operating system patch management

IT Certification Exams - Questions & Answers | VCEplus.io

A. AWS Partner Network (APN) support at no cost

IT Certification Exams - Questions & Answers | VCEplus.io

A. AWS Pricing Calculator

A. AWS Health Dashboard

A. AWS Auto Scaling

IT Certification Exams - Questions & Answers | VCEplus.io

A. AWS Pricing Calculator

IT Certification Exams - Questions & Answers | VCEplus.io

A. Deploy MySQL database server clusters on Amazon EC2 instances.

A. AWS Auto Scaling

IT Certification Exams - Questions & Answers | VCEplus.io

IT Certification Exams - Questions & Answers | VCEplus.io

A. AWS Certificate Manager (ACM)

A. The number of unused AWS Lambda functions

A. Perform operations as code.

IT Certification Exams - Questions & Answers | VCEplus.io

IT Certification Exams - Questions & Answers | VCEplus.io

A. The eight instances will be charged as regular instances.

A. Elimination of expenses for running and maintaining data centers

IT Certification Exams - Questions & Answers | VCEplus.io

A. Right-size services based on capacity requirements.

A. AWS Trusted Advisor

IT Certification Exams - Questions & Answers | VCEplus.io

A. The deletion of 1AM users

A. Payment flexibility by reserving storage capacity

IT Certification Exams - Questions & Answers | VCEplus.io

A. Scaling the web application and services developed with Docker

A. Think of servers as non-disposable resources.

IT Certification Exams - Questions & Answers | VCEplus.io

A. AWS Identity and Access Management (1AM)

A. AWS Free Tier

A. AWS Serverless Application Model framework

IT Certification Exams - Questions & Answers | VCEplus.io

A. Management of the guest operating systems

A. Troubleshoot the performance of applications.