CLF-C02

AWS Certified Cloud Practitioner

Version 5.0

Topic 1, Exam Pool A

QUESTION NO: 379

Which database engine is compatible with Amazon RDS?

A. Apache Cassandra

B. MongoDB

C. Neo4j

D. PostgreSQL

Answer: D

Amazon RDS supports six database engines: Amazon Aurora, MySQL, MariaDB, PostgreSQL, Oracle,
and SQL Server. Apache Cassandra, MongoDB, and Neo4j are not compatible with Amazon RDS.
Therefore, the correct answer is D. You can learn more about Amazon RDS and its supported
database engines from this page.

QUESTION NO: 380

A company needs to run code in response to an event notification that occurs when objects are
uploaded to an Amazon S3 bucket.

Which AWS service will integrate directly with the event notification?

A. AWS Lambda
B. Amazon EC2

C. Amazon Elastic Container Registry (Amazon ECR)

D. AWS Elastic Beanstalk

Answer: A

AWS Lambda is a service that lets you run code without provisioning or managing servers. You can
use Lambda to process event notifications from Amazon S3 when objects are uploaded or deleted.
Lambda integrates directly with the event notification and invokes your code automatically.
Therefore, the correct answer is A.

QUESTION NO: 381

A company wants to centrally manage security policies and billing services within a multi-account AWS
environment. Which AWS service should the company use to meet these requirements?

A. AWS Identity and Access Management (IAM)

B. AWS Organizations

C. AWS Resource Access Manager (AWS RAM)

D. AWS Config

Answer: B

AWS Organizations is a service that helps you centrally manage and govern your environment as
you grow and scale your AWS resources. You can use AWS Organizations to create groups of
accounts and apply policies to them. You can also use AWS Organizations to consolidate billing for
multiple accounts. Therefore, the correct answer is B. You can learn more about AWS Organizations
and its features from this page.

QUESTION NO: 382

What are the characteristics of Availability Zones? (Select TWO.)

A. All Availability Zones in an AWS Region are interconnected with high-bandwidth, low-latency
networking

B. Availability Zones are physically separated by a minimum of distance of 150 km (100 miles).

C. All traffic between Availability Zones is encrypted.

D. Availability Zones within an AWS Region share redundant power, networking, and connectivity.

E. Every Availability Zone contains a single data center.

Answer: A, D

Availability Zones are physically separate locations within an AWS Region that are engineered to be
isolated from failures. Each Availability Zone has independent power, cooling, and physical security,
and is connected to other Availability Zones in the same Region by a low-latency network. Therefore,
the correct answers are A and D. You can learn more about Availability Zones and their
characteristics from this page.

QUESTION NO: 384

Which AWS Well-Architected Framework concept represents a system's ability to remain functional when
the system encounters operational problems?
A. Consistency

B. Elasticity

C. Durability

D. Latency

Answer: B

The AWS Well-Architected Framework is a set of best practices and guidelines for designing and
operating systems in the cloud. The framework consists of five pillars: operational excellence,
security, reliability, performance efficiency, and cost optimization. The concept of elasticity
represents a system’s ability to adapt to changes in demand by scaling resources up or down
automatically. Therefore, the correct answer is B. You can learn more about the AWS Well-
Architected Framework and its pillars from this page.

QUESTION NO: 385

Which AWS service or tool does AWS Control Tower use to create resources?

A. AWS CloudFormation

B. AWS Trusted Advisor

C. AWS Directory Service

D. AWS Cost Explorer

Answer: A

AWS Control Tower uses AWS CloudFormation to create resources in your landing zone. AWS
CloudFormation is a service that helps you model and set up your AWS resources using templates.
AWS Control Tower supports creating AWS::ControlTower::EnabledControl resources in AWS
CloudFormation. Therefore, the correct answer is A. You can learn more about AWS Control Tower
and AWS CloudFormation from this page.
QUESTION NO: 386

What are some advantages of using Amazon EC2 instances lo host applications in the AWS Cloud instead
of on premises? (Select TWO.)

A. EC2 includes operating system patch management

B. EC2 integrates with Amazon VPC. AWS CloudTrail, and AWS Identity and Access Management (IAM)

C. EC2 has a 100% service level agreement (SLA).

D. EC2 has a flexible, pay-as-you-go pricing model.

E. EC2 has automatic storage cost optimization.

Answer: B, D

Some of the advantages of using Amazon EC2 instances to host applications in the AWS Cloud
instead of on premises are:
• EC2 integrates with Amazon VPC, AWS CloudTrail, and AWS Identity and Access
Management (IAM). Amazon VPC lets you provision a logically isolated section of the AWS
Cloud where you can launch AWS resources in a virtual network that you define. AWS
CloudTrail enables governance, compliance, operational auditing, and risk auditing of your
AWS account. AWS IAM enables you to manage access to AWS services and resources
securely. Therefore, the correct answer is B. You can learn more about Amazon EC2 and its
integration with other AWS services from this page.
• EC2 has a flexible, pay-as-you-go pricing model. You only pay for the compute capacity you
use, and you can scale up and down as needed. You can also choose from different pricing
options, such as On-Demand, Savings Plans, Reserved Instances, and Spot Instances, to
optimize your costs. Therefore, the correct answer is D. You can learn more about Amazon
EC2 pricing from this page.

The other options are incorrect because:

• EC2 does not include operating system patch management. You are responsible for
managing and maintaining your own operating systems on EC2 instances. You can use AWS
Systems Manager to automate common maintenance tasks, such as applying patches, or
use Amazon EC2 Image Builder to create and maintain secure images. Therefore, the
incorrect answer is A.
• EC2 does not have a 100% service level agreement (SLA). The EC2 SLA guarantees 99.99%
availability for each EC2 Region, not for each individual instance. Therefore, the incorrect
answer is C.
• EC2 does not have automatic storage cost optimization. You are responsible for choosing
the right storage option for your EC2 instances, such as Amazon Elastic Block Store (EBS) or
Amazon Elastic File System (EFS), and monitoring and optimizing your storage costs. You
can use AWS Cost Explorer or AWS Trusted Advisor to analyze and reduce your storage
spending. Therefore, the incorrect answer is E.

QUESTION NO: 387

Which option is an advantage of AWS Cloud computing that minimizes variable costs?
A. High availability

B. Economies of scale

C. Global reach

D. Agility

Answer: B

One of the advantages of AWS Cloud computing is that it minimizes variable costs by leveraging
economies of scale. This means that AWS can achieve lower costs per unit of computing resources
by spreading the fixed costs of building and maintaining data centers over a large number of
customers. As a result, AWS can offer lower and more predictable prices to its customers, who only
pay for the resources they consume. Therefore, the correct answer is B. You can learn more about
AWS pricing and economies of scale from this page.

QUESTION NO: 388

Which pillar of the AWS Well-Architected Framework focuses on the ability to run workloads effectively,
gain insight into operations, and continuously improve supporting processes and procedures?

A. Cost optimization

B. Reliability

C. Operational excellence

D. Performance efficiency

Answer: C

The AWS Well-Architected Framework is a set of best practices and guidelines for designing and
operating systems in the cloud. The framework consists of five pillars: operational excellence,
security, reliability, performance efficiency, and cost optimization. The operational excellence pillar
focuses on the ability to run workloads effectively, gain insight into operations, and continuously
improve supporting processes and procedures. Therefore, the correct answer is C. You can learn
more about the AWS Well-Architected Framework and its pillars from this page.

QUESTION NO: 389

Which benefit is included with an AWS Enterprise Support plan?

A. AWS Partner Network (APN) support at no cost

B. Designated support from an AWS technical account manager (TAM)

C. On-site support from AWS engineers

D. AWS managed compliance as code with AWS Config

Answer: B

AWS offers different support plans to meet the needs of different customers. The AWS Enterprise
Support plan is the highest level of support that provides customers with concierge-like service,
where the main focus is helping them achieve their outcomes and find success in the cloud. One of
the benefits of the AWS Enterprise Support plan is that customers get designated support from an
AWS technical account manager (TAM), who provides consultative architectural and operational
guidance based on their applications and use cases. Therefore, the correct answer is B. You can
learn more about AWS support plans and their benefits from this page.

QUESTION NO: 390

A company plans to migrate to AWS and wants to create cost estimates for its AWS use cases.

Which AWS service or tool can the company use to meet these requirements?

A. AWS Pricing Calculator

B. Amazon CloudWatch

C. AWS Cost Explorer

D. AWS Budgets

Answer: A

AWS Pricing Calculator is a web-based planning tool that customers can use to create estimates for
their AWS use cases. They can use it to model their solutions before building them, explore the AWS
service price points, and review the calculations behind their estimates. Therefore, the correct
answer is A. You can learn more about AWS Pricing Calculator and how it works from this page.

QUESTION NO: 391

A developer needs to build an application for a retail company. The application must provide real-time
product recommendations that are based on machine learning.

Which AWS service should the developer use to meet this requirement?

A. AWS Health Dashboard

B. Amazon Personalize

C. Amazon Forecast

D. Amazon Transcribe

Answer: B
 Amazon Personalize is a fully managed machine learning service that customers can use to
generate personalized recommendations for their users. It can also generate user segments based
on the users’ affinity for certain items or item metadata. Amazon Personalize uses the customers’
data to train and deploy custom recommendation models that can be integrated into their
applications. Therefore, the correct answer is B. You can learn more about Amazon Personalize and
its use cases from this page.

QUESTION NO: 392

A company deploys its application on Amazon EC2 instances. The application occasionally experiences
sudden increases in demand. The company wants to ensure that its application can respond to changes
in demand at the lowest possible cost.

Which AWS service or tool will meet these requirements?

A. AWS Auto Scaling

B. AWS Compute Optimizer

C. AWS Cost Explorer

D. AWS Well-Architected Framework

Answer: A

AWS Auto Scaling is the AWS service or tool that will meet the requirements of ensuring that the
application can respond to changes in demand at the lowest possible cost. AWS Auto Scaling allows
users to automatically adjust the number of Amazon EC2 instances based on the application’s
performance and availability needs. AWS Auto Scaling can also optimize costs by helping users
select the most cost-effective EC2 instances for their application1

QUESTION NO: 393

Which AWS service or tool provides recommendations to help users get rightsized Amazon EC2
instances based on historical workload usage data?

A. AWS Pricing Calculator

B. AWS Compute Optimizer

C. AWS App Runner

D. AWS Systems Manager

Answer: B

AWS Compute Optimizer is the AWS service or tool that provides recommendations to help users
get rightsized Amazon EC2 instances based on historical workload usage data. AWS Compute
Optimizer analyzes the configuration and performance characteristics of the EC2 instances and
delivers recommendations for optimal instance types, sizes, and configurations. AWS Compute
Optimizer helps users improve performance, reduce costs, and eliminate underutilized resources

QUESTION NO: 394

A company wants to use a managed service to simplify the setup, operation, and scaling of its MySQL
database in the AWS Cloud.

Which AWS service will meet these requirements?

A. Amazon EMR

B. Amazon RDS

C. Amazon Redshift

D. Amazon DynamoDB

Answer: B

Amazon RDS is the AWS service that will meet the requirements of using a managed service to
simplify the setup, operation, and scaling of a MySQL database in the AWS Cloud. Amazon RDS is a
relational database service that supports MySQL and other popular database engines. Amazon RDS
handles routine database tasks such as provisioning, patching, backup, recovery, and
scaling. Amazon RDS also offers high availability, security, and compatibility features 3

QUESTION NO: 395

A company deploys its application to multiple AWS Regions and configures automatic failover between
those Regions.

Which cloud concept does this architecture represent?

A. Security

B. Reliability

C. Scalability

D. Cost optimization

Answer: B

Reliability is the cloud concept that this architecture represents. Reliability is the ability of a system
to recover from infrastructure or service disruptions, dynamically acquire computing resources to
meet demand, and mitigate disruptions such as misconfigurations or transient network
issues. Deploying an application to multiple AWS Regions and configuring automatic failover
between those Regions enhances the reliability of the application by reducing the impact of regional
failures and increasing the availability of the application 4

QUESTION NO: 396

A company's IT team is managing MySQL database server clusters. The IT team has to patch the
database and take backup snapshots of the data in the clusters. The company wants to move this
workload to AWS so that these tasks will be completed automatically.

What should the company do to meet these requirements?

A. Deploy MySQL database server clusters on Amazon EC2 instances.

B. Use Amazon RDS with a MySQL database.

C. Use an AWS Cloud Form at ion template to deploy MySQL database servers on Amazon EC2 instances.

D. Migrate all the MySQL database data to Amazon S3.

Answer: B

The company should use Amazon RDS with a MySQL database to meet the requirements of moving
its workload to AWS so that the tasks of patching the database and taking backup snapshots of the
data in the clusters will be completed automatically. Amazon RDS is a managed service that
simplifies the setup, operation, and scaling of relational databases in the AWS Cloud. Amazon RDS
automates common database administration tasks such as patching, backup, and
recovery. Amazon RDS also supports MySQL and other popular database engines 5

QUESTION NO: 397

A company recently migrated to the AWS Cloud. The company needs to determine whether its newly
imported Amazon EC2 instances are the appropriate size and type.

Which AWS services can provide this information to the company? {Select TWO.)

A. AWS Auto Scaling

B. AWS Control Tower

C. AWS Trusted Advisor

D. AWS Compute Optimizer

E. Amazon Forecast

Answer: C, D

AWS Trusted Advisor and AWS Compute Optimizer are the AWS services that can provide
information to the company about whether its newly imported Amazon EC2 instances are the
appropriate size and type. AWS Trusted Advisor is an online tool that provides best practices
recommendations in five categories: cost optimization, performance, security, fault tolerance, and
service limits. AWS Trusted Advisor can help users identify underutilized or idle EC2 instances, and
suggest ways to reduce costs and improve performance. AWS Compute Optimizer is a service that
analyzes the configuration and utilization metrics of EC2 instances and delivers recommendations
for optimal instance types, sizes, and configurations. AWS Compute Optimizer helps users improve
performance, reduce costs, and eliminate underutilized resources

QUESTION NO: 398

A company has a social media platform in which users upload and share photos with other users. The
company wants to identify and remove inappropriate photos. The company has no machine learning
(ML) scientists and must build this detection capability with no ML expertise.

Which AWS service should the company use to build this capability?

A. Amazon SageMaker

B. Amazon Textract

C. Amazon Rekognition

D. Amazon Comprehend

Answer: C

Amazon Rekognition is the AWS service that the company should use to build the capability of
identifying and removing inappropriate photos. Amazon Rekognition is a service that uses deep
learning technology to analyze images and videos for various purposes, such as face detection,
object recognition, text extraction, and content moderation. Amazon Rekognition can help users
detect unsafe or inappropriate content in images and videos, such as nudity, violence, or drugs, and
provide confidence scores for each label. Amazon Rekognition does not require any machine
learning expertise, and users can easily integrate it with other AWS services

QUESTION NO: 399

A company's user base needs to remotely access virtual desktop computers from the internet Which
AWS service provides this functionality?

A. Amazon Connect

B. Amazon Cognito

C. Amazon Workspaces

D. Amazon Upstream 2.0

Answer: C
Amazon Workspaces is the AWS service that provides the functionality of remotely accessing virtual
desktop computers from the internet. Amazon Workspaces is a fully managed, secure desktop-as-a-
service (DaaS) solution that allows users to provision cloud-based virtual desktops and access them
from anywhere, using any supported device. Amazon Workspaces helps users reduce the complexity
and cost of managing and maintaining physical desktops, and provides a consistent and secure user
experience

QUESTION NO: 400

Amazon Elastic File System (Amazon EFS) and Amazon FSx offer which type of storage?

A. File storage

B. Object storage

C. Block storage

D. Instance store

Answer: A

Amazon Elastic File System (Amazon EFS) and Amazon FSx offer file storage. File storage is a type
of storage that organizes data into files and folders, and allows multiple users or applications to
access and share the same files over a network. Amazon EFS is a fully managed, scalable, and
elastic file system that supports the Network File System (NFS) protocol and can be used with
Amazon EC2 instances and AWS Lambda functions. Amazon FSx is a fully managed service that
provides two file system options: Amazon FSx for Windows File Server, which supports the Server
Message Block (SMB) protocol and is compatible with Microsoft Windows applications; and
Amazon FSx for Lustre, which is a high-performance file system that is optimized for compute-
intensive workloads

QUESTION NO: 401

Which AWS service or feature is used to Troubleshoot network connectivity issues between Amazon EC2
instances?

A. AWS Certificate Manager (ACM)

B. Internet gateway

C. VPC Flow Logs

D. AWS CloudHSM

Answer: C

VPC Flow Logs is the AWS service or feature that is used to troubleshoot network connectivity
issues between Amazon EC2 instances. VPC Flow Logs is a feature that enables users to capture
information about the IP traffic going to and from network interfaces in their VPC. VPC Flow Logs
can help users monitor and diagnose network-related issues, such as traffic not reaching an
instance, or an instance not responding to requests. VPC Flow Logs can be published to Amazon
CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose for analysis and storage.

QUESTION NO: 402

Which factors affect costs in the AWS Cloud? (Select TWO.)

A. The number of unused AWS Lambda functions

B. The number of configured Amazon S3 buckets

C. Inbound data transfers without acceleration

D. Outbound data transfers without acceleration

E. Compute resources that are currently in use

Answer: D, E

Outbound data transfers without acceleration and compute resources that are currently in use are
the factors that affect costs in the AWS Cloud. Outbound data transfers without acceleration refer to
the amount of data that is transferred from AWS to the internet, without using any service that can
optimize the speed and cost of the data transfer, such as AWS Global Accelerator or Amazon
CloudFront. Outbound data transfers are charged at different rates depending on the source and
destination AWS Regions, and the volume of data transferred. Compute resources that are currently
in use refer to the AWS services and resources that provide computing capacity, such as Amazon
EC2 instances, AWS Lambda functions, or Amazon ECS tasks. Compute resources are charged
based on the type, size, and configuration of the resources, and the duration and frequency of their
usage.

QUESTION NO: 403

Which design principles support the reliability pillar of the AWS Well-Architected Framework? (Select
TWO.)

A. Perform operations as code.

B. Enable traceability.

C. Automatically scale to meet demand.

D. Deploy resources globally to improve response time.

E. Automatically recover from failure.

Answer: C, E

The design principles that support the reliability pillar of the AWS Well-Architected Framework are:
automatically scale to meet demand, and automatically recover from failure. These principles help
users design systems that can handle changes in load, avoid disruptions, and resume normal
operations quickly. Automatically scaling to meet demand means adjusting the capacity of the
system based on the current and anticipated workload, using services such as AWS Auto Scaling,
Amazon EC2, and AWS Lambda. Automatically recovering from failure means detecting and
resolving issues, using services such as Amazon CloudWatch, AWS CloudFormation, and AWS
CloudTrail

QUESTION NO: 404

Which of the following are user authentication services managed by AWS? (Select TWO.)

A. Amazon Cognito

B. AWS Lambda

C. AWS License Manager

D. AWS Identity and Access Management (IAM)

E. AWS CodeStar

Answer: A, D

The user authentication services managed by AWS are: Amazon Cognito and AWS Identity and
Access Management (IAM). These services help users securely manage and control access to their
AWS resources and applications. Amazon Cognito is a service that provides user sign-up, sign-in,
and access control for web and mobile applications. Amazon Cognito supports various identity
providers, such as Facebook, Google, and Amazon, as well as custom user pools. AWS IAM is a
service that enables users to create and manage users, groups, roles, and permissions for AWS
services and resources. AWS IAM supports various authentication methods, such as passwords,
access keys, and multi-factor authentication (MFA)

QUESTION NO: 405

company wants to protect its AWS Cloud information, systems, and assets while performing risk
assessment and mitigation tasks.

Which pillar of the AWS Well-Architected Framework is supported by these goals?

A. Reliability

B. Security
C. Operational excellence

D. Performance efficiency

Answer: B

The pillar of the AWS Well-Architected Framework that is supported by the goals of protecting AWS
Cloud information, systems, and assets while performing risk assessment and mitigation tasks is
security. Security is the ability to protect information, systems, and assets while delivering business
value through risk assessments and mitigation strategies. The security pillar covers topics such as
identity and access management, data protection, infrastructure protection, detective controls,
incident response, and compliance

QUESTION NO: 406

A company is configuring its AWS Cloud environment. The company's administrators need to group
users together and apply permissions to the group.

Which AWS service or feature can the company use to meet these requirements?

A. AWS Organizations

B. Resource groups

C. Resource tagging

D. AWS Identity and Access Management (IAM)

Answer: D

The AWS service or feature that the company can use to group users together and apply
permissions to the group is AWS Identity and Access Management (IAM). AWS IAM is a service that
enables users to create and manage users, groups, roles, and permissions for AWS services and
resources. Users can use IAM groups to organize multiple users that have similar access
requirements, and attach policies to the groups that define the permissions for the users in the
group. This simplifies the management and administration of user access

QUESTION NO: 407

A company has two AWS accounts in an organization in AWS Organizations for consolidated billing. All of
the company's AWS resources are hosted in one AWS Region.

Account A has purchased five Amazon EC2 Standard Reserved Instances (RIs) and has four EC2 instances

running. Account B has not purchased any RIs and also has four EC2 instances running.

Which statement is true regarding pricing for these eight instances?

A. The eight instances will be charged as regular instances.

B. Four instances will be charged as RIs, and four will be charged as regular instances.

C. Five instances will be charged as RIs, and three will be charged as regular instances.

D. The eight instances will be charged as RIs.

Answer: B

The statement that is true regarding pricing for these eight instances is: four instances will be
charged as RIs, and four will be charged as regular instances. Amazon EC2 Reserved Instances (RIs)
are a pricing model that allows users to reserve EC2 instances for a specific term and benefit from
discounted hourly rates and capacity reservation. RIs are purchased for a specific AWS Region, and
can be shared across multiple accounts in an organization in AWS Organizations for consolidated
billing. However, RIs are applied on a first-come, first-served basis, and there is no guarantee that all
instances in the organization will be charged at the RI rate. In this case, Account A has purchased
five RIs and has four instances running, so all four instances will be charged at the RI rate. Account B
has not purchased any RIs and also has four instances running, so all four instances will be charged
at the regular rate. The remaining RI in Account A will not be applied to any instance in Account B,
and will be wasted.

QUESTION NO: 408

Which of the following is an advantage that users experience when they move on-premises workloads
to the AWS Cloud?

A. Elimination of expenses for running and maintaining data centers

B. Price discounts that are identical to discounts from hardware providers

C. Distribution of all operational controls to AWS

D. Elimination of operational expenses

Answer: A

The advantage that users experience when they move on-premises workloads to the AWS Cloud is:
elimination of expenses for running and maintaining data centers. By moving on-premises
workloads to the AWS Cloud, users can reduce or eliminate the costs associated with owning and
operating physical servers, storage, network equipment, and facilities. These costs include hardware
purchase, maintenance, repair, power, cooling, security, and staff. Users can also benefit from the
pay-as-you-go pricing model of AWS, which allows them to pay only for the resources they use, and
scale up or down as needed.

QUESTION NO: 409

Which of the following is a cost efficiency principle related to the AWS Cloud?

A. Right-size services based on capacity requirements.

B. Use the Billing Dashboard to access information about monthly bills.

C. Use AWS Organizations to combine the expenses of multiple accounts into a single bill.

D. Tag all AWS resources.

Answer: A

One of the cost efficiency principles related to the AWS Cloud is to right-size services based on
capacity requirements. This means choosing the most appropriate type and size of AWS resources
to meet the performance and scalability needs of the applications, while avoiding over-provisioning
or under-provisioning. By right-sizing services, users can optimize the costs and benefits of using
the AWS Cloud1

QUESTION NO: 410

A cloud engineer needs to download AWS security and compliance documents for an upcoming audit.

Which AWS service can provide the documents?

A. AWS Trusted Advisor

B. AWS Artifact

C. AWS Well-Architected Tool

D. AWS Systems Manager

Answer: B

AWS Artifact is the AWS service that can provide security and compliance documents for an
upcoming audit. AWS Artifact is a self-service portal that allows users to access and download AWS
compliance reports and agreements. These documents provide evidence of AWS’s compliance with
global, regional, and industry-specific security standards and regulations

QUESTION NO: 411

A company has been storing monthly reports in an Amazon S3 bucket. The company exports the report
data into comma-separated values (.csv) files. A developer wants to write a simple query that can read
all of these files and generate a summary report.

Which AWS service or feature should the developer use to meet these requirements with the LEAST
amount of operational overhead?

A. Amazon S3 Select

B. Amazon Athena

C. Amazon Redshift
D. Amazon EC2

Answer: B

Amazon Athena is the AWS service that the developer should use to write a simple query that can
read all of the .csv files stored in an Amazon S3 bucket and generate a summary report. Amazon
Athena is an interactive query service that allows users to analyze data in Amazon S3 using
standard SQL. Amazon Athena does not require any server setup or management, and users only
pay for the queries they run. Amazon Athena can handle various data formats, including .csv, and
can integrate with other AWS services such as Amazon QuickSight for data visualization

QUESTION NO: 412

Which task requires the use of AWS account root user credentials?

A. The deletion of IAM users

B. The change to a different AWS Support plan

C. The creation of an organization in AWS Organizations

D. The deletion of Amazon EC2 instances

Answer: C

The creation of an organization in AWS Organizations requires the use of AWS account root user
credentials. The AWS account root user is the email address that was used to create the AWS
account. The root user has complete access to all AWS services and resources in the account, and
can perform sensitive tasks such as changing the account settings, closing the account, or creating
an organization. The root user credentials should be used sparingly and securely, and only for tasks
that cannot be performed by IAM users or roles 4

QUESTION NO: 413

Which feature of the AWS Cloud gives users the ability to pay based on current needs rather than
forecasted needs?

A. AWS Budgets

B. Pay-as-you-go pricing

C. Volume discounts

D. Savings Plans

Answer: B

Pay-as-you-go pricing is the feature of the AWS Cloud that gives users the ability to pay based on
current needs rather than forecasted needs. Pay-as-you-go pricing means that users only pay for the
AWS services and resources they use, without any upfront or long-term commitments. This allows
users to scale up or down their usage depending on their changing business requirements, and
avoid paying for idle or unused capacity. Pay-as-you-go pricing also enables users to benefit from
the economies of scale and lower costs of AWS as they grow their business 5

QUESTION NO: 414

What does the Amazon S3 Intelligent-Tiering storage class offer?

A. Payment flexibility by reserving storage capacity

B. Long-term retention of data by copying the data to an encrypted Amazon Elastic Block Store (Amazon

EBS) volume

C. Automatic cost savings by moving objects between tiers based on access pattern changes

D. Secure, durable, and lowest cost storage for data archival

Answer: C

The Amazon S3 Intelligent-Tiering storage class offers automatic cost savings by moving objects
between tiers based on access pattern changes. This storage class is designed for data with
unknown or changing access patterns. It has two access tiers: frequent access and infrequent
access. Objects are stored in the frequent access tier by default, and are moved to the infrequent
access tier after 30 consecutive days of no access. If an object in the infrequent access tier is
accessed, it is moved back to the frequent access tier. There are no retrieval fees in S3 Intelligent-
Tiering, and no additional tiering fees when objects are moved between access tiers within the S3
Intelligent-Tiering storage class1.

QUESTION NO: 415

Which AWS service gives users the ability to provision a dedicated and private network connection from
their internal

network to AWS?

A. AWS CloudHSM

B. AWS Direct Connect

C. AWS VPN

D. Amazon Connect

Answer: B

AWS Direct Connect gives users the ability to provision a dedicated and private network connection
from their internal network to AWS. AWS Direct Connect links the user’s internal network to an AWS
Direct Connect location over a standard Ethernet fiber-optic cable. One end of the cable is connected
to the user’s router, the other to an AWS Direct Connect router. With this connection in place, the
user can create virtual interfaces directly to the AWS cloud and Amazon Virtual Private Cloud
(Amazon VPC), bypassing internet service providers in the network path 2.

QUESTION NO: 416

A company is hosting a web application in a Docker container on Amazon EC2.

AWS is responsible for which of the following tasks?

A. Scaling the web application and services developed with Docker

B. Provisioning or scheduling containers to run on clusters and maintain their availability

C. Performing hardware maintenance in the AWS facilities that run the AWS Cloud

D. Managing the guest operating system, including updates and security patches

Answer: C

AWS is responsible for performing hardware maintenance in the AWS facilities that run the AWS
Cloud. This is part of the shared responsibility model, where AWS is responsible for the security of
the cloud, and the customer is responsible for security in the cloud. AWS is also responsible for the
global infrastructure that runs all of the services offered in the AWS Cloud, including the hardware,
software, networking, and facilities that run AWS Cloud services 3. The customer is responsible for
the guest operating system, including updates and security patches, as well as the web application
and services developed with Docker4.

QUESTION NO: 417

Which design principle should be considered when architecting in the AWS Cloud?

A. Think of servers as non-disposable resources.

B. Use synchronous integration of services.

C. Design loosely coupled components.

D. Implement the least permissive rules for security groups.

Answer: C

Designing loosely coupled components is a design principle that should be considered when
architecting in the AWS Cloud. Loose coupling is a way of designing systems to reduce
interdependencies and minimize the impact of changes. Loose coupling allows components to
interact with each other through well-defined interfaces, rather than direct references. This reduces
the risk of failures and errors propagating across the system, and enables greater scalability,
availability, and maintainability5.
QUESTION NO: 418

Which AWS service or tool helps to centrally manage billing and allow controlled access to resources
across AWS accounts?

A. AWS Identity and Access Management (IAM)

B. AWS Organizations

C. AWS Cost Explorer

D. AWS Budgets

Answer: B

AWS Organizations helps to centrally manage billing and allow controlled access to resources
across AWS accounts. AWS Organizations is a service that enables the user to consolidate multiple
AWS accounts into an organization that can be managed as a single unit. AWS Organizations allows
the user to create groups of accounts and apply policies to them, such as service control policies
(SCPs) that specify the services and actions that users and roles can access in the accounts. AWS
Organizations also enables the user to use consolidated billing, which combines the usage and
charges from all the accounts in the organization into a single bill.

QUESTION NO: 419

Which AWS service or feature can be used to estimate costs before deployment?

A. AWS Free Tier

B. AWS Pricing Calculator

C. AWS Billing and Cost Management

D. AWS Cost and Usage Report

Answer: B

AWS Pricing Calculator can be used to estimate costs before deployment. AWS Pricing Calculator is
a tool that helps the user to compare the cost of AWS services for different use cases and
configurations. The user can create estimates for various AWS services, such as Amazon EC2,
Amazon S3, Amazon RDS, and more. The user can also adjust the parameters, such as region,
instance type, storage size, and duration, to see how they affect the cost. AWS Pricing Calculator
provides a detailed breakdown of the estimated cost, as well as a summary of the key drivers of the
cost.

QUESTION NO: 420

Which of the following promotes AWS Cloud architectural best practices for designing and operating
reliable, secure, efficient, and cost-effective systems?

A. AWS Serverless Application Model framework

B. AWS Business Support

C. Principle of least privilege

D. AWS Well-Architected Framework

Answer: D

AWS Well-Architected Framework promotes AWS Cloud architectural best practices for designing
and operating reliable, secure, efficient, and cost-effective systems. AWS Well-Architected
Framework is a set of guidelines and best practices that help the user to evaluate and improve the
architecture of their applications and workloads on AWS. AWS Well-Architected Framework consists
of five pillars: operational excellence, security, reliability, performance efficiency, and cost
optimization. Each pillar provides a set of design principles, questions, and best practices that help
the user to achieve the desired outcomes for their systems.

QUESTION NO: 421

Which task is a customer's responsibility, according to the AWS shared responsibility model?

A. Management of the guest operating systems

B. Maintenance of the configuration of infrastructure devices

C. Management of the host operating systems and virtualization

D. Maintenance of the software that powers Availability Zones

A company has refined its workload to use specific AWS services to improve efficiency and reduce cost.

Answer: A

Management of the guest operating systems is a customer’s responsibility, according to the AWS
shared responsibility model. The AWS shared responsibility model defines the different security and
compliance responsibilities of AWS and the customer. AWS is responsible for the security of the
cloud, which includes the physical infrastructure, hardware, software, and facilities that run the AWS
Cloud. The customer is responsible for security in the cloud, which includes the configuration and
management of the guest operating systems, applications, data, and network traffic protection

QUESTION NO: 422

Which best practice for cost governance does this example show?

A. Resource controls
B. Cost allocation

C. Architecture optimization

D. Tagging enforcement

Answer: C

Architecture optimization is the best practice for cost governance that this example shows.
Architecture optimization is the process of designing and implementing AWS solutions that are
efficient, scalable, and cost-effective. By using specific AWS services to improve efficiency and
reduce cost, the company is following the architecture optimization best practice. Some of the
techniques for architecture optimization include using the right size and type of resources,
leveraging elasticity and scalability, choosing the most suitable storage class, and using serverless
and managed services2.

QUESTION NO: 423

Which activity can companies complete by using AWS Organizations?

A. Troubleshoot the performance of applications.

B. Manage service control policies (SCPs).

C. Migrate applications to microservices.

D. Monitor the performance of applications.

Answer: B

Managing service control policies (SCPs) is an activity that companies can complete by using AWS
Organizations. AWS Organizations is a service that enables the user to consolidate multiple AWS
accounts into an organization that can be managed as a single unit. AWS Organizations allows the
user to create groups of accounts and apply policies to them, such as service control policies
(SCPs) that specify the services and actions that users and roles can access in the accounts. AWS
Organizations also enables the user to use consolidated billing, which combines the usage and
charges from all the accounts in the organization into a single bill 3.

QUESTION NO: 424

Which AWS service or feature is used to send both text and email messages from distributed
applications?

A. Amazon Simple Notification Service (Amazon SNS)

B. Amazon Simple Email Service (Amazon SES)

C. Amazon CloudWatch alerts

D. Amazon Simple Queue Service (Amazon SQS)

Answer: A

Amazon Simple Notification Service (Amazon SNS) is the AWS service or feature that is used to
send both text and email messages from distributed applications. Amazon SNS is a fully managed
pub/sub messaging service that enables the user to send messages to multiple subscribers or
endpoints, such as email addresses, phone numbers, HTTP endpoints, AWS Lambda functions, and
more. Amazon SNS can be used to send notifications, alerts, confirmations, and reminders from
applications to users or other applications4.

QUESTION NO: 425

Which of the following is a benefit of decoupling an AWS Cloud architecture?

A. Reduced latency

B. Ability to upgrade components independently

C. Decreased costs

D. Fewer components to manage

Answer: B

A benefit of decoupling an AWS Cloud architecture is the ability to upgrade components

independently. Decoupling is a way of designing systems to reduce interdependencies and minimize
the impact of changes. Decoupling allows components to interact with each other through well-
defined interfaces, rather than direct references. This reduces the risk of failures and errors
propagating across the system, and enables greater scalability, availability, and maintainability. By
decoupling an AWS Cloud architecture, the user can upgrade or modify one component without
affecting the other components5.

QUESTION NO: 426

Which of the following describes an AWS Region?

A. A specific location within a geographic area that provides high availability

B. A set of data centers spanning multiple countries

C. A global picture of a user's cloud computing environment

D. A collection of databases that can be accessed from a specific geographic area only

Answer: A

An AWS Region is a specific location within a geographic area that provides high availability. An
AWS Region consists of two or more Availability Zones, which are isolated locations within the same
Region. Each Availability Zone has independent power, cooling, and physical security, and is
connected to the other Availability Zones in the same Region by low-latency, high-throughput, and
highly redundant networking. AWS services are available in multiple Regions around the world,
allowing the user to choose where to run their applications and store their data 1.

QUESTION NO: 427

A retail company is building a new mobile app. The company is evaluating whether to build the app at
an on-premises data center or in the AWS Cloud.

responsibility model?

A. Amazon FSx for Windows File Server

B. Amazon Workspaces virtual Windows desktop

C. AWS Directory Service for Microsoft Active Directory

D. Amazon RDS for Microsoft SQL Server

Answer: C

AWS Directory Service for Microsoft Active Directory is the AWS service that provides a managed
Microsoft Active Directory in the AWS Cloud. It enables the user to use their existing Active Directory
users, groups, and policies to access AWS resources, such as Amazon EC2 instances, Amazon S3
buckets, and AWS Single Sign-On. It also integrates with other Microsoft applications and services,
such as Microsoft SQL Server, Microsoft Office 365, and Microsoft SharePoint

QUESTION NO: 428

Which AWS service should a cloud practitioner use to receive real-time guidance for provisioning
resources, based on AWS best practices related to security, cost optimization, and service limits?

A. AWS Trusted Advisor

B. AWS Config

C. AWS Security Hub

D. AWS Systems Manager

Answer: A

AWS Trusted Advisor is the AWS service that provides real-time guidance for provisioning resources,
based on AWS best practices related to security, cost optimization, and service limits. AWS Trusted
Advisor inspects the user’s AWS environment and provides recommendations for improving
performance, security, and reliability, reducing costs, and following best practices. AWS Trusted
Advisor also alerts the user when they are approaching or exceeding their service limits, and helps
them request limit increases3.

QUESTION NO: 429

Which of the following are advantages of moving to the AWS Cloud? (Select TWO.)

A. The ability to turn over the responsibility for all security to AWS.

B. The ability to use the pay-as-you-go model.

C. The ability to have full control over the physical infrastructure.

D. No longer having to guess what capacity will be required.

E. No longer worrying about users access controls.

Answer: B, D

The advantages of moving to the AWS Cloud are the ability to use the pay-as-you-go model and no
longer having to guess what capacity will be required. The pay-as-you-go model allows the user to
pay only for the resources they use, without any upfront or long-term commitments. This reduces
the cost and risk of over-provisioning or under-provisioning resources. No longer having to guess
what capacity will be required means that the user can scale their resources up or down according
to the demand, without wasting money on idle resources or losing customers due to insufficient
capacity4.

QUESTION NO: 430

A company is migrating a relational database server to the AWS Cloud. The company wants to minimize

administrative overhead of database maintenance tasks.

Which AWS service will meet these requirements?

A. Amazon DynamoDB

B. Amazon EC2

C. Amazon Redshift

D. Amazon RDS

Answer: D

Amazon RDS is the AWS service that will meet the requirements of migrating a relational database
server to the AWS Cloud and minimizing administrative overhead of database maintenance tasks.
Amazon RDS is a fully managed relational database service that handles routine database tasks,
such as provisioning, patching, backup, recovery, failure detection, and repair. Amazon RDS supports
several database engines, such as MySQL, PostgreSQL, Oracle, SQL Server, and Amazon Aurora 5.

QUESTION NO: 431

A company is reviewing its operating policies.

Which policy complies with guidance in the security pillar of the AWS Well-Architected Framework?

A. Ensure that employees have access to all company data.

B. Expand employees' permissions as they gain more experience.

C. Grant all privileges and access to all users.

D. Apply security requirements at all layers of a process.

Answer: D

Applying security requirements at all layers of a process is a policy that complies with guidance in
the security pillar of the AWS Well-Architected Framework. The security pillar of the AWS Well-
Architected Framework provides best practices for securing the user’s data and systems in the AWS
Cloud. One of the design principles of the security pillar is to apply security at all layers, which
means that the user should implement defense-in-depth strategies and avoid relying on a single
security mechanism. For example, the user should use multiple security controls, such as
encryption, firewalls, identity and access management, and logging and monitoring, to protect their
data and resources at different layers.

QUESTION NO: 432

Which task is the responsibility of a company that is using Amazon RDS?

A. Provision the underlying infrastructure.

B. Create IAM policies to control administrative access to the service.

C. Install the cables to connect the hardware for compute and storage.

D. Install and patch the RDS operating system.

Answer: B

The correct answer is B because AWS IAM policies can be used to control administrative access to
the Amazon RDS service. The other options are incorrect because they are the responsibilities of
AWS, not the company that is using Amazon RDS. AWS manages the provisioning, cabling,
installation, and patching of the underlying infrastructure for Amazon RDS. Reference: Amazon RDS
FAQs

QUESTION NO: 433

A company is designing an identity access management solution for an application. The company wants
users to be able to use their social media, email, or online shopping accounts to access the application.

Which AWS service provides this functionality?

A. AWS IAM Identity Center (AWS Single Sign-On)

B. AWS Config

C. Amazon Cognito

D. AWS Identity and Access Management (IAM)

Answer: C

The correct answer is C because Amazon Cognito provides identity federation and user
authentication for web and mobile applications. Amazon Cognito allows users to sign in with their
social media, email, or online shopping accounts. The other options are incorrect because they do
not provide identity federation or user authentication. AWS IAM Identity Center (AWS Single Sign-On)
is a service that enables users to access multiple AWS accounts and applications with a single sign-
on experience. AWS Config is a service that enables users to assess, audit, and evaluate the
configurations of their AWS resources. AWS Identity and Access Management (IAM) is a service
that enables users to manage access to AWS resources using users, groups, roles, and policies.
Reference: Amazon Cognito FAQs

QUESTION NO: 434

Which AWS service aggregates, organizes, and prioritizes security alerts and findings from multiple AWS
services?

A. Amazon Detective

B. Amazon Inspector

C. Amazon Macie

D. AWS Security Hub

Answer: D

The correct answer is D because AWS Security Hub is a service that aggregates, organizes, and
prioritizes security alerts and findings from multiple AWS services, such as Amazon GuardDuty,
Amazon Inspector, Amazon Macie, AWS Firewall Manager, and AWS IAM Access Analyzer. The other
options are incorrect because they are not services that aggregate security alerts and findings from
multiple AWS services. Amazon Detective is a service that helps users analyze and visualize security
data to investigate and remediate potential issues. Amazon Inspector is a service that helps users
find security vulnerabilities and deviations from best practices in their Amazon EC2 instances.
Amazon Macie is a service that helps users discover, classify, and protect sensitive data stored in
Amazon S3. Reference: AWS Security Hub FAQs

QUESTION NO: 435

Which of the following are advantages of the AWS Cloud? (Select TWO.)

A. Trade variable expenses for capital expenses

B. High economies of scale

C. Launch globally in minutes

D. Focus on managing hardware infrastructure

E. Overprovision to ensure capacity

Answer: B, C

The correct answers are B and C because they are advantages of the AWS Cloud. High economies of
scale means that AWS can achieve lower variable costs than customers can get on their own.
Launch globally in minutes means that AWS has a global infrastructure that allows customers to
deploy their applications and data across multiple regions and availability zones. The other options
are incorrect because they are not advantages of the AWS Cloud. Trade variable expenses for
capital expenses means that customers have to invest heavily in data centers and servers before
they know how they will use them. Focus on managing hardware infrastructure means that
customers have to spend time and money on maintaining and upgrading their physical resources.
Overprovision to ensure capacity means that customers have to pay for more resources than they
actually need to avoid performance issues. Reference: What is Cloud Computing?

QUESTION NO: 436

Which AWS service is a key-value database that provides sub-millisecond latency on a large scale?

A. Amazon DynamoDB

B. Amazon Aurora

C. Amazon DocumentDB (with MongoDB compatibility)

D. Amazon Neptune

Answer: A

The correct answer is A because Amazon DynamoDB is a key-value database that provides sub-
millisecond latency on a large scale. Amazon DynamoDB is a fully managed, serverless, and scalable
NoSQL database service that supports both key-value and document data models. The other options
are incorrect because they are not key-value databases. Amazon Aurora is a relational database that
is compatible with MySQL and PostgreSQL. Amazon DocumentDB (with MongoDB compatibility) is a
document database that is compatible with MongoDB. Amazon Neptune is a graph database that
supports property graph and RDF models. Reference: Amazon DynamoDB FAQs

QUESTION NO: 437

Which AWS service or tool provides users with the ability to monitor AWS service quotas?

A. AWS CloudTrail

B. AWS Cost and Usage Reports

C. AWS Trusted Advisor

D. AWS Budgets

Answer: C

The correct answer is C because AWS Trusted Advisor is an AWS service or tool that provides users
with the ability to monitor AWS service quotas. AWS Trusted Advisor is an online tool that provides
users with real-time guidance to help them provision their resources following AWS best practices.
One of the categories of checks that AWS Trusted Advisor performs is service limits, which monitors
the usage of each AWS service and alerts users when they are close to reaching the default limit.
The other options are incorrect because they are not AWS services or tools that provide users with
the ability to monitor AWS service quotas. AWS CloudTrail is a service that enables users to track
user activity and API usage across their AWS account. AWS Cost and Usage Reports is a tool that
enables users to access comprehensive information about their AWS costs and usage. AWS
Budgets is a tool that enables users to plan their service usage, costs, and reservations. Reference:
[AWS Trusted Advisor FAQs]

QUESTION NO: 438

Which of the following is an advantage of AWS Cloud computing?

A. Trade security for elasticity.

B. Trade operational excellence for agility.

C. Trade fixed expenses for variable expenses.

D. Trade elasticity for performance.

Answer: C

The correct answer is C because AWS Cloud computing allows customers to trade fixed expenses
for variable expenses. This means that customers only pay for the resources they use, and can scale
up or down as needed. The other options are incorrect because they are not advantages of AWS
Cloud computing. Trade security for elasticity means that customers have to compromise on the
protection of their data and applications in order to adjust their capacity quickly. Trade operational
excellence for agility means that customers have to sacrifice the quality and reliability of their
operations in order to respond to changing needs faster. Trade elasticity for performance means
that customers have to limit their ability to scale up or down in order to achieve higher speed and
efficiency. Reference: What is Cloud Computing?

QUESTION NO: 439

A company is running applications on Amazon EC2 instances in the same AWS account for several
different projects. The company wants to track the infrastructure costs for each of the projects
separately. The company must conduct this tracking with the least possible impact to the existing
infrastructure and with no additional cost.

What should the company do to meet these requirements?

A. Use a different EC2 instance type for each project.

B. Publish project-specific custom Amazon CloudWatch metrics for each application.

C. Deploy EC2 instances for each project in a separate AWS account.

D. Use cost allocation tags with values that are specific to each project.

Answer: D

The correct answer is D because cost allocation tags are a way to track the infrastructure costs for
each of the projects separately. Cost allocation tags are key-value pairs that can be attached to AWS
resources, such as EC2 instances, and used to categorize and group them for billing purposes. The
other options are incorrect because they do not meet the requirements of the question. Use a
different EC2 instance type for each project does not help to track the costs for each project, and
may impact the performance and compatibility of the applications. Publish project-specific custom
Amazon CloudWatch metrics for each application does not help to track the costs for each project,
and may incur additional charges for using CloudWatch. Deploy EC2 instances for each project in a
separate AWS account does help to track the costs for each project, but it impacts the existing
infrastructure and incurs additional charges for using multiple accounts. Reference: Using Cost
Allocation Tags

QUESTION NO: 440

A company has an online shopping website and wants to store customers' credit card data. The
company must meet Payment Card Industry (PCI) standards.

Which service can the company use to access AWS compliance documentation?

A. Amazon Cloud Directory

B. AWS Artifact

C. AWS Trusted Advisor

D. Amazon Inspector

Answer: B

The correct answer is B because AWS Artifact is a service that provides access to AWS compliance
documentation, such as audit reports, security certifications, and agreements. AWS Artifact allows
customers to download, review, and accept the documents that are relevant to their use of AWS
services. The other options are incorrect because they are not services that provide access to AWS
compliance documentation. Amazon Cloud Directory is a service that enables customers to create
flexible cloud-native directories for organizing hierarchies of data. AWS Trusted Advisor is a service
that provides real-time guidance to help customers follow AWS best practices for security,
performance, cost optimization, and fault tolerance. Amazon Inspector is a service that helps
customers find security vulnerabilities and deviations from best practices in their Amazon EC2
instances. Reference: [AWS Artifact FAQs]

QUESTION NO: 441

Which of the following are components of an AWS Site-to-Site VPN connection? (Select TWO.)

A. AWS Storage Gateway

B. Virtual private gateway

C. NAT gateway

D. Customer gateway

E. Internet gateway

Answer: B, D

The correct answers are B and D because a virtual private gateway and a customer gateway are
components of an AWS Site-to-Site VPN connection. A virtual private gateway is the AWS side of the
VPN connection that attaches to the customer’s VPC. A customer gateway is the customer side of
the VPN connection that resides in the customer’s network. The other options are incorrect because
they are not components of an AWS Site-to-Site VPN connection. AWS Storage Gateway is a service
that connects on-premises software applications with cloud-based storage. NAT gateway is a
service that enables instances in a private subnet to connect to the internet or other AWS services,
but prevents the internet from initiating a connection with those instances. Internet gateway is a
service that enables communication between instances in a VPC and the internet. Reference: [What
is AWS Site-to-Site VPN?]

QUESTION NO: 442

A company runs thousands of simultaneous simulations using AWS Batch. Each simulation is stateless, is
fault tolerant, and runs for up to 3 hours.

Which pricing model enables the company to optimize costs and meet these requirements?
A. Reserved Instances

B. Spot Instances

C. On-Demand Instances

D. Dedicated Instances

Answer: B

The correct answer is B because Spot Instances enable the company to optimize costs and meet the
requirements. Spot Instances are spare EC2 instances that are available at up to 90% discount
compared to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible
applications that can run for any duration. The other options are incorrect because they do not
enable the company to optimize costs and meet the requirements. Reserved Instances are EC2
instances that are reserved for a specific period of time (one or three years) in exchange for a lower
hourly rate. Reserved Instances are suitable for steady-state or predictable workloads that run for a
long duration. On-Demand Instances are EC2 instances that are launched and billed at a fixed hourly
rate. On-Demand Instances are suitable for short-term, irregular, or unpredictable workloads that
cannot be interrupted. Dedicated Instances are EC2 instances that run on hardware that is dedicated
to a single customer. Dedicated Instances are suitable for workloads that require regulatory
compliance or data isolation. Reference: [Amazon EC2 Instance Purchasing Options]

QUESTION NO: 443

A company has an application with robust hardware requirements. The application must be accessed by
students who are using lightweight, low-cost laptops.

Which AWS service will help the company deploy the application without investing in backend
infrastructure or high end client hardware?

A. Amazon AppStream 2.0

B. AWS AppSync

C. Amazon WorkLink

D. AWS Elastic Beanstalk

Answer: A

The correct answer is A because Amazon AppStream 2.0 is a service that will help the company
deploy the application without investing in backend infrastructure or high end client hardware.
Amazon AppStream 2.0 is a fully managed, secure application streaming service that allows
customers to stream desktop applications from AWS to any device running a web browser. Amazon
AppStream 2.0 handles the provisioning, scaling, patching, and maintenance of the backend
infrastructure, and delivers high performance and responsive user experience. The other options are
incorrect because they are not services that will help the company deploy the application without
investing in backend infrastructure or high end client hardware. AWS AppSync is a service that
enables customers to create flexible APIs for synchronizing data across multiple data sources.
Amazon WorkLink is a service that enables customers to provide secure, one-click access to internal
websites and web apps from mobile devices. AWS Elastic Beanstalk is a service that enables
customers to deploy and manage web applications using popular platforms such as Java, .NET,
PHP, and Node.js. Reference: [Amazon AppStream 2.0 FAQs]

QUESTION NO: 444

Which AWS service will help a company identify the user who deleted an Amazon EC2 instance
yesterday?

A. Amazon CloudWatch

B. AWS Trusted Advisor

C. AWS CloudTrail

D. Amazon Inspector

Answer: C

The correct answer is C because AWS CloudTrail is a service that will help a company identify the
user who deleted an Amazon EC2 instance yesterday. AWS CloudTrail is a service that enables users
to track user activity and API usage across their AWS account. AWS CloudTrail records the details of
every API call made to AWS services, such as the identity of the caller, the time of the call, the source
IP address of the caller, the parameters and responses of the call, and more. Users can use AWS
CloudTrail to audit, monitor, and troubleshoot their AWS resources and actions. The other options
are incorrect because they are not services that will help a company identify the user who deleted an
Amazon EC2 instance yesterday. Amazon CloudWatch is a service that enables users to collect,
analyze, and visualize metrics, logs, and events from their AWS resources and applications. AWS
Trusted Advisor is a service that provides real-time guidance to help users follow AWS best
practices for security, performance, cost optimization, and fault tolerance. Amazon Inspector is a
service that helps users find security vulnerabilities and deviations from best practices in their
Amazon EC2 instances. Reference: AWS CloudTrail FAQs

QUESTION NO: 445

Which AWS database service provides in-memory data storage?

A. Amazon DynamoDB

B. Amazon ElastiCache

C. Amazon RDS

D. Amazon Timestream
Answer: B

The correct answer is B because Amazon ElastiCache is a service that provides in-memory data
storage. Amazon ElastiCache is a fully managed, scalable, and high-performance service that
supports two popular open-source in-memory engines: Redis and Memcached. Amazon ElastiCache
allows users to store and retrieve data from fast, low-latency, and high-throughput in-memory
systems. Users can use Amazon ElastiCache to improve the performance of their applications by
caching frequently accessed data, reducing database load, and enabling real-time data processing.
The other options are incorrect because they are not services that provide in-memory data storage.
Amazon DynamoDB is a service that provides key-value and document data storage. Amazon RDS is
a service that provides relational data storage. Amazon Timestream is a service that provides time
series data storage. Reference: Amazon ElastiCache FAQs

QUESTION NO: 446

A company is using a third-party service to back up 10 TB of data to a tape library. The on-premises
backup server is running out of space. The company wants to use AWS services for the backups without
changing its existing

backup workflows.

Which AWS service should the company use to meet these requirements?

A. Amazon Elastic Block Store (Amazon EBS)

B. AWS Storage Gateway

C. Amazon Elastic Container Service (Amazon ECS)

D. AWS Lambda

Answer: B

The correct answer is B because AWS Storage Gateway is a service that should be used by the
company to meet the requirements. AWS Storage Gateway is a service that connects on-premises
software applications with cloud-based storage. AWS Storage Gateway supports three types of
gateways: file gateway, volume gateway, and tape gateway. The tape gateway type enables users to
back up and archive data to virtual tapes in AWS without changing their existing backup workflows.
Users can use their existing backup applications and tape libraries to store data on virtual tapes in
Amazon S3 or Amazon S3 Glacier. The other options are incorrect because they are not services that
should be used by the company to meet the requirements. Amazon Elastic Block Store (Amazon
EBS) is a service that provides block-level storage volumes for Amazon EC2 instances. Amazon
Elastic Container Service (Amazon ECS) is a service that enables users to run, scale, and secure
containerized applications on AWS. AWS Lambda is a service that enables users to run code without
provisioning or managing servers. Reference: AWS Storage Gateway FAQs

QUESTION NO: 447

Which AWS Support plan provides customers with access to an AWS technical account manager (TAM)?

A. AWS Basic Support

B. AWS Developer Support

C. AWS Business Support

D. AWS Enterprise Support

Answer: D

The correct answer is D because AWS Enterprise Support is the support plan that provides
customers with access to an AWS technical account manager (TAM). AWS Enterprise Support is the
highest level of support plan offered by AWS, and it provides customers with the most
comprehensive and personalized support experience. An AWS TAM is a dedicated technical
resource who works closely with customers to understand their business and technical needs,
provide proactive guidance, and coordinate support across AWS teams. The other options are
incorrect because they are not support plans that provide customers with access to an AWS TAM.
AWS Basic Support is the default and free support plan that provides customers with access to
online documentation, forums, and account information. AWS Developer Support is the lowest level
of paid support plan that provides customers with access to technical support during business
hours, general guidance, and best practice recommendations. AWS Business Support is the
intermediate level of paid support plan that provides customers with access to technical support
24/7, system health checks, architectural guidance, and case management. Reference: AWS Support
Plans

QUESTION NO: 448

A company is designing a web application that will run on Amazon EC2 instances.

Which AWS services and features will improve availability and reduce the impact of failures for this
application?

(Select TWO.)

A. Amazon EC2 Auto Scaling for the EC2 instances

B. VPC subnet ACLs to check the health of a service

C. Resources that are distributed across multiple Availability Zones

D. Configuration of AWS Server Migration Service (AWS SMS) to move the EC2 instances to a different

AWS Region

E. Resources that are distributed across multiple AWS points of presence

Answer: A, C

The correct answers are A and C because Amazon EC2 Auto Scaling and resources that are
distributed across multiple Availability Zones are AWS services and features that will improve
availability and reduce the impact of failures for the web application. Amazon EC2 Auto Scaling is a
service that enables users to automatically adjust the number of Amazon EC2 instances in response
to changes in demand or performance. Amazon EC2 Auto Scaling helps users to maintain optimal
availability and performance of their applications by adding or removing instances as needed.
Resources that are distributed across multiple Availability Zones are AWS features that enable users
to increase the fault tolerance and resilience of their applications. Availability Zones are isolated
locations within an AWS Region that have independent power, cooling, and networking. Users can
launch their resources, such as Amazon EC2 instances, in multiple Availability Zones to protect their
applications from the failure of a single location. The other options are incorrect because they are
not AWS services and features that will improve availability and reduce the impact of failures for the
web application. VPC subnet ACLs are AWS features that enable users to control the inbound and
outbound traffic to and from their subnets within a VPC. VPC subnet ACLs do not check the health
of a service, but rather filter the network traffic based on rules. Configuration of AWS Server
Migration Service (AWS SMS) is an AWS service that enables users to migrate their on-premises
servers to AWS. Configuration of AWS SMS does not help to move the Amazon EC2 instances to a
different AWS Region, but rather to migrate the servers from the source environment to AWS.
Resources that are distributed across multiple AWS points of presence are AWS features that enable
users to deliver content to their end users with low latency and high performance. AWS points of
presence are edge locations that are part of the AWS Global Infrastructure. Users can use services
such as Amazon CloudFront and AWS Global Accelerator to distribute their content across multiple
AWS points of presence. Reference: Amazon EC2 Auto Scaling, [Regions, Availability Zones, and
Local Zones]

QUESTION NO: 449

An Availability Zone consists of:

A. one or more data centers in a single location.

B. two or more data centers in multiple locations.

C. one or more physical hosts in a single data center.

D. two or more physical hosts in multiple data centers.

Answer: A

The correct answer is A because an Availability Zone consists of one or more data centers in a
single location. An Availability Zone is an isolated location within an AWS Region that has
independent power, cooling, and networking. Each Availability Zone has one or more data centers
that host the physical servers and storage devices that run the AWS services. The other options are
incorrect because they are not accurate descriptions of an Availability Zone. Two or more data
centers in multiple locations are not an Availability Zone, but rather multiple Availability Zones within
an AWS Region. One or more physical hosts in a single data center are not an Availability Zone, but
rather the components of a data center within an Availability Zone. Two or more physical hosts in
multiple data centers are not an Availability Zone, but rather the components of multiple data
centers within one or more Availability Zones. Reference: [Regions, Availability Zones, and Local
Zones]

QUESTION NO: 450

A company wants to ensure that two Amazon EC2 instances are in separate data centers with minimal

communication latency between the data centers.

How can the company meet this requirement?

A. Place the EC2 instances in two separate AWS Regions connected with a VPC peering connection.

B. Place the EC2 instances in two separate Availability Zones within the same AWS Region.

C. Place one EC2 instance on premises and the other in an AWS Region. Then connect them by using an

AWS VPN connection.

D. Place both EC2 instances in a placement group for dedicated bandwidth.

Answer: B

The correct answer is B because placing the EC2 instances in two separate Availability Zones within
the same AWS Region is the best way to meet the requirement. Availability Zones are isolated
locations within an AWS Region that have independent power, cooling, and networking. Users can
launch their resources, such as Amazon EC2 instances, in multiple Availability Zones to increase the
fault tolerance and resilience of their applications. Availability Zones within the same AWS Region
are connected with low-latency, high-throughput, and highly redundant networking. The other options
are incorrect because they are not the best ways to meet the requirement. Placing the EC2 instances
in two separate AWS Regions connected with a VPC peering connection is not the best way to meet
the requirement because AWS Regions are geographically dispersed and may have higher
communication latency between them than Availability Zones within the same AWS Region. VPC
peering connection is a networking connection between two VPCs that enables users to route traffic
between them using private IP addresses. Placing one EC2 instance on premises and the other in an
AWS Region, and then connecting them by using an AWS VPN connection is not the best way to
meet the requirement because on-premises and AWS Region are geographically dispersed and may
have higher communication latency between them than Availability Zones within the same AWS
Region. AWS VPN connection is a secure and encrypted connection between a user’s network and
their VPC. Placing both EC2 instances in a placement group for dedicated bandwidth is not the best
way to meet the requirement because a placement group is a logical grouping of instances within a
single Availability Zone that enables users to launch instances with specific performance
characteristics. A placement group does not ensure that the instances are in separate data centers,
and it does not provide low-latency communication between instances in different Availability
Zones. Reference: [Regions, Availability Zones, and Local Zones], [VPC Peering], [AWS VPN],
[Placement Groups]

QUESTION NO: 451

Which of the following acts as an instance-level firewall to control inbound and outbound access?

A. Network access control list

B. Security groups

C. AWS Trusted Advisor

D. Virtual private gateways

Answer: B

The correct answer is B because security groups are AWS features that act as instance-level
firewalls to control inbound and outbound access. Security groups are virtual firewalls that can be
attached to one or more Amazon EC2 instances. Users can configure rules for security groups to
allow or deny traffic based on protocols, ports, and source or destination IP addresses. The other
options are incorrect because they are not AWS features that act as instance-level firewalls to
control inbound and outbound access. Network access control list is an AWS feature that acts as a
subnet-level firewall to control inbound and outbound access. AWS Trusted Advisor is an AWS
service that provides real-time guidance to help users follow AWS best practices for security,
performance, cost optimization, and fault tolerance. Virtual private gateways are AWS features that
enable users to create a secure and encrypted connection between their VPC and their on-premises
network. Reference: Security Groups for Your VPC

QUESTION NO: 452

A company has an application that uses AWS services. During scaling events, the company wants to keep

application usage within AWS service quotas.

Which AWS services or tools can report on the quotas so that the company can improve the reliability of
the application? (Select TWO.)

A. Service Quotas console

B. AWS Trusted Advisor

C. AWS Systems Manager

D. AWS Shield

E. AWS Cost Explorer

Answer: A, B
The correct answers are A and B because Service Quotas console and AWS Trusted Advisor are
AWS services or tools that can report on the quotas so that the company can improve the reliability
of the application. Service Quotas console is an AWS tool that enables users to view and manage
their quotas for AWS services from a central location. Users can use Service Quotas console to
request quota increases, track quota usage, and set up alarms for approaching quota limits. AWS
Trusted Advisor is an AWS service that provides real-time guidance to help users follow AWS best
practices for security, performance, cost optimization, and fault tolerance. One of the categories of
checks that AWS Trusted Advisor performs is service limits, which monitors the usage of each AWS
service and alerts users when they are close to reaching the default limit. The other options are
incorrect because they are not AWS services or tools that can report on the quotas so that the
company can improve the reliability of the application. AWS Systems Manager is an AWS service
that enables users to automate operational tasks, manage configuration and compliance, and
monitor system health and performance. AWS Shield is an AWS service that protects users from
distributed denial of service (DDoS) attacks. AWS Cost Explorer is an AWS tool that enables users to
visualize, understand, and manage their AWS costs and usage. Reference: Service Quotas, AWS
Trusted Advisor FAQs

QUESTION NO: 453

Which of the following are AWS Cloud design principles? (Select TWO.)

A. Pay for compute resources in advance.

B. Make data-driven decisions to determine cloud architectural design.

C. Emphasize manual processes to allow for changes.

D. Test systems at production scale.

E. Refine operational procedures infrequently.

Answer: B, D

The correct answers are B and D because making data-driven decisions to determine cloud
architectural design and testing systems at production scale are AWS Cloud design principles.
Making data-driven decisions to determine cloud architectural design means that users should
collect and analyze data from their AWS resources and applications to optimize their performance,
availability, security, and cost. Testing systems at production scale means that users should
simulate real-world scenarios and load conditions to validate the functionality, reliability, and
scalability of their systems. The other options are incorrect because they are not AWS Cloud design
principles. Paying for compute resources in advance means that users have to invest heavily in data
centers and servers before they know how they will use them. This is not a cloud design principle,
but rather a traditional IT model. Emphasizing manual processes to allow for changes means that
users have to rely on human intervention and coordination to perform operational tasks and
updates. This is not a cloud design principle, but rather a source of inefficiency and error. Refining
operational procedures infrequently means that users have to stick to the same methods and
practices without adapting to the changing needs and feedback. This is not a cloud design principle,
but rather a hindrance to innovation and improvement. Reference: AWS Well-Architected Framework

QUESTION NO: 454

A company needs to migrate all of its development teams to a cloud-based integrated development
environment (IDE).

Which AWS service should the company use?

A. AWS CodeBuild

B. AWS Cloud9

C. AWS OpsWorks

D. AWS Cloud Development Kit (AWS CDK)

Answer: B

The correct answer is B because AWS Cloud9 is an AWS service that enables users to run their
existing custom, nonproduction workloads in the AWS Cloud quickly and cost-effectively. AWS
Cloud9 is a cloud-based integrated development environment (IDE) that allows users to write, run,
and debug code from a web browser. AWS Cloud9 supports multiple programming languages, such
as Python, Java, Node.js, and more. AWS Cloud9 also provides users with a terminal that can access
AWS services and resources, such as Amazon EC2 instances, AWS Lambda functions, and AWS
CloudFormation stacks. The other options are incorrect because they are not AWS services that
enable users to run their existing custom, nonproduction workloads in the AWS Cloud quickly and
cost-effectively. AWS CodeBuild is an AWS service that enables users to compile, test, and package
their code for deployment. AWS OpsWorks is an AWS service that enables users to configure and
manage their applications using Chef or Puppet. AWS Cloud Development Kit (AWS CDK) is an AWS
service that enables users to define and provision their cloud infrastructure using familiar
programming languages, such as TypeScript, Python, Java, and C#. Reference: AWS Cloud9 FAQs

QUESTION NO: 455

A company needs to run its existing custom, nonproduction workloads in the AWS Cloud quickly and
cost-effectively.

The workloads can recover from interruptions easily.

Which pricing model should the company use?

A. Reserved Instances

B. On-Demand Instances

C. Spot Instances
D. Dedicated Hosts

Answer: C

The correct answer is C because Spot Instances are the pricing model that enables the company to
run its existing custom, nonproduction workloads in the AWS Cloud quickly and cost-effectively.
Spot Instances are spare Amazon EC2 instances that are available at up to 90% discount compared
to On-Demand prices. Spot Instances are suitable for stateless, fault-tolerant, and flexible workloads
that can recover from interruptions easily. The other options are incorrect because they are not the
pricing model that enables the company to run its existing custom, nonproduction workloads in the
AWS Cloud quickly and cost-effectively. Reserved Instances are Amazon EC2 instances that are
reserved for a specific period of time (one or three years) in exchange for a lower hourly rate.
Reserved Instances are suitable for steady-state or predictable workloads that run for a long
duration. On-Demand Instances are Amazon EC2 instances that are launched and billed at a fixed
hourly rate. On-Demand Instances are suitable for short-term, irregular, or unpredictable workloads
that cannot be interrupted. Dedicated Hosts are physical servers that are dedicated to a single
customer. Dedicated Hosts are suitable for workloads that require regulatory compliance or data
isolation. Reference: Amazon EC2 Instance Purchasing Options

QUESTION NO: 456

According to the AWS shared responsibility model, which of the following are AWS responsibilities?
(Select TWO.)

A. Network infrastructure and virtualization of infrastructure

B. Security of application data

C. Guest operating systems

D. Physical security of hardware

E. Credentials and policies

Answer: A, D

The correct answers are A and D because network infrastructure and virtualization of infrastructure
and physical security of hardware are AWS responsibilities according to the AWS shared
responsibility model. The AWS shared responsibility model is a framework that defines the division
of responsibilities between AWS and the customer for security and compliance. AWS is responsible
for the security of the cloud, which includes the global infrastructure, such as the regions, availability
zones, and edge locations; the hardware, software, networking, and facilities that run the AWS
services; and the virtualization layer that separates the customer instances and storage. The
customer is responsible for the security in the cloud, which includes the customer data, the guest
operating systems, the applications, the identity and access management, the firewall configuration,
and the encryption. The other options are incorrect because they are not AWS responsibilities
according to the AWS shared responsibility model. Security of application data, guest operating
systems, and credentials and policies are customer responsibilities according to the AWS shared
responsibility model. Reference: [AWS Shared Responsibility Model]

QUESTION NO: 457

Which options does AWS make available for customers who want to learn about security in the cloud in
an instructor-led setting? (Select TWO.)

A. AWS Trusted Advisor

B. AWS Online Tech Talks

C. AWS Blog

D. AWS Forums

E. AWS Classroom Training

Answer: B, E

The correct answers are B and E because AWS Online Tech Talks and AWS Classroom Training are
options that AWS makes available for customers who want to learn about security in the cloud in an
instructor-led setting. AWS Online Tech Talks are live, online presentations that cover a broad range
of topics at varying technical levels. AWS Online Tech Talks are delivered by AWS experts and
feature live Q&A sessions with the audience. AWS Classroom Training are in-person or virtual
courses that are led by accredited AWS instructors. AWS Classroom Training offer hands-on labs,
exercises, and best practices to help customers gain confidence and skills on AWS. The other
options are incorrect because they are not options that AWS makes available for customers who
want to learn about security in the cloud in an instructor-led setting. AWS Trusted Advisor is an AWS
service that provides real-time guidance to help customers follow AWS best practices for security,
performance, cost optimization, and fault tolerance. AWS Blog is an AWS resource that provides
news, announcements, and insights from AWS experts and customers. AWS Forums are AWS
resources that enable customers to interact with other AWS users and get feedback and support.
Reference: AWS Online Tech Talks, AWS Classroom Training

QUESTION NO: 458

A company wants to host its relational databases on AWS. The databases have predefined schemas that
the company needs to replicate on AWS.

Which AWS services could the company use for the databases? (Select TWO.)

A. Amazon Aurora

B. Amazon RDS

C. Amazon DocumentDB (with MongoDB compatibility)

D. Amazon Neptune

E. Amazon DynamoDB

Answer: A, B

: The correct answers are A and B because Amazon Aurora and Amazon RDS are AWS services that
the company could use for the relational databases. Amazon Aurora is a relational database that is
compatible with MySQL and PostgreSQL. Amazon Aurora is a fully managed, scalable, and high-
performance service that offers up to five times the throughput of standard MySQL and up to three
times the throughput of standard PostgreSQL. Amazon RDS is a service that enables users to set up,
operate, and scale relational databases in the cloud. Amazon RDS supports six popular database
engines: MySQL, PostgreSQL, Oracle, SQL Server, MariaDB, and Amazon Aurora. The other options
are incorrect because they are not AWS services that the company could use for the relational
databases. Amazon DocumentDB (with MongoDB compatibility) is a document database that is
compatible with MongoDB. Amazon Neptune is a graph database that supports property graph and
RDF models. Amazon DynamoDB is a key-value and document database. Reference: Amazon
Aurora, Amazon RDS

QUESTION NO: 459

Which of the following are benefits that a company receives when it moves an on-premises production
workload to AWS? (Select TWO.)

A. AWS trains the company's staff on the use of all the AWS services.

B. AWS manages all security in the cloud.

C. AWS offers free support from technical account managers (TAMs).

D. AWS offers high availability.

E. AWS provides economies of scale.

Answer: D, E

The correct answers are D and E because AWS offers high availability and AWS provides economies
of scale are benefits that a company receives when it moves an on-premises production workload to
AWS. High availability means that AWS has a global infrastructure that allows customers to deploy
their applications and data across multiple regions and availability zones. This increases the fault
tolerance and resilience of their applications and reduces the impact of failures. Economies of scale
means that AWS can achieve lower variable costs than customers can get on their own. This allows
customers to pay only for the resources they use and scale up or down as needed. The other options
are incorrect because they are not benefits that a company receives when it moves an on-premises
production workload to AWS. AWS trains the company’s staff on the use of all the AWS services is
not a benefit that a company receives when it moves an on-premises production workload to AWS.
AWS does provide various learning resources and training courses for customers, but it does not
train the company’s staff on the use of all the AWS services. AWS manages all security in the cloud
is not a benefit that a company receives when it moves an on-premises production workload to
AWS. AWS is responsible for the security of the cloud, but the customer is responsible for the
security in the cloud. AWS offers free support from technical account managers (TAMs) is not a
benefit that a company receives when it moves an on-premises production workload to AWS. AWS
does offer support from TAMs, but only for customers who have the AWS Enterprise Support plan,
which is not free. Reference: What is Cloud Computing?, [AWS Shared Responsibility Model], [AWS
Support Plans]

QUESTION NO: 460

A company needs a content delivery network that provides secure delivery of data, videos, applications,
and APIs to users globally with low latency and high transfer speeds.

Which AWS service meets these requirements?

A. Amazon CloudFront

B. Elastic Load Balancing

C. Amazon S3

D. Amazon Elastic Transcoder

Answer: A

The correct answer is A because Amazon CloudFront is an AWS service that provides secure
delivery of data, videos, applications, and APIs to users globally with low latency and high transfer
speeds. Amazon CloudFront is a fast content delivery network (CDN) that integrates with other AWS
services, such as Amazon S3, Amazon EC2, AWS Lambda, and AWS Shield. Amazon CloudFront
delivers content through a worldwide network of edge locations that are located close to the end
users. The other options are incorrect because they are not AWS services that provide secure
delivery of data, videos, applications, and APIs to users globally with low latency and high transfer
speeds. Elastic Load Balancing is an AWS service that distributes incoming traffic across multiple
targets, such as Amazon EC2 instances, containers, and IP addresses. Amazon S3 is an AWS
service that provides object storage for data of any size and type. Amazon Elastic Transcoder is an
AWS service that converts media files from their original source format into different formats that
will play on various devices. Reference: Amazon CloudFront FAQs

QUESTION NO: 461

An application is running on multiple Amazon EC2 instances. The company wants to make the
application highly available by configuring a load balancer with requests forwarded to the EC2 instances
based on URL paths.

Which AWS load balancer will meet these requirements and take the LEAST amount of effort to deploy?
A. Network Load Balancer

B. Application Load Balancer

C. AWS OpsWorks Load Balancer

D. Custom Load Balancer on Amazon EC2

Answer: B

The correct answer is B because Application Load Balancer is an AWS load balancer that will meet
the requirements and take the least amount of effort to deploy. Application Load Balancer is a type
of Elastic Load Balancing that operates at the application layer (layer 7) of the OSI model and routes
requests to targets based on the content of the request. Application Load Balancer supports
advanced features, such as path-based routing, host-based routing, and HTTP header-based routing.
The other options are incorrect because they are not AWS load balancers that will meet the
requirements and take the least amount of effort to deploy. Network Load Balancer is a type of
Elastic Load Balancing that operates at the transport layer (layer 4) of the OSI model and routes
requests to targets based on the destination IP address and port. Network Load Balancer does not
support path-based routing. AWS OpsWorks Load Balancer is not an AWS load balancer, but rather a
feature of AWS OpsWorks that enables users to attach an Elastic Load Balancing load balancer to a
layer of their stack. Custom Load Balancer on Amazon EC2 is not an AWS load balancer, but rather a
user-defined load balancer that runs on an Amazon EC2 instance. Custom Load Balancer on
Amazon EC2 requires more effort to deploy and maintain than an AWS load balancer.
Reference: Elastic Load Balancing

QUESTION NO: 462

A company needs to use dashboards and charts to analyze insights from business data.

Which AWS service will provide the dashboards and charts for these insights?

A. Amazon Macie

B. Amazon Aurora

C. Amazon QuickSight

D. AWS CloudTrail

Answer: C

The correct answer is C because Amazon QuickSight is an AWS service that will provide the
dashboards and charts for the insights from business data. Amazon QuickSight is a fully managed,
scalable, and serverless business intelligence service that enables users to create and share
interactive dashboards and charts. Amazon QuickSight can connect to various data sources, such
as Amazon S3, Amazon RDS, Amazon Redshift, and more. Amazon QuickSight also provides users
with machine learning insights, such as anomaly detection, forecasting, and natural language
narratives. The other options are incorrect because they are not AWS services that will provide the
dashboards and charts for the insights from business data. Amazon Macie is an AWS service that
helps users discover, classify, and protect sensitive data stored in Amazon S3. Amazon Aurora is an
AWS service that provides a relational database that is compatible with MySQL and PostgreSQL.
AWS CloudTrail is an AWS service that enables users to track user activity and API usage across
their AWS account. Reference: Amazon QuickSight FAQs

QUESTION NO: 463

A large company has a workload that requires hardware to remain on premises. The company wants to
use the same management and control plane services that it currently uses on AWS.

Which AWS service should the company use to meet these requirements?

A. AWS Device Farm

B. AWS Fargate

C. AWS Outposts

D. AWS Ground Station

Answer: C

The correct answer is C because AWS Outposts is an AWS service that enables the company to
meet the requirements. AWS Outposts is a fully managed service that extends AWS infrastructure,
services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility. AWS
Outposts allows customers to run their workloads on the same hardware and software that AWS
uses in its cloud, while maintaining local access and control. The other options are incorrect
because they are not AWS services that enable the company to meet the requirements. AWS Device
Farm is an AWS service that enables customers to test their mobile and web applications on real
devices in the AWS Cloud. AWS Fargate is an AWS service that enables customers to run containers
without having to manage servers or clusters. AWS Ground Station is an AWS service that enables
customers to communicate with satellites and downlink data from orbit. Reference: AWS Outposts
FAQs

QUESTION NO: 464

When a user wants to utilize their existing per-socket, per-core, or per-virtual machine software licenses
for a Microsoft Windows server running on AWS, which Amazon EC2 instance type is required?

A. Spot Instances

B. Dedicated Instances

C. Dedicated Hosts

D. Reserved Instances
Answer: C

The correct answer is C because Dedicated Hosts are Amazon EC2 instances that are required when
a user wants to utilize their existing per-socket, per-core, or per-virtual machine software licenses for
a Microsoft Windows server running on AWS. Dedicated Hosts are physical servers that are
dedicated to a single customer. Dedicated Hosts allow customers to use their existing server-bound
software licenses, such as Windows Server, SQL Server, and SUSE Linux Enterprise Server, subject to
their license terms. The other options are incorrect because they are not Amazon EC2 instances that
are required when a user wants to utilize their existing per-socket, per-core, or per-virtual machine
software licenses for a Microsoft Windows server running on AWS. Spot Instances are spare
Amazon EC2 instances that are available at up to 90% discount compared to On-Demand prices.
Spot Instances are suitable for stateless, fault-tolerant, and flexible workloads that can recover from
interruptions easily. Dedicated Instances are Amazon EC2 instances that run on hardware that is
dedicated to a single customer, but not to a specific physical server. Dedicated Instances do not
allow customers to use their existing server-bound software licenses. Reserved Instances are
Amazon EC2 instances that are reserved for a specific period of time (one or three years) in
exchange for a lower hourly rate. Reserved Instances are suitable for steady-state or predictable
workloads that run for a long duration. Reserved Instances do not allow customers to use their
existing server-bound software licenses. Reference: Dedicated Hosts, Amazon EC2 Instance
Purchasing Options

QUESTION NO: 465

Which AWS service should a cloud engineer use to view API calls to AWS services?

A. Amazon CloudWatch

B. AWS CloudTrail

C. AWS Config

D. AWS Artifact

Answer: B

The correct answer is B because AWS CloudTrail is an AWS service that a cloud engineer can use to
view API calls to AWS services. AWS CloudTrail is a service that enables customers to track user
activity and API usage across their AWS account. AWS CloudTrail records the details of every API
call made to AWS services, such as the identity of the caller, the time of the call, the source IP
address of the caller, the parameters and responses of the call, and more. Customers can use AWS
CloudTrail to audit, monitor, and troubleshoot their AWS resources and actions. The other options
are incorrect because they are not AWS services that a cloud engineer can use to view API calls to
AWS services. Amazon CloudWatch is an AWS service that enables customers to collect, analyze,
and visualize metrics, logs, and events from their AWS resources and applications. AWS Config is an
AWS service that enables customers to assess, audit, and evaluate the configurations of their AWS
resources. AWS Artifact is an AWS service that provides customers with on-demand access to AWS
compliance reports and select online agreements. Reference: AWS CloudTrail FAQs
QUESTION NO: 466

What can a user accomplish using AWS CloudTrail?

A. Generate an IAM user credentials report.

B. Record API calls made to AWS services.

C. Assess the compliance of AWS resource configurations with policies and guidelines.

D. Ensure that Amazon EC2 instances are patched with the latest security updates.

A company uses Amazon Workspaces.

Answer: B

AWS CloudTrail is an AWS service that enables users to accomplish the task of recording API calls
made to AWS services. AWS CloudTrail is a service that tracks user activity and API usage across
the AWS account. AWS CloudTrail records the details of every API call made to AWS services, such
as the identity of the caller, the time of the call, the source IP address of the caller, the parameters
and responses of the call, and more. Users can use AWS CloudTrail to audit, monitor, and
troubleshoot their AWS resources and actions. The other options are incorrect because they are not
tasks that users can accomplish using AWS CloudTrail. Generating an IAM user credentials report is
a task that users can accomplish using IAM, which is an AWS service that enables users to manage
access and permissions to AWS resources and services. Assessing the compliance of AWS
resource configurations with policies and guidelines is a task that users can accomplish using AWS
Config, which is an AWS service that enables users to assess, audit, and evaluate the configurations
of their AWS resources. Ensuring that Amazon EC2 instances are patched with the latest security
updates is a task that users can accomplish using AWS Systems Manager, which is an AWS service
that enables users to automate operational tasks, manage configuration and compliance, and
monitor system health and performance. Reference: AWS CloudTrail FAQs

QUESTION NO: 467

Which task is the responsibility of AWS, according to the AWS shared responsibility model?

A. Set up multi-factor authentication (MFA) for each Workspaces user account.

B. Ensure the environmental safety and security of the AWS infrastructure that hosts Workspaces.

C. Provide security for Workspaces user accounts through AWS Identity and Access Management

(IAM).

D. Configure AWS CloudTrail to log API calls and user activity.

A company stores data in an Amazon S3 bucket. The company must control who has permission to read,
write,
or delete objects that the company stores in the S3 bucket.

Answer: B

The correct answer is B because ensuring the environmental safety and security of the AWS
infrastructure that hosts Workspaces is the responsibility of AWS, according to the AWS shared
responsibility model. The AWS shared responsibility model is a framework that defines the division
of responsibilities between AWS and the customer for security and compliance. AWS is responsible
for the security of the cloud, which includes the global infrastructure, such as the regions, availability
zones, and edge locations; the hardware, software, networking, and facilities that run the AWS
services; and the virtualization layer that separates the customer instances and storage. The
customer is responsible for the security in the cloud, which includes the customer data, the guest
operating systems, the applications, the identity and access management, the firewall configuration,
and the encryption. The other options are incorrect because they are the responsibility of the
customer, according to the AWS shared responsibility model. Setting up multi-factor authentication
(MFA) for each Workspaces user account, providing security for Workspaces user accounts through
AWS Identity and Access Management (IAM), configuring AWS CloudTrail to log API calls and user
activity, and encrypting data at rest and in transit are all tasks that the customer has to perform to
secure their Workspaces environment. Reference: AWS Shared Responsibility Model, Amazon
WorkSpaces Security

QUESTION NO: 468

Which AWS features will meet these requirements? (Select TWO.)

A. Security groups

B. Network ACLs

C. S3 bucket policies

D. IAM user policies

E. S3 bucket versioning

Answer: C, D

The correct answers are C and D because S3 bucket policies and IAM user policies are AWS
features that will meet the requirements. S3 bucket policies are access policies that can be attached
to Amazon S3 buckets to grant or deny permissions to the bucket and the objects it contains. S3
bucket policies can be used to control who has permission to read, write, or delete objects that the
company stores in the S3 bucket. IAM user policies are access policies that can be attached to IAM
users to grant or deny permissions to AWS resources and actions. IAM user policies can be used to
control who has permission to read, write, or delete objects that the company stores in the S3
bucket. The other options are incorrect because they are not AWS features that will meet the
requirements. Security groups and network ACLs are AWS features that act as firewalls to control
inbound and outbound traffic to and from Amazon EC2 instances and subnets. Security groups and
network ACLs do not control who has permission to read, write, or delete objects that the company
stores in the S3 bucket. S3 bucket versioning is an AWS feature that enables users to keep multiple
versions of the same object in the same bucket. S3 bucket versioning can be used to recover from
accidental overwrites or deletions of objects, but it does not control who has permission to read,
write, or delete objects that the company stores in the S3 bucket. Reference: Using Bucket Policies
and User Policies, Security Groups for Your VPC, Network ACLs, [Using Versioning]

QUESTION NO: 469

Which of the following is a recommended design principle of the AWS Well-Architected Framework?

A. Reduce downtime by making infrastructure changes infrequently and in large increments.

B. Invest the time to configure infrastructure manually.

C. Learn to improve from operational failures.

D. Use monolithic application design for centralization.

Answer: C

The correct answer is C because learning to improve from operational failures is a recommended
design principle of the AWS Well-Architected Framework. The AWS Well-Architected Framework is a
set of best practices and guidelines for designing and operating reliable, secure, efficient, and cost-
effective systems in the cloud. The AWS Well-Architected Framework consists of five pillars:
operational excellence, security, reliability, performance efficiency, and cost optimization. Each pillar
has a set of design principles that describe the characteristics of a well-architected system.
Learning to improve from operational failures is a design principle of the operational excellence
pillar, which focuses on running and monitoring systems to deliver business value and continually
improve supporting processes and procedures. The other options are incorrect because they are not
recommended design principles of the AWS Well-Architected Framework. Reducing downtime by
making infrastructure changes infrequently and in large increments is not a design principle of the
AWS Well-Architected Framework, but rather a source of risk and inefficiency. A well-architected
system should implement changes frequently and in small increments to minimize the impact and
scope of failures. Investing the time to configure infrastructure manually is not a design principle of
the AWS Well-Architected Framework, but rather a source of human error and inconsistency. A well-
architected system should automate manual tasks to improve the speed and accuracy of
operations. Using monolithic application design for centralization is not a design principle of the
AWS Well-Architected Framework, but rather a source of complexity and rigidity. A well-architected
system should use loosely coupled and distributed components to enable scalability and resilience.
Reference: [AWS Well-Architected Framework]

QUESTION NO: 470

A security engineer wants a single-tenant AWS solution to create, control, and manage their own
cryptographic keys to meet regulatory compliance requirements for data security.

Which AWS service should the engineer use?

A. AWS Key Management Service (AWS KMS)

B. AWS Certificate Manager (ACM)

C. AWS CloudHSM

D. AWS Systems Manager

Answer: C

The correct answer is C because AWS CloudHSM is an AWS service that enables the security
engineer to meet the requirements. AWS CloudHSM is a service that provides customers with
dedicated hardware security modules (HSMs) to create, control, and manage their own
cryptographic keys in the AWS Cloud. AWS CloudHSM allows customers to meet strict regulatory
compliance requirements for data security, such as FIPS 140-2 Level 3, PCI-DSS, and HIPAA. The
other options are incorrect because they are not AWS services that enable the security engineer to
meet the requirements. AWS Key Management Service (AWS KMS) is a service that provides
customers with a fully managed, scalable, and integrated key management system to create and
control encryption keys for AWS services and applications. AWS KMS does not provide customers
with single-tenant or dedicated HSMs. AWS Certificate Manager (ACM) is a service that provides
customers with a simple and secure way to provision, manage, and deploy public and private Secure
Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services and
internal connected resources. ACM does not provide customers with HSMs or cryptographic keys.
AWS Systems Manager is a service that provides customers with a unified user interface to view
operational data from multiple AWS services and automate operational tasks across their AWS
resources. AWS Systems Manager does not provide customers with HSMs or cryptographic keys.
Reference: AWS CloudHSM FAQs

QUESTION NO: 471

Which tasks are the responsibility of AWS, according to the AWS shared responsibility model? (Select
TWO.)

A. Patch AWS network devices.

B. Set user password rules.

C. Provide physical security for compute resources.

D. Configure security groups.

E. Patch the operating system of an Amazon EC2 instance.

Answer: A, C

The correct answers are A and C because patching AWS network devices and providing physical
security for compute resources are tasks that are the responsibility of AWS, according to the AWS
shared responsibility model. The AWS shared responsibility model is a framework that defines the
division of responsibilities between AWS and the customer for security and compliance. AWS is
responsible for the security of the cloud, which includes the global infrastructure, such as the
regions, availability zones, and edge locations; the hardware, software, networking, and facilities that
run the AWS services; and the virtualization layer that separates the customer instances and
storage. The customer is responsible for the security in the cloud, which includes the customer data,
the guest operating systems, the applications, the identity and access management, the firewall
configuration, and the encryption. The other options are incorrect because they are tasks that are
the responsibility of the customer, according to the AWS shared responsibility model. Setting user
password rules, configuring security groups, and patching the operating system of an Amazon EC2
instance are all tasks that the customer has to perform to secure their AWS environment.
Reference: AWS Shared Responsibility Model

QUESTION NO: 472

Which AWS service or feature captures information about the network traffic to and from an Amazon
EC2 instance?

A. VPC Reachability Analyzer

B. Amazon Athena

C. VPC Flow Logs

D. AWS X-Ray

Answer: C

The correct answer is C because VPC Flow Logs is an AWS service or feature that captures
information about the network traffic to and from an Amazon EC2 instance. VPC Flow Logs is a
feature that enables customers to capture information about the IP traffic going to and from
network interfaces in their VPC. VPC Flow Logs can help customers to monitor and troubleshoot
connectivity issues, such as traffic not reaching an instance or traffic being rejected by a security
group. The other options are incorrect because they are not AWS services or features that capture
information about the network traffic to and from an Amazon EC2 instance. VPC Reachability
Analyzer is an AWS service or feature that enables customers to perform connectivity testing
between resources in their VPC and identify configuration issues that prevent connectivity. Amazon
Athena is an AWS service that enables customers to query data stored in Amazon S3 using standard
SQL. AWS X-Ray is an AWS service that enables customers to analyze and debug distributed
applications, such as those built using a microservices architecture. Reference: VPC Flow Logs

QUESTION NO: 473

Which of the following are pillars of the AWS Well-Architected Framework? (Select TWO.)

A. Availability

B. Reliability

C. Scalability

D. Responsive design

E. Operational excellence

Answer: B, E

The correct answers to the questions are B and E because reliability and operational excellence are
pillars of the AWS Well-Architected Framework. The AWS Well-Architected Framework is a set of
best practices and guidelines for designing and operating reliable, secure, efficient, and cost-
effective systems in the cloud. The AWS Well-Architected Framework consists of five pillars:
operational excellence, security, reliability, performance efficiency, and cost optimization. Each pillar
has a set of design principles that describe the characteristics of a well-architected system.
Reliability is the pillar that focuses on the ability of a system to recover from failures and meet
business and customer demand. Operational excellence is the pillar that focuses on the ability of a
system to run and monitor processes that support business outcomes and continually improve. The
other options are incorrect because they are not pillars of the AWS Well-Architected Framework.
Availability, scalability, and responsive design are important aspects of cloud architecture, but they
are not separate pillars in the framework. Availability and scalability are related to the reliability and
performance efficiency pillars, while responsive design is related to the customer experience and
user interface. Reference: AWS Well-Architected Framework

QUESTION NO: 474

Which tasks are customer responsibilities according to the AWS shared responsibility model? (Select
TWO.)

A. Determine application dependencies with operating systems.

B. Provide user access with AWS Identity and Access Management (IAM).

C. Secure the data center in an Availability Zone.

D. Patch the hypervisor.

E. Provide network availability in Availability Zones.

Answer: B

The correct answer to the question is B because providing user access with AWS Identity and
Access Management (IAM) is a customer responsibility according to the AWS shared responsibility
model. The AWS shared responsibility model is a framework that defines the division of
responsibilities between AWS and the customer for security and compliance. AWS is responsible for
the security of the cloud, which includes the global infrastructure, such as the regions, availability
zones, and edge locations; the hardware, software, networking, and facilities that run the AWS
services; and the virtualization layer that separates the customer instances and storage. The
customer is responsible for the security in the cloud, which includes the customer data, the guest
operating systems, the applications, the identity and access management, the firewall configuration,
and the encryption. IAM is an AWS service that enables customers to manage access and
permissions to AWS resources and services. Customers are responsible for creating and managing
IAM users, groups, roles, and policies, and ensuring that they follow the principle of least privilege.
Reference: AWS Shared Responsibility Model

QUESTION NO: 475

A user wants to identify any security group that is allowing unrestricted incoming SSH traffic.

Which AWS service can be used to accomplish this goal?

A. Amazon Cognito

B. AWS Shield

C. Amazon Macie

D. AWS Trusted Advisor

Answer: D

The correct answer to the question is D because AWS Trusted Advisor is an AWS service that can be
used to accomplish the goal of identifying any security group that is allowing unrestricted incoming
SSH traffic. AWS Trusted Advisor is a service that provides customers with recommendations that
help them follow AWS best practices. Trusted Advisor evaluates the customer’s AWS environment
and identifies ways to optimize their AWS infrastructure, improve security and performance, reduce
costs, and monitor service quotas. One of the checks that Trusted Advisor performs is the Security
Groups - Specific Ports Unrestricted check, which flags security groups that allow unrestricted
access to specific ports, such as port 22 for SSH. Customers can use this check to review and
modify their security group rules to restrict SSH access to only authorized sources.
Reference: Security Groups - Specific Ports Unrestricted

QUESTION NO: 476

Which AWS feature or resource is a deployable Amazon EC2 instance template that is prepackaged with

software and security requirements?

A. Amazon Elastic Block Store (Amazon EBS) volume

B. AWS CloudFormation template

C. Amazon Elastic Block Store (Amazon EBS) snapshot

D. Amazon Machine Image (AMI)

Answer: D

: An Amazon Machine Image (AMI) is a deployable Amazon EC2 instance template that is
prepackaged with software and security requirements. It provides the information required to launch
an instance, which is a virtual server in the cloud. You can use an AMI to launch as many instances
as you need. You can also create your own custom AMIs or use AMIs shared by other AWS users 1.

QUESTION NO: 477

Which AWS service is a highly available and scalable DNS web service?

A. Amazon VPC

B. Amazon CloudFront

C. Amazon Route 53

D. Amazon Connect

Answer: C

Amazon Route 53 is a highly available and scalable DNS web service. It is designed to give
developers and businesses an extremely reliable and cost-effective way to route end users to
Internet applications by translating domain names into the numeric IP addresses that computers
use to connect to each other2. Amazon Route 53 also offers other features such as health checks,
traffic management, domain name registration, and DNSSEC3.

QUESTION NO: 478

Which of the following is a characteristic of the AWS account root user?

A. The root user is the only user that can be configured with multi-factor authentication (MFA).

B. The root user is the only user that can access the AWS Management Console.

C. The root user is the first sign-in identity that is available when an AWS account is created.

D. The root user has a password that cannot be changed.

Answer: C

The AWS account root user is the first sign-in identity that is available when an AWS account is
created. It has complete access to all AWS services and resources in the account. The root user
email address and password are the same credentials that are used to sign in to the AWS
Management Console4. The root user should be used only to perform a few account and service
management tasks. For day-to-day tasks, it is recommended to use AWS Identity and Access
Management (IAM) users or roles instead.

QUESTION NO: 479

Which AWS service provides the ability to host a NoSQL database in the AWS Cloud?

A. Amazon Aurora

B. Amazon DynamoDB

C. Amazon RDS

D. Amazon Redshift

Answer: B

Amazon DynamoDB is a fully managed NoSQL database service that provides fast and predictable
performance with seamless scalability. It supports both key-value and document data models, and
allows you to create tables that can store and retrieve any amount of data, and serve any level of
request traffic. You can also use DynamoDB Streams to capture data modification events in
DynamoDB tables.

QUESTION NO: 480

What is the total amount of storage offered by Amazon S3?

A. WOMB

B. 5 GB

C. 5 TB

D. Unlimited

Answer: D

Amazon S3 offers unlimited storage for any amount of data. You can store as many objects as you
want, and each object can be as large as 5 terabytes. You pay only for the storage space that you
actually use, and there are no minimum commitments or upfront fees. Amazon S3 also provides
high durability, availability, scalability, and security for your data.

QUESTION NO: 481

Which AWS network services or features allow Cl DR block notation when providing an IP address
range?

(Select TWO.)
A. Security groups

B. Amazon Machine Image (AMI)

C. Network access control list (network ACL)

D. AWS Budgets

E. Amazon Elastic Block Store (Amazon EBS)

Answer: A, C

Security groups and network access control lists (network ACLs) are two AWS network services or
features that allow CIDR block notation when providing an IP address range. Security groups act as
a firewall for associated Amazon EC2 instances, controlling both inbound and outbound traffic at the
instance level. Network ACLs act as a firewall for associated subnets, controlling both inbound and
outbound traffic at the subnet level. Both security groups and network ACLs use CIDR block notation
to specify the IP address ranges that are allowed or denied

QUESTION NO: 482

A company has a workload that requires data to be collected, analyzed, and stored on premises. The
company wants to extend the use of AWS services to run on premises with access to the company
network and the company's VPC.

Which AWS service meets this requirement?

A. AWS Outposts

B. AWS Storage Gateway

C. AWS Direct Connect

D. AWS Snowball

Answer: A

AWS Outposts is an AWS service that meets the requirement of running AWS services on premises
with access to the company network and the company’s VPC. AWS Outposts is a fully managed
service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter,
co-location space, or on-premises facility for a truly consistent hybrid experience. AWS Outposts is
ideal for workloads that require low latency access to on-premises systems, local data processing,
or local data storage2.

QUESTION NO: 483

A company wants to deploy and manage a Docker-based application on AWS.

Which solution meets these requirements with the LEAST amount of operational overhead?
A. An open-source Docker orchestrator on Amazon EC2 instances

B. AWS AppSync

C. Amazon Elastic Container Registry (Amazon ECR)

D. Amazon Elastic Container Service (Amazon ECS)

Answer: D

Amazon Elastic Container Service (Amazon ECS) is a solution that meets the requirements of
deploying and managing a Docker-based application on AWS with the least amount of operational
overhead. Amazon ECS is a fully managed container orchestration service that makes it easy to run,
scale, and secure Docker container applications on AWS. Amazon ECS eliminates the need for you
to install, operate, and scale your own cluster management infrastructure. With simple API calls, you
can launch and stop container-enabled applications, query the complete state of your cluster, and
access many familiar features like security groups, Elastic Load Balancing, EBS volumes, and IAM
roles3.

QUESTION NO: 484

When designing AWS workloads to be operational even when there are component failures, what is an
AWS best practice?

A. Perform quarterly disaster recovery tests.

B. Place the main component on the us-east-1 Region.

C. Design for automatic failover to healthy resources.

D. Design workloads to fit on a single Amazon EC2 instance.

Answer: C

Designing for automatic failover to healthy resources is an AWS best practice when designing AWS
workloads to be operational even when there are component failures. This means that you should
architect your system to handle the loss of one or more components without impacting the
availability or performance of your application. You can use various AWS services and features to
achieve this, such as Auto Scaling, Elastic Load Balancing, Amazon Route 53, Amazon
CloudFormation, and AWS CloudFormation4.

QUESTION NO: 485

Which AWS service provides highly durable object storage?

A. Amazon S3

B. Amazon Elastic File System (Amazon EFS)

C. Amazon Elastic Block Store (Amazon EBS)

D. Amazon FSx

Answer: A

Amazon S3 is the AWS service that provides highly durable object storage. Amazon S3 is designed
to provide 99.999999999% durability of objects over a given year. This means that you can store
your data with high confidence that it will not be lost. Amazon S3 also provides high availability,
scalability, security, and performance for your data. You can use Amazon S3 to store and retrieve
any amount of data, at any time, from anywhere on the web 5.

QUESTION NO: 486

Which pillar of the AWS Well-Architected Framework includes a design principle about measuring the
overall efficiency of workloads in terms of business value?

A. Operational excellence

B. Security

C. Reliability

D. Cost optimization

Answer: A

The operational excellence pillar of the AWS Well-Architected Framework includes a design
principle about measuring the overall efficiency of workloads in terms of business value. This
principle states that you should monitor and measure key performance indicators (KPIs) and set
targets and thresholds that align with your business goals. You should also use feedback loops to
continuously improve your processes and procedures 1 .

QUESTION NO: 487

Who enables encryption of data at rest for Amazon Elastic Block Store (Amazon EBS)?

A. AWS Support

B. AWS customers

C. AWS Key Management Service (AWS KMS)

D. AWS Trusted Advisor

Answer: B

AWS customers are responsible for enabling encryption of data at rest for Amazon Elastic Block
Store (Amazon EBS). Amazon EBS encryption offers a simple encryption solution for your EBS
volumes that does not require you to build, maintain, and secure your own key management
infrastructure. You can encrypt both the boot and data volumes of your EC2 instances. You can use
AWS Key Management Service (AWS KMS) customer master keys (CMKs) or your own CMKs to
encrypt your volumes2.

QUESTION NO: 488

Who is responsible for decommissioning end-of-life underlying storage devices that are used to host
data on AWS?

A. Customer

B. AWS

C. Account creator

D. Auditing team

Answer: B

AWS is responsible for decommissioning end-of-life underlying storage devices that are used to host
data on AWS. AWS follows strict and audited data destruction processes to ensure that customer
data is not exposed to unauthorized individuals or devices when an AWS storage device reaches the
end of its useful life. AWS uses techniques detailed in DoD 5220.22-M (“National Industrial Security
Program Operating Manual”) or NIST 800-88 (“Guidelines for Media Sanitization”) to destroy data as
part of the decommissioning process3.

QUESTION NO: 489

A company wants to manage access and permissions for its third-party software as a service (SaaS)

applications. The company wants to use a portal where end users can access assigned AWS accounts
and AWS Cloud applications.

Which AWS service should the company use to meet these requirements?

A. Amazon Cognito

B. AWS IAM Identity Center (AWS Single Sign-On)

C. AWS Identity and Access Management (IAM)

D. AWS Directory Service for Microsoft Active Directory

Answer: B

AWS IAM Identity Center (AWS Single Sign-On) is the AWS service that the company should use to
meet the requirements of managing access and permissions for its third-party SaaS applications.
AWS Single Sign-On is a cloud-based service that makes it easy to centrally manage single sign-on
(SSO) access to multiple AWS accounts and business applications. You can use AWS Single Sign-On
to enable your users to sign in to a user portal with their existing corporate credentials and access
all of their assigned accounts and applications from one place 4.

QUESTION NO: 490

A large company wants to track the combined AWS usage costs of all of its linked accounts.

How can this be accomplished?

A. Use AWS Trusted Advisor to generate customized summary reports.

B. Use AWS Organizations to generate consolidated billing reports.

C. Use AWS Budgets to set utilization targets and receive summary reports.

D. Use the AWS Control Tower dashboard to get a summary report of all linked account costs.

Answer: B

The company can use AWS Organizations to track the combined AWS usage costs of all of its linked
accounts. AWS Organizations is a service that enables you to consolidate multiple AWS accounts
into an organization that you can manage centrally. You can use AWS Organizations to create a
consolidated billing report that shows the charges incurred by each account in your organization as
well as the total charges across all accounts. You can also use AWS Organizations to apply policies
and controls to your accounts to help you manage costs and security 5.

QUESTION NO: 491

A company wants its Amazon EC2 instances to operate in a highly available environment, even if there is
a

natural disaster in a particular geographic area.

Which solution achieves this goal?

A. Use EC2 instances in a single Availability Zone.

B. Use EC2 instances in multiple AWS Regions.

C. Use EC2 instances in multiple edge locations.

D. Use Amazon CloudFront with the EC2 instances configured as the source.

Answer: B

To achieve high availability in the event of a natural disaster, the company should use EC2 instances
in multiple AWS Regions. AWS Regions are geographically isolated areas that consist of multiple
Availability Zones. Availability Zones are physically separate locations within an AWS Region that are
engineered to be isolated from failures. By using EC2 instances in multiple AWS Regions, the
company can ensure that its applications can continue to run even if one Region is affected by a
disaster. AWS Global InfrastructureAWS Well-Architected Framework

QUESTION NO: 492

Using Amazon Elastic Container Service (Amazon ECS) to break down a monolithic architecture into
microservices is an example of:

A. a loosely coupled architecture.

B. a tightly coupled architecture.

C. a stateless architecture.

D. a stateful architecture.

Answer: A

Using Amazon Elastic Container Service (Amazon ECS) to break down a monolithic architecture into
microservices is an example of a loosely coupled architecture. A loosely coupled architecture is one
where the components are independent and can communicate with each other through well-defined
interfaces. This allows for greater scalability, flexibility, and resilience. A tightly coupled architecture
is one where the components are interdependent and rely on each other for functionality. This can
lead to increased complexity, fragility, and difficulty in changing or scaling the system. Amazon ECS
OverviewAWS Well-Architected Framework

QUESTION NO: 493

Which of the following are design principles for reliability in the AWS Cloud? (Select TWO.)

A. Build architectures with tightly coupled resources.

B. Use AWS Trusted Advisor to meet security best practices.

C. Use automation to recover immediately from failure.

D. Rightsize Amazon EC2 instances to ensure optimal performance.

E. Simulate failures to test recovery processes.

Answer: C, E

The design principles for reliability in the AWS Cloud are:

• Test recovery procedures. The best way to ensure that systems can recover from failures is
to regularly test them using simulated scenarios. This can help identify gaps and improve
the recovery process.
 • Automatically recover from failure. By using automation, systems can detect and correct
failures without human intervention. This can reduce the impact and duration of failures and
improve the availability of the system.
• Scale horizontally to increase aggregate system availability. By adding more redundant
resources to the system, the impact of individual resource failures can be reduced. This can
also improve the performance and scalability of the system.
• Stop guessing capacity. By using monitoring and automation, systems can adjust the
capacity based on the demand and performance metrics. This can prevent failures due to
insufficient or excessive capacity and optimize the cost and efficiency of the system.
• Manage change in automation. By using automation, changes to the system can be applied
in a consistent and controlled manner. This can reduce the risk of human errors and
configuration drifts that can cause failures. AWS Well-Architected Framework

QUESTION NO: 494

Which statements represent the cost-effectiveness of the AWS Cloud? (Select TWO.)

A. Users can trade fixed expenses for variable expenses.

B. Users can deploy all over the world in minutes.

C. AWS offers increased speed and agility.

D. AWS is responsible for patching the infrastructure.

E. Users benefit from economies of scale.

Answer: A, E

The statements that represent the cost-effectiveness of the AWS Cloud are:
• Users can trade fixed expenses for variable expenses. By using the AWS Cloud, users can
pay only for the resources they use, instead of investing in fixed and upfront costs for
hardware and software. This can lower the total cost of ownership and increase the return
on investment.
• Users benefit from economies of scale. By using the AWS Cloud, users can leverage the
massive scale and efficiency of AWS to access lower prices and higher performance. AWS
passes the cost savings to the users through price reductions and innovations. AWS Cloud
Value Framework

QUESTION NO: 495

A company wants to migrate its on-premises data warehouse to AWS. The information in the data
warehouse is

used to populate analytics dashboards.

Which AWS service should the company use for the data warehouse?

A. Amazon ElastiCache

B. Amazon Aurora

C. Amazon RDS

D. Amazon Redshift

Answer: D

The AWS service that the company should use for the data warehouse is Amazon Redshift. Amazon
Redshift is a fully managed, petabyte-scale data warehouse service that is optimized for analytical
queries. It can integrate with various data sources and business intelligence tools to provide fast
and cost-effective insights. Amazon Redshift also offers high availability, scalability, security, and
compliance features. [Amazon Redshift Overview]

QUESTION NO: 496

Which benefit does Amazon Rekognition provide?

A. The ability to place watermarks on images

B. The ability to detect objects that appear in pictures

C. The ability to resize millions of images automatically

D. The ability to bid on object detection jobs

Answer: B

Amazon Rekognition is a service that provides deep learning-based image and video analysis. One
of the benefits of Amazon Rekognition is the ability to detect objects that appear in pictures, such as
faces, landmarks, animals, text, and scenes. This can enable applications to perform tasks such as
face recognition, face verification, face comparison, face search, celebrity recognition, emotion
detection, age range estimation, gender identification, facial analysis, facial expression recognition,
and more. Amazon Rekognition OverviewAWS Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 497

Which AWS service uses a combination of publishers and subscribers?

A. AWS Lambda

B. Amazon Simple Notification Service (Amazon SNS)

C. Amazon CloudWatch

D. AWS CloudFormation

Answer: B

Amazon Simple Notification Service (Amazon SNS) is a service that provides fully managed pub/sub
messaging. Pub/sub messaging is a pattern that uses a combination of publishers and subscribers.
Publishers are entities that produce messages and send them to topics. Subscribers are entities that
receive messages from topics. Topics are logical access points that act as communication
channels between publishers and subscribers. Amazon SNS enables applications to decouple, scale,
and coordinate the delivery of messages to multiple endpoints, such as email, SMS, mobile push
notifications, Lambda functions, SQS queues, and HTTP/S endpoints. Amazon SNS OverviewAWS
Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 498

A company is developing an application that uses multiple AWS services. The application needs to use

temporary, limited-privilege credentials for authentication with other AWS APIs.

Which AWS service or feature should the company use to meet these authentication requirements?

A. Amazon API Gateway

B. IAM users

C. AWS Security Token Service (AWS STS)

D. IAM instance profiles

Answer: C

AWS Security Token Service (AWS STS) is a service that enables applications to request temporary,
limited-privilege credentials for authentication with other AWS APIs. AWS STS can be used to grant
access to AWS resources to users who are federated (using IAM roles), switched (using IAM users),
or cross-account (using IAM roles). AWS STS can also be used to assume a role within the same
account or a different account. The credentials issued by AWS STS are short-term and have a limited
scope, which can enhance the security and compliance of the application. AWS STS OverviewAWS
Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 499

A company is migrating an application that includes an Oracle database to AWS. The company cannot
rewrite the application.

To which AWS service could the company migrate the database?

A. Amazon Athena
B. Amazon DynamoDB

®C. Amazon RDS

D. Amazon DocumentDB (with MongoDB compatibility)

Answer: C

Amazon Relational Database Service (Amazon RDS) is a service that provides fully managed
relational database engines. Amazon RDS supports several database engines, including Oracle,
MySQL, PostgreSQL, MariaDB, SQL Server, and Amazon Aurora. Amazon RDS can be used to migrate
an application that includes an Oracle database to AWS without rewriting the application, as long as
the application is compatible with the Oracle version and edition supported by Amazon RDS.
Amazon RDS can also provide benefits such as high availability, scalability, security, backup and
restore, and performance optimization. [Amazon RDS Overview] AWS Certified Cloud Practitioner -
aws.amazon.com

QUESTION NO: 500

Which of the following is an AWS value proposition that describes a user's ability to scale infrastructure
based on demand?

A. Speed of innovation

B. Resource elasticity

C. Decoupled architecture

D. Global deployment

Answer: B

Resource elasticity is an AWS value proposition that describes a user’s ability to scale infrastructure
based on demand. Resource elasticity means that the user can provision or deprovision resources
quickly and easily, without any upfront commitment or long-term contract. Resource elasticity can
help the user optimize the cost and performance of the application, as well as respond to changing
business needs and customer expectations. Resource elasticity can be achieved by using services
such as Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, Amazon ECS, and AWS
Lambda. [AWS Cloud Value Framework] AWS Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 501

A company needs to continuously monitor its environment to analyze network and account activity and
identify potential security threats.

Which AWS service should the company use to meet these requirements?
A. AWS Artifact

B. Amazon Macie

C. AWS Identity and Access Management (IAM)

D. Amazon GuardDuty

Answer: D

Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring
for the AWS environment. It analyzes network and account activity using machine learning and
threat intelligence to identify potential security threats, such as unauthorized access, compromised
credentials, malicious hosts, and reconnaissance activities. It also generates detailed and actionable
findings that can be viewed on the AWS Management Console or sent to other AWS services, such
as Amazon CloudWatch Events and AWS Lambda, for further analysis or remediation. Amazon
GuardDuty OverviewAWS Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 502

Which AWS service can report how AWS resource configurations have changed over time?

A. AWS CloudTrail

B. Amazon CloudWatch

C. AWS Config

D. Amazon Inspector

Answer: C

AWS Config is a service that enables users to assess, audit, and evaluate the configurations of AWS
resources. It continuously monitors and records the configuration changes of the resources and
evaluates them against desired configurations and best practices. It also provides a detailed view of
the resource configuration history and relationships, as well as compliance reports and notifications.
AWS Config can help users maintain consistent and secure configurations, troubleshoot issues, and
simplify compliance auditing. AWS Config OverviewAWS Certified Cloud Practitioner -
aws.amazon.com

QUESTION NO: 503

Which AWS benefit is demonstrated by on-demand technology services that enable companies to
replace upfront fixed expenses with variable expenses?

A. High availability

B. Economies of scale
C. Pay-as-you-go pricing

D. Global reach

Answer: C

Pay-as-you-go pricing is an AWS benefit that demonstrates the ability of users to replace upfront
fixed expenses with variable expenses. With pay-as-you-go pricing, users only pay for the resources
they consume, without any long-term contracts or commitments. This can lower the total cost of
ownership and increase the return on investment. Pay-as-you-go pricing also provides flexibility and
scalability, as users can adjust their resource usage according to their changing needs and
demands. AWS Cloud Value FrameworkAWS Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 504

A company is using AWS Lambda functions to build an application.

Which tasks are the company's responsibility, according to the AWS shared responsibility model? (Select
TWO.)

A. Patch the servers where the Lambda functions are deployed.

B. Establish the IAM permissions that define who can run the Lambda functions.

C. Write the code for the Lambda functions to define the application logic.

D. Deploy Amazon EC2 instances to support the Lambda functions.

E. Scale out the Lambda functions when the load increases.

Answer: B, C

According to the AWS shared responsibility model, AWS is responsible for the security of the cloud,
while the user is responsible for the security in the cloud. This means that AWS manages the
security and maintenance of the underlying infrastructure, such as the servers, networks, and
operating systems, while the user manages the security and configuration of the resources and
applications that run on AWS. For AWS Lambda functions, the tasks that are the user’s responsibility
are:
• Establish the IAM permissions that define who can run the Lambda functions. IAM is a
service that enables users to manage access and permissions for AWS resources and users.
Users can create IAM policies, roles, and users to grant or deny permissions to run Lambda
functions, invoke other AWS services, or access AWS resources from Lambda functions.
[AWS Lambda Permissions] AWS Certified Cloud Practitioner - aws.amazon.com
• Write the code for the Lambda functions to define the application logic. Lambda functions
are units of code that can be written in any supported programming language, such as
Python, Node.js, Java, or Go. Users can write the code for the Lambda functions using the
AWS Management Console, the AWS Command Line Interface (AWS CLI), the AWS SDKs, or
any code editor of their choice. Users can also use AWS Lambda Layers to share and
 manage common code and dependencies across multiple functions. [AWS Lambda
Overview] AWS Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 505

Which services can be used to deploy applications on AWS? (Select TWO.)

A. AWS Elastic Beanstalk

B. AWS Config

C. AWS OpsWorks

Q D. AWS Application Discovery Service

E. Amazon Kinesis

Answer: A, C

The services that can be used to deploy applications on AWS are:

• AWS Elastic Beanstalk. This is a service that simplifies the deployment and management of
web applications on AWS. Users can upload their application code and Elastic Beanstalk
automatically handles the provisioning, scaling, load balancing, monitoring, and health
checking of the resources needed to run the application. Users can also retain full control
and access to the underlying resources and customize their configuration settings. Elastic
Beanstalk supports multiple platforms, such as Java, .NET, PHP, Node.js, Python, Ruby, Go,
and Docker. [AWS Elastic Beanstalk Overview] AWS Certified Cloud Practitioner -
aws.amazon.com
• AWS OpsWorks. This is a service that provides configuration management and automation
for AWS resources. Users can define the application architecture and the configuration of
each resource using Chef or Puppet, which are popular open-source automation platforms.
OpsWorks then automatically creates and configures the resources according to the user’s
specifications. OpsWorks also provides features such as auto scaling, monitoring, and
integration with other AWS services. OpsWorks has two offerings: OpsWorks for Chef
Automate and OpsWorks for Puppet Enterprise. [AWS OpsWorks Overview] AWS Certified
Cloud Practitioner - aws.amazon.com

QUESTION NO: 506

Which statement describes a characteristic of the AWS global infrastructure?

A. Edge locations contain multiple AWS Regions.

B. AWS Regions contain multiple Regional edge caches.

C. Availability Zones contain multiple data centers.

D. Each data center contains multiple edge locations.

Answer: C

Availability Zones contain multiple data centers. This is a characteristic of the AWS global
infrastructure, which consists of AWS Regions, Availability Zones, and edge locations. AWS Regions
are geographically isolated areas that contain multiple Availability Zones. Availability Zones are
physically separate locations within an AWS Region that are engineered to be isolated from failures
and connected by low-latency, high-throughput, and highly redundant networking. Each Availability
Zone contains one or more data centers that house the servers and storage devices that run AWS
services. Edge locations are sites that are located closer to the end users and provide caching and
content delivery services. AWS Global InfrastructureAWS Certified Cloud Practitioner -
aws.amazon.com

QUESTION NO: 507

Which of the following is available to a company that has an AWS Business Support plan?

A. AWS Support concierge

B. AWS DDoS Response Team (DRT)

C. AWS technical account manager (TAM)

D. AWS Health API

Answer: D

AWS Health API is available to a company that has an AWS Business Support plan. The AWS Health
API provides programmatic access to the AWS Health information that is presented in the AWS
Personal Health Dashboard. The AWS Health API can help users get timely and personalized
information about events that can affect the availability and performance of their AWS resources,
such as scheduled maintenance, network issues, or service disruptions. The AWS Health API can
also integrate with other AWS services, such as Amazon CloudWatch Events and AWS Lambda, to
enable automated actions and notifications. AWS Health API OverviewAWS Support Plans

QUESTION NO: 508

Which pillar of the AWS Well-Architected Framework focuses on the return on investment of moving
into the AWS Cloud?

A. Sustainability

B. Cost optimization

C. Operational excellence

D. Reliability
Answer: B

Cost optimization is the pillar of the AWS Well-Architected Framework that focuses on the return on
investment of moving into the AWS Cloud. Cost optimization means that users can achieve the
desired business outcomes at the lowest possible price point, while maintaining high performance
and reliability. Cost optimization can be achieved by using various AWS features and best practices,
such as pay-as-you-go pricing, right-sizing, elasticity, reserved instances, spot instances, cost
allocation tags, cost and usage reports, and AWS Trusted Advisor. [AWS Well-Architected
Framework] AWS Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 509

Which AWS service or feature offers HTTP attack protection to users running public-facing web
applications?

A. Security groups

B. Network ACLs

C. AWS Shield Standard

D. AWS WAF

Answer: D

AWS WAF is the AWS service or feature that offers HTTP attack protection to users running public-
facing web applications. AWS WAF is a web application firewall that helps users protect their web
applications from common web exploits, such as SQL injection, cross-site scripting, and bot attacks.
Users can create custom rules to define the web traffic that they want to allow, block, or count.
Users can also use AWS Managed Rules, which are pre-configured rules that are curated and
maintained by AWS or AWS Marketplace Sellers. AWS WAF can be integrated with other AWS
services, such as Amazon CloudFront, Amazon API Gateway, and Application Load Balancer, to
provide comprehensive security for web applications. [AWS WAF Overview] AWS Certified Cloud
Practitioner - aws.amazon.com

QUESTION NO: 510

What is an Availability Zone?

A. A location where users can deploy compute, storage, database, and other select AWS services

where no AWS Region currently exists

B. One or more discrete data centers with redundant power, networking, and connectivity

C. One or more clusters of servers where new workloads can be deployed

D. A fast content delivery network (CDN) service that securely delivers data, videos, applications, and

APIs to users globally

Answer: B

An Availability Zone is one or more discrete data centers with redundant power, networking, and
connectivity. Availability Zones are part of the AWS global infrastructure, which consists of AWS
Regions, Availability Zones, and edge locations. Availability Zones are physically separate locations
within an AWS Region that are engineered to be isolated from failures and connected by low-latency,
high-throughput, and highly redundant networking. Each Availability Zone contains one or more data
centers that house the servers and storage devices that run AWS services. Availability Zones enable
users to design and operate fault-tolerant and high-availability applications on AWS. AWS Global
InfrastructureAWS Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 511

Which of the following is a cloud benefit that AWS offers to its users?

A. The ability to configure AWS data center hypervisors

B. The ability to purchase hardware in advance of increased traffic

C. The ability to deploy to AWS on a global scale

D. Compliance audits for user IT environments

Answer: C

The ability to deploy to AWS on a global scale is a cloud benefit that AWS offers to its users. AWS
has a global infrastructure that consists of AWS Regions, Availability Zones, and edge locations.
Users can choose from multiple AWS Regions around the world to deploy their applications and data
closer to their end users, while also meeting their compliance and regulatory requirements. Users
can also leverage AWS services, such as Amazon CloudFront, Amazon Route 53, and AWS Global
Accelerator, to improve the performance and availability of their global applications. AWS also
provides tools and guidance to help users optimize their global deployments, such as AWS Well-
Architected Framework, AWS CloudFormation, and AWS Migration Hub. AWS Global
Infrastructure [AWS Cloud Value Framework] AWS Certified Cloud Practitioner - aws.amazon.com

QUESTION NO: 512

Which AWS service can a company use to perform complex analytical queries?

A. Amazon RDS

B. Amazon DynamoDB

C. Amazon Redshift

D. Amazon ElastiCache

Answer: C

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can
start with just a few hundred gigabytes of data and scale to a petabyte or more. This enables you to
use your data to acquire new insights for your business and customers. Amazon Redshift is
designed for complex analytical queries that often involve aggregations and joins across very large
tables. Amazon Redshift supports standard SQL and integrates with many existing business
intelligence tools1.

QUESTION NO: 513

A company wants to track its AWS account's service costs. The company also wants to receive
notifications when costs are forecasted to reach a specific level.

Which AWS service or tool provides this functionality?

A. AWS Budgets

B. AWS Cost Explorer

C. Savings Plans

D. AWS Billing Conductor

Answer: A

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage
exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set
reservation utilization or coverage targets and receive alerts when your utilization drops below the
threshold you define2.

QUESTION NO: 514

An ecommerce company has migrated its IT infrastructure from an on-premises data center to the AWS
Cloud.
Which AWS service is used to track, record, and audit configuration changes made to AWS resources?

A. AWS Shield

B. AWS Config

C. AWS IAM

D. Amazon Inspector

Answer: B

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your
AWS resources. AWS Config continuously monitors and records your AWS resource configurations
and allows you to automate the evaluation of recorded configurations against desired
configurations. With AWS Config, you can review changes in configurations and relationships
between AWS resources, dive into detailed resource configuration histories, and determine your
overall compliance against the configurations specified in your internal guidelines 3.

QUESTION NO: 515

A company needs to test a new application that was written in Python. The code will activate when new
images are stored in an Amazon S3 bucket. The application will put a watermark on each image and then
will store the images in a different S3 bucket.

Which AWS service should the company use to conduct the test with the LEAST amount of operational

overhead?

A. Amazon EC2

B. AWS CodeDeploy

C. AWS Lambda

D. Amazon Lightsail

Answer: C

AWS Lambda is a compute service that lets you run code without provisioning or managing servers.
AWS Lambda executes your code only when needed and scales automatically, from a few requests
per day to thousands per second. You pay only for the compute time you consume - there is no
charge when your code is not running. With AWS Lambda, you can run code for virtually any type of
application or backend service - all with zero administration. AWS Lambda runs your code on a high-
availability compute infrastructure and performs all of the administration of the compute resources,
including server and operating system maintenance, capacity provisioning and automatic scaling,
code monitoring and logging

QUESTION NO: 516

Which of the following are customer responsibilities under the AWS shared responsibility model? (Select
TWO.)

A. Physical security of AWS facilities

B. Configuration of security groups

Q C. Encryption of customer data on AWS

D. Management of AWS Lambda infrastructure

Q E. Management of network throughput of each AWS Region

Answer: B, C

The AWS shared responsibility model describes how AWS and the customer share responsibility for
security and compliance of the AWS environment. AWS is responsible for the security of the cloud,
which includes the physical security of AWS facilities, the infrastructure, hardware, software, and
networking that run AWS services. The customer is responsible for security in the cloud, which
includes the configuration of security groups, the encryption of customer data on AWS, the
management of AWS Lambda infrastructure, and the management of network throughput of each
AWS Region.

QUESTION NO: 517

Which AWS service or tool can be used to consolidate payments for a company with multiple AWS
accounts?

A. AWS Cost and Usage Report

B. AWS Organizations

C. Cost Explorer

D. AWS Budgets

Answer: B

AWS Organizations is an account management service that enables you to consolidate multiple
AWS accounts into an organization that you create and centrally manage. AWS Organizations
includes consolidated billing and account management capabilities that enable you to better meet
the budgetary, security, and compliance needs of your business 1.
QUESTION NO: 518

How can an AWS user conduct security assessments of Amazon EC2 instances, NAT gateways, and
Elastic

Load Balancers in a way that is approved by AWS?

A. Flood a target with requests.

B. Use Amazon Inspector.

C. Perform penetration testing.

D. Use the AWS Service Health Dashboard.

Answer: B

Amazon Inspector is an automated security assessment service that helps improve the security and
compliance of applications deployed on AWS. Amazon Inspector automatically assesses
applications for exposure, vulnerabilities, and deviations from best practices. After performing an
assessment, Amazon Inspector produces a detailed list of security findings prioritized by level of
severity2.

QUESTION NO: 519

Which AWS service will help protect applications running on AWS from DDoS attacks?

A. Amazon GuardDuty

B. AWS WAF

C. AWS Shield

D. Amazon Inspector

Answer: C

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards
applications running on AWS. AWS Shield provides always-on detection and automatic inline
mitigations that minimize application downtime and latency, so there is no need to engage AWS
Support to benefit from DDoS protection3.

QUESTION NO: 520

A cloud engineer wants to know the percentage of the allocated compute units that are in use for a
specific Amazon EC2 instance.
Which AWS service can provide this information?

A. AWS CloudTrail

B. AWS Config

C. Amazon CloudWatch

D. AWS Artifact

Answer: C

Amazon CloudWatch is a monitoring and observability service built for DevOps engineers,
developers, site reliability engineers (SREs), and IT managers. CloudWatch provides you with data
and actionable insights to monitor your applications, respond to system-wide performance changes,
optimize resource utilization, and get a unified view of operational health. CloudWatch collects
monitoring and operational data in the form of logs, metrics, and events, providing you with a unified
view of AWS resources, applications, and services that run on AWS and on-premises servers

QUESTION NO: 521

Which activity is a customer responsibility in the AWS Cloud according to the AWS shared responsibility
model?

A. Ensuring network connectivity from AWS to the internet

B. Patching and fixing flaws within the AWS Cloud infrastructure

C. Ensuring the physical security of cloud data centers

D. Ensuring Amazon EBS volumes are backed up

Answer: D

The AWS shared responsibility model describes how AWS and the customer share responsibility for
security and compliance of the AWS environment. AWS is responsible for the security of the cloud,
which includes the physical security of AWS facilities, the infrastructure, hardware, software, and
networking that run AWS services. The customer is responsible for security in the cloud, which
includes the configuration of security groups, the encryption of customer data on AWS, the
management of AWS Lambda infrastructure, and the management of network throughput of each
AWS Region. One of the customer responsibilities is to ensure that Amazon EBS volumes are
backed up.

QUESTION NO: 522

Which AWS service meets this requirement?

A. AWS CloudFormation

B. AWS Elastic Beanstalk

C. AWS Cloud9

D. AWS CloudShell

Answer: A

AWS CloudFormation is a service that gives developers and businesses an easy way to create a
collection of related AWS and third-party resources, and provision and manage them in an orderly
and predictable fashion. You can use AWS CloudFormation’s sample templates or create your own
templates to describe the AWS and third-party resources, and any associated dependencies or
runtime parameters, required to run your application.

QUESTION NO: 523

A company wants to use the AWS Cloud as an offsite backup location for its on-premises infrastructure.

Which AWS service will meet this requirement MOST cost-effectively?

A. Amazon S3

B. Amazon Elastic File System (Amazon EFS)

C. Amazon FSx

D. Amazon Elastic Block Store (Amazon EBS)

Answer: A

Amazon S3 is the most cost-effective service for storing offsite backups of on-premises
infrastructure. Amazon S3 offers low-cost, durable, and scalable storage that can be accessed from
anywhere over the internet. Amazon S3 also supports lifecycle policies, versioning, encryption, and
cross-region replication to optimize the backup and recovery process. Amazon EFS, Amazon FSx,
and Amazon EBS are more suitable for storing data that requires high performance, low latency, and
frequent access12

QUESTION NO: 524

A company is building a serverless architecture that connects application data from multiple data
sources. The company needs a solution that does not require additional code.

Which AWS service meets these requirements?

A. AWS Lambda

B. Amazon Simple Queue Service (Amazon SQS)

C. Amazon CloudWatch

D. Amazon EventBridge

Answer: D

Amazon EventBridge is the service that meets the requirements of building a serverless architecture
that connects application data from multiple data sources without requiring additional code.
Amazon EventBridge is a serverless event bus service that allows you to easily connect your
applications with data from AWS services, SaaS applications, and your own applications. You can
use Amazon EventBridge to create rules that match events and route them to targets such as AWS
Lambda functions, Amazon SNS topics, Amazon SQS queues, or other AWS services. Amazon
EventBridge handles the event ingestion, delivery, security, authorization, and error handling for you 34

QUESTION NO: 525

A company needs to use standard SQL to query and combine exabytes of structured and semi-
structured data across a data warehouse, operational database, and data lake.

Which AWS service meets these requirements?

A. Amazon DynamoDB

B. Amazon Aurora

C. Amazon Athena

D. Amazon Redshift

Answer: D

Amazon Redshift is the service that meets the requirements of using standard SQL to query and
combine exabytes of structured and semi-structured data across a data warehouse, operational
database, and data lake. Amazon Redshift is a fully managed, petabyte-scale data warehouse
service that allows you to run complex analytic queries using standard SQL and your existing
business intelligence tools. Amazon Redshift also supports Redshift Spectrum, a feature that allows
you to directly query and join data stored in Amazon S3 using the same SQL syntax. Amazon
Redshift can scale up or down to handle any volume of data and deliver fast query performance 5

QUESTION NO: 526

A company's information security manager is supervising a move to AWS and wants to ensure that AWS
best practices are followed. The manager has concerns about the potential misuse of AWS account root
user credentials.

Which of the following is an AWS best practice for using the AWS account root user credentials?

A. Allow only the manager to use the account root user credentials for normal activities.
B. Use the account root user credentials only for Amazon EC2 instances from the AWS Free Tier.

C. Use the account root user credentials only when they alone must be used to perform a required

function.

D. Use the account root user credentials only for the creation of private VPC subnets.

Answer: C

The AWS best practice for using the AWS account root user credentials is to use them only when
they alone must be used to perform a required function. The AWS account root user credentials
have full access to all the resources in the account, and therefore pose a security risk if
compromised or misused. You should create individual IAM users with the minimum necessary
permissions for everyday tasks, and use AWS Organizations to manage multiple accounts. You
should also enable multi-factor authentication (MFA) and rotate the password for the root user
regularly. Some of the functions that require the root user credentials are changing the account
name, closing the account, changing the support plan, and restoring an IAM user’s access.

QUESTION NO: 527

A company needs to store data across multiple Availability Zones in an AWS Region. The data will not be

accessed regularly but must be immediately retrievable.

Which Amazon Elastic File System (Amazon EFS) storage class meets these requirements MOST cost
effectively?

A. EFS Standard

B. EFS Standard-Infrequent Access(EFS Standard-IA)

C. EFS One Zone

D. EFS One Zone-Infrequent Access (EFS One Zone-IA)

Answer: B

EFS Standard-Infrequent Access (EFS Standard-IA) is the storage class that meets the requirements
of storing data across multiple Availability Zones in an AWS Region, that will not be accessed
regularly but must be immediately retrievable, most cost-effectively. EFS Standard-IA is designed for
files that are accessed less frequently, but still require the same high performance, low latency, and
high availability as EFS Standard. EFS Standard-IA has a lower storage cost than EFS Standard, but
charges a small additional fee for each access. EFS One Zone and EFS One Zone-IA store data in a
single Availability Zone, which reduces the availability and durability compared to EFS Standard and
EFS Standard-IA.

QUESTION NO: 528

A company wants to establish a security layer in its VPC that will act as a firewall to control subnet
traffic.

Which AWS service or feature will meet this requirement?

A. Routing tables

B. Network access control lists (network ACLs)

C. Security groups

D. Amazon GuardDuty

Answer: C

Security groups are the service or feature that meets the requirement of establishing a security layer
in a VPC that will act as a firewall to control subnet traffic. Security groups are stateful firewalls that
control the inbound and outbound traffic at the instance level. You can assign one or more security
groups to each instance in a VPC, and specify the rules that allow or deny traffic based on the
protocol, port, and source or destination. Security groups are associated with network interfaces,
and therefore apply to all the instances in the subnets that use those network interfaces. Routing
tables are used to direct traffic between subnets and gateways, not to filter traffic. Network ACLs
are stateless firewalls that control the inbound and outbound traffic at the subnet level, but they are
less granular and more cumbersome to manage than security groups. Amazon GuardDuty is a threat
detection service that monitors your AWS account and workloads for malicious or unauthorized
activity, not a firewall service.

QUESTION NO: 529

A newly created IAM user has no IAM policy attached.

What will happen when the user logs in and attempts to view the AWS resources in the account?

A. All AWS services will be read-only access by default.

B. Access to all AWS resources will be denied.

C. Access to the AWS billing services will be allowed.

D. Access to AWS resources will be allowed through the AWS CLL

Answer: B

Access to all AWS resources will be denied if a newly created IAM user has no IAM policy attached
and logs in and attempts to view the AWS resources in the account. IAM policies are the way to
grant permissions to IAM users, groups, and roles to access and manage AWS resources. By default,
IAM users have no permissions, unless they are explicitly granted by an IAM policy. Therefore, a
newly created IAM user without any IAM policy attached will not be able to view or perform any
actions on the AWS resources in the account. Access to the AWS billing services and AWS CLI will
also be denied, unless the user has the necessary permissions.

QUESTION NO: 530

A cloud practitioner is analyzing Amazon EC2 instance performance and usage to provide
recommendations for potential cost savings.

Which cloud concept does this analysis demonstrate?

A. Auto scaling

B. Rightsizing

C. Load balancing

D. High availability

Answer: B

Rightsizing is the cloud concept that this analysis demonstrates. Rightsizing is the process of
optimizing the performance and cost of your AWS resources by selecting the most appropriate type,
size, and configuration based on your workload requirements and usage patterns. Rightsizing can
help you achieve potential cost savings by reducing the over-provisioning or under-utilization of your
resources. You can use various AWS tools and services, such as AWS Cost Explorer, AWS Compute
Optimizer, and AWS Trusted Advisor, to analyze your resource utilization and performance metrics,
and receive recommendations for rightsizing.

QUESTION NO: 531

An auditor needs to find out whether a specific AWS service is compliant with specific compliance
frameworks.

Which AWS service will provide this information?

A. AWS Artifact

B. AWS Trusted Advisor

C. Amazon GuardDuty

D. AWS Certificate Manager (ACM)

Answer: A

AWS Artifact is the service that will provide the information about whether a specific AWS service is
compliant with specific compliance frameworks. AWS Artifact is a self-service portal that allows you
to access, review, and download AWS security and compliance reports and agreements. You can
use AWS Artifact to verify the compliance status of AWS services across various regions and
compliance programs, such as ISO, PCI, SOC, FedRAMP, HIPAA, and more 12

QUESTION NO: 532

Which duties are the responsibility of a company that is using AWS Lambda? (Select TWO.)

A. Security inside of code

B. Selection of CPU resources

C. Patching of operating system

D. Writing and updating of code

E. Security of underlying infrastructure

Answer: A, D

The duties that are the responsibility of a company that is using AWS Lambda are security inside of
code and writing and updating of code. AWS Lambda is a serverless compute service that allows
you to run code without provisioning or managing servers, scaling, or patching. AWS Lambda takes
care of the security of the underlying infrastructure, such as the operating system, the network, and
the firewall. However, the company is still responsible for the security of the code itself, such as
encrypting sensitive data, validating input, and handling errors. The company is also responsible for
writing and updating the code that defines the Lambda function, and choosing the runtime
environment, such as Node.js, Python, or Java. AWS Lambda does not require the selection of CPU
resources, as it automatically allocates them based on the memory configuration 34

QUESTION NO: 533

Which AWS services and features are provided to all customers at no charge? (Select TWO.)

A. Amazon Aurora

B. VPC

C. Amazon SageMaker

D. AWS Identity and Access Management (IAM)

E. Amazon Polly

Answer: B, D

The AWS services and features that are provided to all customers at no charge are VPC and AWS
Identity and Access Management (IAM). VPC is a service that allows you to launch AWS resources
in a logically isolated virtual network that you define. You can create and use a VPC at no additional
charge, and you only pay for the resources that you launch in the VPC, such as EC2 instances or EBS
volumes. IAM is a service that allows you to manage access and permissions to AWS resources.
You can create and use IAM users, groups, roles, and policies at no additional charge, and you only
pay for the AWS resources that the IAM entities access. Amazon Aurora, Amazon SageMaker, and
Amazon Polly are not free services, and they charge based on the usage and features that you
choose5

QUESTION NO: 534

Which AWS services or features can control VPC traffic? (Select TWO.)

A. Security groups

B. AWS Direct Connect

C. Amazon GuardDuty

D. Network ACLs

E. Amazon Connect

Answer: A, D

The AWS services or features that can control VPC traffic are security groups and network ACLs.
Security groups are stateful firewalls that control the inbound and outbound traffic at the instance
level. You can assign one or more security groups to each instance in a VPC, and specify the rules
that allow or deny traffic based on the protocol, port, and source or destination. Network ACLs are
stateless firewalls that control the inbound and outbound traffic at the subnet level. You can
associate one network ACL with each subnet in a VPC, and specify the rules that allow or deny
traffic based on the protocol, port, and source or destination. AWS Direct Connect, Amazon
GuardDuty, and Amazon Connect are not services or features that can control VPC traffic. AWS
Direct Connect is a service that establishes a dedicated network connection between your premises
and AWS. Amazon GuardDuty is a service that monitors your AWS account and workloads for
malicious or unauthorized activity. Amazon Connect is a service that provides a cloud-based contact
center solution.

QUESTION NO: 535

A company needs to identify the last time that a specific user accessed the AWS Management Console.

Which AWS service will provide this information?

A. Amazon Cognito

B. AWS CloudTrail

C. Amazon Inspector

D. Amazon GuardDuty
Answer: B

AWS CloudTrail is the service that will provide the information about the last time that a specific
user accessed the AWS Management Console. AWS CloudTrail is a service that records the API calls
and events made by or on behalf of your AWS account. You can use AWS CloudTrail to view, search,
and download the history of AWS console sign-in events, which include the user name, date, time,
source IP address, and other details of the sign-in activity. Amazon Cognito, Amazon Inspector, and
Amazon GuardDuty are not services that will provide this information. Amazon Cognito is a service
that provides user authentication and authorization for web and mobile applications. Amazon
Inspector is a service that assesses the security and compliance of your applications running on
AWS. Amazon GuardDuty is a service that monitors your AWS account and workloads for malicious
or unauthorized activity.

QUESTION NO: 536

A company's application stores data in an Amazon S3 bucket. The company has an AWS Lambda
function that processes data in the S3

bucket. The company needs to invoke the function once a day at a specific time.

Which AWS service should the company use to meet this requirement?

A. AWS Managed Services (AMS)

B. AWS CodeStar

C. Amazon EventBridge

D. AWS Step Functions

Answer: C

Amazon EventBridge is the service that the company should use to meet the requirement of
invoking the Lambda function once a day at a specific time. Amazon EventBridge is a serverless
event bus service that allows you to easily connect your applications with data from AWS services,
SaaS applications, and your own applications. You can use Amazon EventBridge to create rules that
match events and route them to targets such as AWS Lambda functions, Amazon SNS topics,
Amazon SQS queues, or other AWS services. You can also use Amazon EventBridge to create
scheduled rules that trigger your targets at a specific time or interval, such as once a day. AWS
Managed Services (AMS), AWS CodeStar, and AWS Step Functions are not services that the
company should use to meet this requirement. AMS is a service that provides operational
management for your AWS infrastructure and applications. AWS CodeStar is a service that provides
a unified user interface for managing software development projects on AWS. AWS Step Functions
is a service that coordinates multiple AWS services into serverless workflows.

QUESTION NO: 537

A company uses Amazon Aurora as its database service. The company wants to encrypt its databases
and database backups.

Which party manages the encryption of the database clusters and database snapshots, according to the
AWS shared responsibility

model?

A. AWS

B. The company

C. AWS Marketplace partners

D. Third-party partners

Answer: A

AWS manages the encryption of the database clusters and database snapshots for Amazon Aurora,
as well as the encryption keys. This is part of the AWS shared responsibility model, where AWS is
responsible for the security of the cloud, and the customer is responsible for the security in the
cloud. Encryption is one of the security features that AWS provides to protect the data at rest and in
transit. For more information, see Amazon Aurora FAQs and AWS Shared Responsibility Model.

QUESTION NO: 538

Which AWS solution gives companies the ability to use protocols such as NFS to store and retrieve
objects in Amazon S3?

A. Amazon FSx for Lustre

B. AWS Storage Gateway volume gateway

C. AWS Storage Gateway file gateway

D. Amazon Elastic File System (Amazon EFS)

Answer: C

AWS Storage Gateway file gateway allows companies to use protocols such as NFS and SMB to
store and retrieve objects in Amazon S3. File gateway provides a seamless integration between on-
premises applications and Amazon S3, and enables low-latency access to data through local
caching. File gateway also supports encryption, compression, and lifecycle management of the
objects in Amazon S3. For more information, see What is AWS Storage Gateway? and File Gateway.

QUESTION NO: 539

A company is launching a new application in the AWS Cloud. The application will run on an Amazon EC2
instance. More EC2 instances will be needed when the workload increases.
Which AWS service or tool can the company use to launch the number of EC2 instances that will be
needed to handle the workload?

A. Elastic Load Balancing

B. Amazon EC2 Auto Scaling

C. AWS App2Container (A2C)

D. AWS Systems Manager

Answer: B

Amazon EC2 Auto Scaling is the AWS service or tool that can help the company launch the number
of EC2 instances that will be needed to handle the workload. Amazon EC2 Auto Scaling
automatically adjusts the capacity of the EC2 instances based on the demand and the predefined
scaling policies. Amazon EC2 Auto Scaling also helps to improve availability and reduce costs by
scaling in and out as needed. For more information, see What is Amazon EC2 Auto Scaling? and
[Getting Started with Amazon EC2 Auto Scaling].

QUESTION NO: 540

Which design principle is achieved by following the reliability pillar of the AWS Well-Architected
Framework?

A. Vertical scaling

B. Manual failure recovery

C. Testing recovery procedures

D. Changing infrastructure manually

Answer: C

: Testing recovery procedures is the design principle that is achieved by following the reliability pillar
of the AWS Well-Architected Framework. The reliability pillar focuses on the ability of a system to
recover from failures and prevent disruptions. Testing recovery procedures helps to ensure that the
system can handle different failure scenarios and restore normal operations as quickly as possible.
Testing recovery procedures also helps to identify and mitigate any risks or gaps in the system
design and implementation. For more information, see [Reliability Pillar] and [Testing for Reliability].

QUESTION NO: 541

What is a benefit of moving to the AWS Cloud in terms of improving time to market?
A. Decreased deployment speed

B. Increased application security

C. Increased business agility

D. Increased backup capabilities

Answer: C

Increased business agility is a benefit of moving to the AWS Cloud in terms of improving time to
market. Business agility refers to the ability of a company to adapt to changing customer needs,
market conditions, and competitive pressures. Moving to the AWS Cloud enables business agility by
providing faster access to resources, lower upfront costs, and greater scalability and flexibility. By
using the AWS Cloud, companies can launch new products and services, experiment with new ideas,
and respond to customer feedback more quickly and efficiently. For more information, see [Benefits
of Cloud Computing] and [Business Agility].

QUESTION NO: 542

In which of the following AWS services should database credentials be stored for maximum security?

A. AWS Identity and Access Management (IAM)

B. AWS Secrets Manager

C. Amazon S3

D. AWS Key Management Service (AWS KMS)

Answer: B

AWS Secrets Manager is the AWS service where database credentials should be stored for
maximum security. AWS Secrets Manager helps to protect the secrets, such as database
credentials, passwords, API keys, and tokens, that are used to access applications, services, and
resources. AWS Secrets Manager enables secure storage, encryption, rotation, and retrieval of the
secrets. AWS Secrets Manager also integrates with other AWS services, such as AWS Identity and
Access Management (IAM), AWS Key Management Service (AWS KMS), and AWS Lambda. For more
information, see [What is AWS Secrets Manager?] and [Getting Started with AWS Secrets Manager].

QUESTION NO: 543

A company needs to configure rules to identify threats and protect applications from malicious network
access.

Which AWS service should the company use to meet these requirements?
A. AWS Identity and Access Management (IAM)

B. Amazon QuickSight

C. AWS WAF

D. Amazon Detective

Answer: C

AWS WAF is the AWS service that the company should use to configure rules to identify threats and
protect applications from malicious network access. AWS WAF is a web application firewall that
helps to filter, monitor, and block malicious web requests based on customizable rules. AWS WAF
can be integrated with other AWS services, such as Amazon CloudFront, Amazon API Gateway, and
Application Load Balancer. For more information, see What is AWS WAF? and How AWS WAF
Works.

QUESTION NO: 544

Which option is an advantage of AWS Cloud computing that minimizes variable costs?

A. High availability

B. Economies of scale

C. Global reach

D. Agility

Answer: B

Economies of scale is the advantage of AWS Cloud computing that minimizes variable costs.
Economies of scale refers to the reduction in the cost per unit as the output increases. AWS Cloud
computing leverages economies of scale by providing a large pool of shared resources that can be
accessed on demand and paid for as needed. AWS Cloud computing also passes the cost savings
to the customers by offering lower prices and discounts. For more information, see Economies of
Scale and AWS Pricing.

QUESTION NO: 545

A company moves its infrastructure from on premises to the AWS Cloud. The company can now
provision additional Amazon EC2 instances whenever the instances are required. With this ability, the
company can launch new marketing campaigns in 3 days instead of 3 weeks.

Which benefit of the AWS Cloud does this scenario demonstrate?

A. Cost savings

B. Improved operational resilience

C. Increased business agility

D. Enhanced security

Answer: C

Increased business agility is the benefit of the AWS Cloud that this scenario demonstrates.
Business agility refers to the ability of a company to adapt to changing customer needs, market
conditions, and competitive pressures. Moving to the AWS Cloud enables business agility by
providing faster access to resources, lower upfront costs, and greater scalability and flexibility. By
using the AWS Cloud, the company can launch new marketing campaigns in 3 days instead of 3
weeks, which shows that it can respond to customer feedback more quickly and efficiently. For
more information, see Benefits of Cloud Computing and [Business Agility].

QUESTION NO: 546

A retail company is migrating its IT infrastructure applications from on premises to the AWS Cloud.

Which costs will the company eliminate with this migration? (Select TWO.)

A. Cost of data center operations

B. Cost of application licensing

C. Cost of marketing campaigns

D. Cost of physical server hardware

E. Cost of network management

Answer: A, D

The costs that the company will eliminate with this migration are the cost of application licensing
and the cost of physical server hardware. The cost of application licensing is the fee that the
company has to pay to use the software applications on its on-premises servers. The cost of
physical server hardware is the expense that the company has to incur to purchase, maintain, and
upgrade the servers and related equipment. By migrating to the AWS Cloud, the company can avoid
these costs by using the AWS services and resources that are already licensed and managed by
AWS. For more information, see [Cloud Economics] and [AWS Total Cost of Ownership (TCO)
Calculator].

QUESTION NO: 547

Which AWS Support plan assigns an AWS concierge agent to a company's account?

A. AWS Basic Support

B. AWS Developer Support

C. AWS Business Support

D. AWS Enterprise Support

Answer: D

AWS Enterprise Support is the AWS Support plan that assigns an AWS concierge agent to a
company’s account. AWS Enterprise Support is the highest level of support that AWS offers, and it
provides the most comprehensive and personalized assistance. An AWS concierge agent is a
dedicated technical account manager who acts as a single point of contact for the company and
helps to optimize the AWS environment, resolve issues, and access AWS experts. For more
information, see [AWS Support Plans] and [AWS Concierge Support].

QUESTION NO: 548

A company hosts an application on an Amazon EC2 instance. The EC2 instance needs to access several
AWS resources, including Amazon S3 and Amazon DynamoDB.

What is the MOST operationally efficient solution to delegate permissions?

A. Create an IAM role with the required permissions. Attach the role to the EC2 instance.

B. Create an IAM user and use its access key and secret access key in the application.

C. Create an IAM user and use its access key and secret access key to create a CLI profile in the EC2
instance.

D. Create an IAM role with the required permissions. Attach the role to the administrativeIAM user.

Answer: A

Creating an IAM role with the required permissions and attaching the role to the EC2 instance is the
most operationally efficient solution to delegate permissions. An IAM role is an entity that defines a
set of permissions for making AWS service requests. An IAM role can be assumed by an EC2
instance to access other AWS resources, such as Amazon S3 and Amazon DynamoDB, without
having to store any credentials on the instance. This solution is more secure and scalable than using
IAM users and their access keys. For more information, see [IAM Roles for Amazon EC2] and [Using
an IAM Role to Grant Permissions to Applications Running on Amazon EC2 Instances].

Topic 2, Exam Pool B

QUESTION NO: 549

Which encryption types can be used to protect objects at rest in Amazon S3? (Select TWO.)

A. Server-side encryption with AmazonS3 managed encryption keys (SSE-S3)

B. Server-side encryption with AWS KMSmanaged keys (SSE-KMS)

C. TLS

D. SSL

E. Transparent Data Encryption (TDE)

Answer: A, B

Server-side encryption with Amazon S3 managed encryption keys (SSE-S3) and server-side
encryption with AWS KMS managed keys (SSE-KMS) are the encryption types that can be used to
protect objects at rest in Amazon S3. Server-side encryption means that Amazon S3 encrypts the
objects before saving them on disks and decrypts them when they are downloaded. SSE-S3 uses
one master key per bucket that is managed by Amazon S3. SSE-KMS uses a customer master key
(CMK) that is stored in AWS Key Management Service (AWS KMS) and provides additional benefits,
such as audit trails and key rotation. For more information, see Protecting Data Using Server-Side
Encryption and Protecting Data Using Encryption.

QUESTION NO: 550

A company is building an application that will receive millions of database queries each second. The
company needs the data store for the application to scale to meet these needs.

Which AWS service will meet this requirement?

A. Amazon DynamoDB

B. AWS Cloud9

C. Amazon ElastiCache for Memcached

D. Amazon Neptune

Answer: A

Amazon DynamoDB is the AWS service that will meet the requirement of building an application that
will receive millions of database queries each second. Amazon DynamoDB is a fully managed
NoSQL database service that provides fast and consistent performance, scalability, and durability.
Amazon DynamoDB can handle any level of request traffic and automatically scale up or down the
capacity based on the demand. Amazon DynamoDB also supports in-memory caching with Amazon
DynamoDB Accelerator (DAX) to improve the response time and reduce the cost. For more
information, see What is Amazon DynamoDB? and Amazon DynamoDB Features.

QUESTION NO: 551

An application runs on multiple Amazon EC2 instances that access a shared file system simultaneously.

Which AWS storage service should be used?

A. Amazon EBS

B. Amazon EFS

C. Amazon S3

D. AWS Artifact

Answer: B

Amazon Elastic File System (Amazon EFS) is the AWS storage service that should be used for an
application that runs on multiple Amazon EC2 instances that access a shared file system
simultaneously. Amazon EFS is a fully managed service that provides a scalable, elastic, and highly
available file system for Linux-based workloads. Amazon EFS supports the Network File System
version 4 (NFSv4) protocol and allows multiple EC2 instances to read and write data to the same file
system concurrently. Amazon EFS also integrates with other AWS services, such as AWS Backup,
AWS CloudFormation, and AWS CloudTrail. For more information, see What is Amazon Elastic File
System? and [Amazon EFS Use Cases].

QUESTION NO: 552

Which of the following is entirely the responsibility of AWS, according to the AWS shared responsibility
model?

A. Security awareness and training

B. Development of an IAM password policy

C. Patching of the guest operating system

D. Physical and environmental controls

Answer: D

Physical and environmental controls are entirely the responsibility of AWS, according to the AWS
shared responsibility model. The AWS shared responsibility model defines the division of
responsibilities between AWS and the customer for security and compliance. AWS is responsible for
the security of the cloud, which includes the physical and environmental controls of the AWS global
infrastructure, such as power, cooling, fire suppression, and physical access. The customer is
responsible for the security in the cloud, which includes the configuration and management of the
AWS resources and applications. For more information, see [AWS Shared Responsibility Model] and
[AWS Cloud Security].

QUESTION NO: 553

A company does not want to rely on elaborate forecasting to determine its usage of compute resources.
Instead, the company wants to pay only for the resources that it uses. The company also needs the
ability to increase or decrease its resource usage to meet business requirements.

Which pillar of the AWS Well-Architected Framework aligns with these requirements?

A. Operational excellence

B. Security

C. Reliability

D. Cost optimization

Answer: D

Cost optimization is the pillar of the AWS Well-Architected Framework that aligns with the
requirements of not relying on elaborate forecasting and paying only for the resources that are used.
The cost optimization pillar focuses on the ability of a system to deliver business value at the lowest
price point. Cost optimization involves using the right AWS services and resources for the workload,
measuring and monitoring the cost and usage, and continuously improving the cost efficiency. Cost
optimization also leverages the benefits of the AWS Cloud, such as pay-as-you-go pricing, elasticity,
and scalability. For more information, see [Cost Optimization Pillar] and [Cost Optimization].

QUESTION NO: 554

A company wants to use Amazon EC2 instances to run a stateless and restartable process after business
hours.

Which AWS service provides DNS resolution?

A. Amazon CloudFront

B. Amazon VPC

C. Amazon Route 53

D. AWS Direct Connect

Answer: C

Amazon Route 53 is the AWS service that provides DNS resolution. DNS (Domain Name System) is a
service that translates domain names into IP addresses. Amazon Route 53 is a highly available and
scalable cloud DNS service that offers domain name registration, DNS routing, and health checking.
Amazon Route 53 can route the traffic to various AWS services, such as Amazon EC2, Amazon S3,
and Amazon CloudFront. Amazon Route 53 can also integrate with other AWS services, such as
AWS Certificate Manager, AWS Shield, and AWS WAF. For more information, see [What is Amazon
Route 53?] and [Amazon Route 53 Features].
QUESTION NO: 555

Which group shares responsibility with AWS for security and compliance of AWS accounts and
resources?

A. Third-party vendors

B. Customers

C. Reseller partners

D. Internet providers

Answer: B

Customers share responsibility with AWS for security and compliance of AWS accounts and
resources. This is part of the AWS shared responsibility model, which defines the division of
responsibilities between AWS and the customer for security and compliance. AWS is responsible for
the security of the cloud, which includes the physical and environmental controls of the AWS global
infrastructure, such as power, cooling, fire suppression, and physical access. The customer is
responsible for the security in the cloud, which includes the configuration and management of the
AWS resources and applications, such as identity and access management, encryption, firewall, and
backup. For more information, see AWS Shared Responsibility Model and AWS Cloud Security.

QUESTION NO: 556

A company wants to migrate its Microsoft SQL Server database management system from on premises
to the AWS Cloud.

Which AWS service should the company use to reduce management overhead for this environment?

A. Amazon Elastic Container Service (Amazon ECS)

B. Amazon SageMaker

C. Amazon RDS

D. Amazon Athena

Answer: C

Amazon Relational Database Service (Amazon RDS) is the AWS service that the company should
use to migrate its Microsoft SQL Server database management system from on premises to the
AWS Cloud. Amazon RDS is a fully managed service that provides a scalable, secure, and high-
performance relational database platform. Amazon RDS supports several database engines,
including Microsoft SQL Server. Amazon RDS reduces the management overhead for the database
environment by taking care of tasks such as provisioning, patching, backup, recovery, and
monitoring. For more information, see What is Amazon Relational Database Service (Amazon
RDS)? and Amazon RDS for SQL Server.

QUESTION NO: 557

A company moves a workload to AWS to run on Amazon EC2 instances. The company needs to run the
workload in the most cost-effective way.

What can the company do to meet this requirement?

A. Use AWS Key Management Service (AWS KMS).

B. Use multiple AWS accounts and consolidated billing.

C. Use AWS CloudFormation to deploy the infrastructure.

D. Rightsized all the EC2 instances that are used in the deployment.

Answer: D

Rightsizing all the EC2 instances that are used in the deployment is the best way to run the workload
in the most cost-effective way. Rightsizing means choosing the optimal instance type and size for
the workload based on the performance and capacity requirements. Rightsizing helps to avoid over-
provisioning or under-provisioning of the EC2 instances, which can result in wasted resources or
poor performance. Rightsizing also helps to take advantage of the different pricing models and
features that AWS offers, such as On-Demand, Reserved, and Spot Instances, and Auto Scaling. For
more information, see Rightsizing Your Instances and [Cost Optimization with AWS].

QUESTION NO: 558

A company needs to launch an Amazon EC2 instance.

Which of the following can the company use during the launch process to configure the root volume of
the EC2 instance?

A. Amazon EC2 Auto Scaling

B. Amazon Data Lifecycle Manager (Amazon DLM)

C. Amazon Machine Image (AMI)

D. Amazon Elastic Block Store (Amazon EBS) volume

Answer: C

Amazon Machine Image (AMI) is the option that the company can use during the launch process to
configure the root volume of the EC2 instance. An AMI is a template that contains the software
configuration, such as the operating system, applications, and settings, required to launch an EC2
instance. An AMI also specifies the volume size and type of the root device for the instance. The
company can choose an AMI provided by AWS, the AWS Marketplace, or the AWS community, or
create a custom AMI. For more information, see [Amazon Machine Images (AMI)] and [Launching an
Instance Using the Launch Instance Wizard].

QUESTION NO: 559

A company plans to migrate its on-premises workload to AWS. Before the migration, the company needs
to estimate its future AWS service costs.

Which AWS service or tool should the company use to meet this requirement?

A. AWS Trusted Advisor

B. AWS Budgets

C. AWS Pricing Calculator

D. AWS Cost Explorer

Answer: C

AWS Pricing Calculator is the AWS service or tool that the company should use to estimate its future
AWS service costs before the migration. AWS Pricing Calculator is a web-based tool that allows the
company to create cost estimates for various AWS services and scenarios. AWS Pricing Calculator
helps the company to compare the costs of running the workload on premises versus on AWS, and
to optimize the costs by choosing the best options for the workload. AWS Pricing Calculator also
provides a detailed breakdown of the cost components and a downloadable report. For more
information, see [AWS Pricing Calculator] and [Getting Started with AWS Pricing Calculator].

QUESTION NO: 560

A company suspects that its AWS resources are being used for illegal activities.

Which AWS group or team should the company notify?

A. AWS Abuse team

B. AWS Support team

C. AWS technical account managers

D. AWS Professional Services team

Answer: A

AWS Abuse team is the AWS group or team that the company should notify if it suspects that its
AWS resources are being used for illegal activities. AWS Abuse team is a dedicated team that
handles reports of abuse, such as spam, phishing, malware, denial-of-service attacks, and
unauthorized access, involving AWS resources. The company can contact the AWS Abuse team by
filling out the [Report Abuse of AWS Resources form] or sending an email to
[email protected]. The company should provide as much information as possible, such as
the source and destination IP addresses, timestamps, log files, and screenshots, to help the AWS
Abuse team investigate and take appropriate actions. For more information, see [Reporting Abuse]
and [AWS Acceptable Use Policy].

QUESTION NO: 561

A company wants an in-memory data store that is compatible with open source in the cloud.

Which AWS service should the company use?

A. Amazon DynamoDB

B. Amazon ElastiCache

C. Amazon Elastic Block Store (Amazon EBS)

D. Amazon Redshift

Answer: B

Amazon ElastiCache is a fully managed in-memory data store service that is compatible with open
source engines such as Redis and Memcached1. It provides fast and scalable performance for
applications that require high throughput and low latency 1. Amazon DynamoDB is a fully managed
NoSQL database service that provides consistent and single-digit millisecond latency at any
scale2. Amazon EBS is a block storage service that provides persistent and durable storage volumes
for Amazon EC2 instances3. Amazon Redshift is a fully managed data warehouse service that allows
users to run complex analytic queries using SQL 4.

QUESTION NO: 562

A company wants to improve its security and audit posture by limiting Amazon EC2 inbound access.

According to the AWS shared responsibility model, which task is the responsibility of the customer?

A. Protect the global infrastructure that runs all of the services offered in the AWS Cloud.

B. Configure logical access controls for resources, and protect account credentials.

C. Configure the security used by managed services.

D. Patch and back up Amazon Aurora.

Answer: B
 According to the AWS shared responsibility model, the customer is responsible for configuring
logical access controls for resources, and protecting account credentials. This includes managing
IAM user permissions, security group rules, network ACLs, encryption keys, and other aspects of
access management1. AWS is responsible for protecting the global infrastructure that runs all of the
services offered in the AWS Cloud, such as the hardware, software, networking, and facilities. AWS is
also responsible for configuring the security used by managed services, such as Amazon RDS,
Amazon DynamoDB, and Amazon Aurora2.

QUESTION NO: 563

Which task is the responsibility of AWS when using AWS services?

A. Management of IAM user permissions

B. Creation of security group rules for outbound access

C. Maintenance of physical and environmental controls

D. Application of Amazon EC2 operating system patches

Answer: C

AWS is responsible for maintaining the physical and environmental controls of the AWS Cloud, such
as power, cooling, fire suppression, and physical security 1. The customer is responsible for
managing the IAM user permissions, creating security group rules for outbound access, applying
Amazon EC2 operating system patches, and other aspects of security in the cloud 1.

QUESTION NO: 564

A company wants to push VPC Flow Logs to an Amazon S3 bucket.

A company wants to optimize long-term compute costs of AWS Lambda functions and Amazon EC2
instances.

Which AWS purchasing option should the company choose to meet these requirements?

A. Dedicated Hosts

B. Compute Savings Plans

C. Reserved Instances

D. Spot Instances

Answer: B

Compute Savings Plans are a flexible and cost-effective way to optimize long-term compute costs of
AWS Lambda functions and Amazon EC2 instances. With Compute Savings Plans, customers can
commit to a consistent amount of compute usage (measured in $/hour) for a 1-year or 3-year term
and receive a discount of up to 66% compared to On-Demand prices3. Dedicated Hosts are physical
servers with EC2 instance capacity fully dedicated to the customer’s use. They are suitable for
customers who have specific server-bound software licenses or compliance requirements 4.
Reserved Instances are a pricing model that provides a significant discount (up to 75%) compared to
On-Demand pricing and a capacity reservation for EC2 instances. They are available in 1-year or 3-
year terms and different payment options 5. Spot Instances are spare EC2 instances that are
available at up to 90% discount compared to On-Demand prices. They are suitable for customers
who have flexible start and end times, can withstand interruptions, and can handle excess capacity.

QUESTION NO: 565

Which task can a company perform by using security groups in the AWS Cloud?

A. Allow access to an Amazon EC2 instance through only a specific port.

B. Deny access to malicious IP addresses at a subnet level.

C. Protect data that is cached by Amazon CloudFront.

D. Apply a stateless firewall to an Amazon EC2 instance.

Answer: A

Security groups are virtual firewalls that control the inbound and outbound traffic for Amazon EC2
instances. They can be used to allow access to an Amazon EC2 instance through only a specific
port, such as port 22 for SSH or port 80 for HTTP. Security groups cannot deny access to malicious
IP addresses at a subnet level, as they only allow or deny traffic based on the rules defined by the
customer. To block malicious IP addresses, customers can use network ACLs, which are stateless
firewalls that can be applied to subnets. Security groups cannot protect data that is cached by
Amazon CloudFront, as they only apply to EC2 instances. To protect data that is cached by Amazon
CloudFront, customers can use encryption, signed URLs, or signed cookies. Security groups are not
stateless firewalls, as they track the state of the traffic and automatically allow the response traffic
to flow back to the source. Stateless firewalls do not track the state of the traffic and require rules
for both inbound and outbound traffic.

QUESTION NO: 566

A company needs to centralize its operational data. The company also needs to automate tasks across
all of its Amazon EC2 instances.

Which AWS service can the company use to meet these requirements?

A. AWS Trusted Advisor

B. AWS Systems Manager

C. AWS CodeDeploy
D. AWS Elastic Beanstalk

Answer: B

AWS Systems Manager is a service that enables users to centralize and automate the management
of their AWS resources. It provides a unified user interface to view operational data, such as
inventory, patch compliance, and performance metrics. It also allows users to automate common
and repetitive tasks, such as patching, backup, and configuration management, across all of their
Amazon EC2 instances1. AWS Trusted Advisor is a service that provides best practices and
recommendations to optimize the performance, security, and cost of AWS resources 2. AWS
CodeDeploy is a service that automates the deployment of code and applications to Amazon EC2
instances or other compute services3. AWS Elastic Beanstalk is a service that simplifies the
deployment and management of web applications using popular platforms, such as Java, PHP, and
Node.js4.

QUESTION NO: 567

A company needs Amazon EC2 instances for a workload that can tolerate interruptions.

Which EC2 instance purchasing option meets this requirement with the LARGEST discount compared to
On-Demand prices?

A. Spot Instances

B. Convertible Reserved Instances

C. Standard Reserved Instances

D. Dedicated Hosts

Answer: A

Spot Instances are spare Amazon EC2 instances that are available at up to 90% discount compared
to On-Demand prices. They are suitable for workloads that can tolerate interruptions, such as batch
processing, data analysis, and testing. Spot Instances are allocated based on the current supply and
demand, and can be reclaimed by AWS with a two-minute notice when the demand exceeds the
supply5. Convertible Reserved Instances are a type of Reserved Instances that provide a significant
discount (up to 54%) compared to On-Demand prices and a capacity reservation for Amazon EC2
instances. They are available in 1-year or 3-year terms and allow users to change the instance family,
size, operating system, or tenancy during the term. Standard Reserved Instances are another type of
Reserved Instances that provide a larger discount (up to 75%) compared to On-Demand prices and a
capacity reservation for Amazon EC2 instances. They are available in 1-year or 3-year terms and do
not allow users to change the instance attributes during the term. Dedicated Hosts are physical
servers with Amazon EC2 instance capacity fully dedicated to the user’s use. They are suitable for
users who have specific server-bound software licenses or compliance requirements.

QUESTION NO: 568

Which AWS service can defend against DDoS attacks?

A. AWS Firewall Manager

B. AWS Shield Standard

C. AWS WAF

D. Amazon Inspector

Answer: B

AWS Shield Standard is a service that provides protection against Distributed Denial of Service
(DDoS) attacks for all AWS customers at no additional charge. It automatically detects and mitigates
the most common and frequently occurring network and transport layer DDoS attacks that target
AWS resources, such as Amazon EC2 instances, Elastic Load Balancers, Amazon CloudFront
distributions, and Amazon Route 53 hosted zones. AWS Firewall Manager is a service that allows
users to centrally configure and manage firewall rules across their AWS accounts and resources,
such as AWS WAF web ACLs, AWS Shield Advanced protections, and Amazon VPC security groups.
AWS WAF is a web application firewall that helps protect web applications from common web
exploits, such as SQL injection, cross-site scripting, and bot attacks. Amazon Inspector is an
automated security assessment service that helps improve the security and compliance of
applications deployed on AWS. It analyzes the behavior of the applications and checks for
vulnerabilities, exposures, and deviations from best practices.

QUESTION NO: 569

A company wants its Amazon EC2 instances to share the same geographic area but use redundant
underlying power sources.

Which solution will meet these requirements?

A. Use EC2 instances across multiple Availability Zones in the same AWS Region.

B. Use Amazon CloudFront as the database for the EC2 instances.

C. Use EC2 instances in the same edge location and the same Availability Zone.

D. Use EC2 instances in AWS OpsWorks stacks in different AWS Regions.

Answer: A

Using EC2 instances across multiple Availability Zones in the same AWS Region is a solution that
meets the requirements of sharing the same geographic area but using redundant underlying power
sources. Availability Zones are isolated locations within an AWS Region that have independent
power, cooling, and physical security. They are connected through low-latency, high-throughput, and
highly redundant networking. By launching EC2 instances in different Availability Zones, users can
increase the fault tolerance and availability of their applications. Amazon CloudFront is a content
delivery network (CDN) service that speeds up the delivery of web content and media to end users by
caching it at the edge locations closer to them. It is not a database service and cannot be used to
store operational data for EC2 instances. Edge locations are sites that are part of the Amazon
CloudFront network and are located in many cities around the world. They are not the same as
Availability Zones and do not provide redundancy for EC2 instances. AWS OpsWorks is a
configuration management service that allows users to automate the deployment and management
of applications using Chef or Puppet. It can be used to create stacks that span multiple AWS
Regions, but this would not meet the requirement of sharing the same geographic area.

QUESTION NO: 570

A company needs to design a solution for the efficient use of compute resources for an enterprise
workload. The company needs to make informed decisions as its technology needs evolve.

Which pillar of the AWS Well-Architected Framework do these requirements represent?

A. Operational excellence

B. Performance efficiency

C. Cost optimization

D. Reliability

Answer: B

Performance efficiency is the pillar of the AWS Well-Architected Framework that represents the
requirements of designing a solution for the efficient use of compute resources for an enterprise
workload and making informed decisions as the technology needs evolve. It focuses on using the
right resources and services for the workload, monitoring performance, and continuously improving
the efficiency of the solution. Operational excellence is the pillar of the AWS Well-Architected
Framework that represents the ability to run and monitor systems to deliver business value and to
continually improve supporting processes and procedures. Cost optimization is the pillar of the AWS
Well-Architected Framework that represents the ability to run systems to deliver business value at
the lowest price point. Reliability is the pillar of the AWS Well-Architected Framework that represents
the ability of a system to recover from infrastructure or service disruptions, dynamically acquire
computing resources to meet demand, and mitigate disruptions such as misconfigurations or
transient network issues.

QUESTION NO: 571

What does "security of the cloud" refer to in the AWS shared responsibility model?

A. Availability of AWS services such as Amazon EC2

B. Security of the cloud infrastructure that runs all the AWS services

C. Implementation of password policies for IAM users

D. Security of customer environments by using AWS Network Firewall partners

Answer: B

Security of the cloud refers to the security of the cloud infrastructure that runs all the AWS services.
This includes the hardware, software, networking, and facilities that AWS operates and manages.
AWS is responsible for protecting the security of the cloud as part of the AWS shared responsibility
model. Availability of AWS services such as Amazon EC2 refers to the ability of the services to be up
and running and to meet the expected performance. Availability is part of the reliability pillar of the
AWS Well-Architected Framework and is a shared responsibility between AWS and the customer .
Implementation of password policies for IAM users refers to the security of the customer data and
applications in the cloud. This includes the configuration and management of IAM user permissions,
encryption keys, security group rules, network ACLs, and other aspects of access management. The
customer is responsible for protecting the security in the cloud as part of the AWS shared
responsibility model. Security of customer environments by using AWS Network Firewall partners
refers to the security of the customer data and applications in the cloud. AWS Network Firewall is a
managed service that provides network protection for Amazon VPCs. It allows customers to use
AWS Marketplace partners to implement firewall rules and policies. The customer is responsible for
protecting the security in the cloud as part of the AWS shared responsibility model .

QUESTION NO: 572

Which AWS service or tool should a company use to forecast AWS spending?

A. Amazon DevPay

B. AWS Organizations

C. AWS Trusted Advisor

D. Cost Explorer

Answer: D

Cost Explorer is an AWS service or tool that can be used to forecast AWS spending. It allows users
to analyze their AWS costs and usage using interactive graphs and tables. It also provides features
such as filtering, grouping, and forecasting to help users plan their future spending. Amazon DevPay
is an AWS service that allows developers to sell applications that are built on AWS services. It
handles the billing and metering for the customers of the applications and collects payments from
them. It is not a tool for forecasting AWS spending. AWS Organizations is an AWS service that
allows users to centrally manage and govern their AWS accounts. It provides features such as
creating groups of accounts, applying policies, and automating account creation. It is not a tool for
forecasting AWS spending. AWS Trusted Advisor is an AWS service that provides best practices and
recommendations to optimize the performance, security, and cost of AWS resources. It can help
users identify opportunities to reduce their AWS costs, but it is not a tool for forecasting AWS
spending
QUESTION NO: 573

Which AWS service is always free of charge for users?

A. Amazon S3

B. Amazon Aurora

C. Amazon EC2

D. AWS Identity and Access Management (IAM)

Answer: D

AWS Identity and Access Management (IAM) is a service that allows users to manage access to
AWS resources and services. It enables users to create and manage users, groups, roles, and
policies that control who can do what in AWS. IAM is always free of charge for users, as there is no
additional cost for using IAM with any AWS service1. Amazon S3 is a storage service that provides
scalable, durable, and secure object storage. Amazon S3 has a free tier that offers 5 GB of storage,
20,000 GET requests, and 2,000 PUT requests per month for one year. However, users are charged
for any additional usage beyond the free tier limits 2. Amazon Aurora is a relational database service
that is compatible with MySQL and PostgreSQL. Amazon Aurora has a free tier that offers 750 hours
of Aurora Single-AZ db.t2.small database usage and 20 GB of storage per month for one
year. However, users are charged for any additional usage beyond the free tier limits 3. Amazon EC2
is a compute service that provides resizable virtual servers. Amazon EC2 has a free tier that offers
750 hours of Linux and Windows t2.micro instances per month for one year. However, users are
charged for any additional usage beyond the free tier limits 4.

QUESTION NO: 574

A company has multiple AWS accounts that include compute workloads that cannot be interrupted. The
company wants to obtain billing discounts that are based on the company's use of AWS services.

Which AWS feature or purchasing option will meet these requirements?

A. Resource tagging

B. Consolidated billing

C. Pay-as-you-go pricing

D. Spot Instances

Answer: B

Consolidated billing is an AWS feature that allows users to combine the usage and costs of multiple
AWS accounts into a single bill. This enables users to obtain billing discounts that are based on the
company’s use of AWS services, such as volume pricing tiers, Reserved Instance discounts, and
Savings Plans discounts5. Resource tagging is an AWS feature that allows users to assign metadata
to AWS resources, such as EC2 instances, S3 buckets, and Lambda functions. This enables users to
organize, track, and manage their AWS resources, such as filtering, grouping, and reporting. Pay-as-
you-go pricing is an AWS pricing model that allows users to pay only for the resources and services
they use, without any upfront or long-term commitments. This enables users to lower their costs by
scaling up or down as needed, and avoiding over-provisioning or under-utilization. Spot Instances
are spare EC2 instances that are available at up to 90% discount compared to On-Demand prices.
They are suitable for workloads that can tolerate interruptions, such as batch processing, data
analysis, and testing. Spot Instances are allocated based on the current supply and demand, and can
be reclaimed by AWS with a two-minute notice when the demand exceeds the supply.

QUESTION NO: 575

A company has an environment that includes Amazon EC2 instances, Amazon Lightsail, and on-premises
servers. The company wants to automate the security updates for its operating systems and
applications.

Which solution will meet these requirements with the LEAST operational effort?

A. Use AWS Shield to identify and manage security events.

B. Connect to each server by using a remote desktop connection. Run an update script.

C. Use the AWS Systems Manager Patch Manager capability.

D. Schedule Amazon GuardDuty to run on a nightly basis.

Answer: C

AWS Systems Manager Patch Manager is a capability that allows users to automate the security
updates for their operating systems and applications. It enables users to scan their instances for
missing patches, define patch baselines, schedule patching windows, and monitor patch
compliance. It supports Amazon EC2 instances, Amazon Lightsail instances, and on-premises
servers. AWS Shield is a service that provides protection against Distributed Denial of Service
(DDoS) attacks for AWS resources and services. It does not automate the security updates for
operating systems and applications. Connecting to each server by using a remote desktop
connection and running an update script is a manual and time-consuming solution that requires a lot
of operational effort. It is not a recommended best practice for automating the security updates for
operating systems and applications. Amazon GuardDuty is a service that provides intelligent threat
detection and continuous monitoring for AWS accounts and resources. It does not automate the
security updates for operating systems and applications.

QUESTION NO: 576

A company that is planning to migrate to the AWS Cloud is based in an isolated area that has limited
internet connectivity. The company needs to perform local data processing on premises. The company
needs a solution that can operate without a stable internet connection.
Which AWS service will meet these requirements?

A. Amazon S3

B. AWS Snowball Edge

C. AWS StorageGateway

D. AWS Backup

Answer: B

AWS Snowball Edge is a service that provides a physical device that can store up to 100 TB of data
and perform local data processing on premises. It enables users to transfer data to and from the
AWS Cloud in areas with limited or no internet connectivity. It also supports AWS Greengrass, which
allows users to run AWS Lambda functions and other AWS services locally without a stable internet
connection. Amazon S3 is a storage service that provides scalable, durable, and secure object
storage. It requires a stable internet connection to transfer data to and from the AWS Cloud. AWS
Storage Gateway is a service that provides a hybrid storage solution that connects on-premises
applications to AWS Cloud storage services, such as Amazon S3, Amazon S3 Glacier, and Amazon
EBS. It requires a stable internet connection to synchronize data between the on-premises and cloud
storage. AWS Backup is a service that provides a centralized and automated solution to back up
data across AWS services and on-premises resources. It requires a stable internet connection to
transfer data to and from the AWS Cloud.

QUESTION NO: 577

A company wants to migrate its applications to the AWS Cloud. The company plans to identify and
prioritize any

business transformation opportunities and evaluate its AWS Cloud readiness.

Which AWS service or tool should the company use to meet these requirements?

A. AWS Cloud Adoption Framework (AWS CAF)

B. AWS Managed Services (AMS)

C. AWS Well-Architected Framework

D. AWS Migration Hub

Answer: A

AWS Cloud Adoption Framework (AWS CAF) is a service or tool that helps users migrate their
applications to the AWS Cloud. It provides guidance and best practices to identify and prioritize any
business transformation opportunities and evaluate their AWS Cloud readiness. It also helps users
align their business and technical perspectives, create an actionable roadmap, and measure their
progress. AWS Managed Services (AMS) is a service that provides operational services for AWS
infrastructure and applications. It helps users reduce their operational overhead and risk, and focus
on their core business. It does not help users identify and prioritize any business transformation
opportunities and evaluate their AWS Cloud readiness. AWS Well-Architected Framework is a tool
that helps users design and implement secure, high-performing, resilient, and efficient solutions on
AWS. It provides a set of questions and best practices across five pillars: operational excellence,
security, reliability, performance efficiency, and cost optimization. It does not help users identify and
prioritize any business transformation opportunities and evaluate their AWS Cloud readiness. AWS
Migration Hub is a service that provides a single location to track and manage the migration of
applications to AWS. It helps users discover their on-premises servers, group them into applications,
and choose the right migration tools. It does not help users identify and prioritize any business
transformation opportunities and evaluate their AWS Cloud readiness.

QUESTION NO: 578

Which controls are the responsibility of both AWS and AWS customers, according to the AWS shared
responsibility model? (Select TWO.)

A. Physical and environmental controls

B. Patch management

C. Configuration management

D. Account structures

E. Choice of the AWS Region where data is stored

Answer: B, C

Patch management and configuration management are controls that are the responsibility of both
AWS and AWS customers, according to the AWS shared responsibility model. Patch management is
the process of applying updates to software and applications to fix vulnerabilities, bugs, or
performance issues. Configuration management is the process of defining and maintaining the
settings and parameters of systems and applications to ensure their consistency and reliability.
AWS is responsible for patching and configuring the software and services that it manages, such as
the AWS global infrastructure, the hypervisor, and the AWS managed services. The customer is
responsible for patching and configuring the software and services that they manage, such as the
guest operating system, the applications, and the AWS customer-managed services. Physical and
environmental controls are the responsibility of AWS, according to the AWS shared responsibility
model. Physical and environmental controls are the measures that protect the physical security and
availability of the AWS global infrastructure, such as power, cooling, fire suppression, and access
control. AWS is responsible for maintaining these controls and ensuring the resilience and reliability
of the AWS Cloud. Account structures are the responsibility of the customer, according to the AWS
shared responsibility model. Account structures are the ways that customers organize and manage
their AWS accounts and resources, such as using AWS Organizations, IAM users and roles, resource
tagging, and billing preferences. The customer is responsible for creating and configuring these
structures and ensuring the security and governance of their AWS environment. Choice of the AWS
Region where data is stored is the responsibility of the customer, according to the AWS shared
responsibility model. AWS Regions are geographic areas that consist of multiple isolated Availability
Zones. Customers can choose which AWS Region to store their data and run their applications,
depending on their latency, compliance, and cost requirements. The customer is responsible for
selecting the appropriate AWS Region and ensuring the data sovereignty and regulatory compliance
of their data.

QUESTION NO: 579

A company wants to implement controls (guardrails) in a newly created AWS Control Tower landing
zone.

Which AWS services or features can the company use to create and define these controls (guardrails)?
(Select TWO.)

A. AWS Config

B. Service control policies (SCPs)

C. Amazon GuardDuty

D. AWS Identity and Access Management (IAM)

E. Security groups

Answer: A, B

AWS Config and service control policies (SCPs) are AWS services or features that the company can
use to create and define controls (guardrails) in a newly created AWS Control Tower landing zone.
AWS Config is a service that enables users to assess, audit, and evaluate the configurations of their
AWS resources. It can be used to create rules that check for compliance with the desired
configurations and report any deviations. AWS Control Tower provides a set of predefined AWS
Config rules that can be enabled as guardrails to enforce compliance across the landing zone 1.
Service control policies (SCPs) are a type of policy that can be used to manage permissions in AWS
Organizations. They can be used to restrict the actions that the users and roles in the member
accounts can perform on the AWS resources. AWS Control Tower provides a set of predefined SCPs
that can be enabled as guardrails to prevent access to certain services or regions across the landing
zone2. Amazon GuardDuty is a service that provides intelligent threat detection and continuous
monitoring for AWS accounts and resources. It is not a feature that can be used to create and define
controls (guardrails) in a landing zone. AWS Identity and Access Management (IAM) is a service that
allows users to manage access to AWS resources and services. It can be used to create users,
groups, roles, and policies that control who can do what in AWS. It is not a feature that can be used
to create and define controls (guardrails) in a landing zone. Security groups are virtual firewalls that
control the inbound and outbound traffic for Amazon EC2 instances. They can be used to allow or
deny access to an EC2 instance based on the port, protocol, and source or destination. They are not
a feature that can be used to create and define controls (guardrails) in a landing zone.
QUESTION NO: 580

A developer wants to use an Amazon S3 bucket to store application logs that contain sensitive data.

Which AWS service or feature should the developer use to restrict read and write access to the S3
bucket?

A. Security groups

B. Amazon CloudWatch

C. AWS CloudTrail

D. ACLs

Answer: D

ACLs are an AWS service or feature that the developer can use to restrict read and write access to
the S3 bucket. ACLs are access control lists that grant basic permissions to other AWS accounts or
predefined groups. They can be used to grant read or write access to an S3 bucket or an object 3.
Security groups are virtual firewalls that control the inbound and outbound traffic for Amazon EC2
instances. They are not a service or feature that can be used to restrict access to an S3 bucket.
Amazon CloudWatch is a service that provides monitoring and observability for AWS resources and
applications. It can be used to collect and analyze metrics, logs, events, and alarms. It is not a
service or feature that can be used to restrict access to an S3 bucket. AWS CloudTrail is a service
that provides governance, compliance, and audit for AWS accounts and resources. It can be used to
track and record the API calls and user activity in AWS. It is not a service or feature that can be used
to restrict access to an S3 bucket.

QUESTION NO: 581

Which AWS service or tool helps companies measure the environmental impact of their AWS usage?

A. AWS customer carbon footprint tool

B. AWS Compute Optimizer

C. Sustainability pillar

D. OS-Climate (Open Source Climate Data Commons)

Answer: A

AWS customer carbon footprint tool is an AWS service or tool that helps companies measure the
environmental impact of their AWS usage. It allows users to estimate the carbon emissions
associated with their AWS resources and services, such as EC2, S3, and Lambda. It also provides
recommendations and best practices to reduce the carbon footprint and improve the sustainability
of their AWS workloads4. AWS Compute Optimizer is an AWS service that helps users optimize the
performance and cost of their EC2 instances and Auto Scaling groups. It provides recommendations
for optimal instance types, sizes, and configurations based on the workload characteristics and
utilization metrics. It does not help users measure the environmental impact of their AWS usage.
Sustainability pillar is a concept that refers to the ability of a system to operate in an environmentally
friendly and socially responsible manner. It is not an AWS service or tool that helps users measure
the environmental impact of their AWS usage. OS-Climate (Open Source Climate Data Commons) is
an initiative that aims to provide open source data, tools, and platforms to accelerate climate action
and innovation. It is not an AWS service or tool that helps users measure the environmental impact
of their AWS usage.

QUESTION NO: 582

Which option is a perspective that includes foundational capabilities of the AWS Cloud Adoption
Framework (AWS CAF)?

A. Sustainability

B. Operations

C. Performance efficiency

D. Reliability

Answer: B

Operations is an option that is a perspective that includes foundational capabilities of the AWS
Cloud Adoption Framework (AWS CAF). Operations is one of the six perspectives of the AWS CAF,
along with business, people, governance, platform, and security. Operations focuses on the
processes and procedures to support the ongoing management and maintenance of the cloud-
based IT assets. It covers topics such as monitoring, backup and recovery, change management,
incident management, and automation5. Sustainability is not a perspective of the AWS CAF, but a
concept that refers to the ability of a system to operate in an environmentally friendly and socially
responsible manner. Performance efficiency is not a perspective of the AWS CAF, but a pillar of the
AWS Well-Architected Framework. It focuses on using the right resources and services for the
workload, monitoring performance, and continuously improving the efficiency of the solution.
Reliability is not a perspective of the AWS CAF, but a pillar of the AWS Well-Architected Framework.
It focuses on the ability of a system to recover from infrastructure or service disruptions,
dynamically acquire computing resources to meet demand, and mitigate disruptions such as
misconfigurations or transient network issues.

QUESTION NO: 583

Which AWS service can a company use to securely store and encrypt passwords for a database?

A. AWS Shield

B. AWS Secrets Manager

C. AWS Identity and Access Management (IAM)

D. Amazon Cognito

Answer: B

AWS Secrets Manager is an AWS service that can be used to securely store and encrypt passwords
for a database. It allows users to manage secrets, such as database credentials, API keys, and
tokens, in a centralized and secure way. It also provides features such as automatic rotation, fine-
grained access control, and auditing. AWS Shield is an AWS service that provides protection against
Distributed Denial of Service (DDoS) attacks for AWS resources and services. It does not store or
encrypt passwords for a database. AWS Identity and Access Management (IAM) is an AWS service
that allows users to manage access to AWS resources and services. It can be used to create users,
groups, roles, and policies that control who can do what in AWS. It does not store or encrypt
passwords for a database. Amazon Cognito is an AWS service that provides user identity and data
synchronization for web and mobile applications. It can be used to authenticate and authorize users,
manage user profiles, and sync user data across devices. It does not store or encrypt passwords for
a database.

QUESTION NO: 584

Which of the following is the customer's responsibility, according to the AWS shared responsibility
model?

A. Identity and access management

B. Hard drive initialization

C. Protection of data center hardware

D. Security of Availability Zones

Answer: A

Identity and access management is the customer’s responsibility, according to the AWS shared
responsibility model. This means that the customer is responsible for managing user access to the
AWS resources, using tools such as AWS Identity and Access Management (IAM), AWS Single Sign-
On (SSO), and AWS Organizations. The customer is also responsible for securing their data in transit
and at rest, using encryption, key management, and other methods. Hard drive initialization,
protection of data center hardware, and security of Availability Zones are AWS’s responsibility, as
they are part of the infrastructure, physical security, and network security that AWS provides to the
customer12

QUESTION NO: 585

A company wants to create multiple isolated networks in the same AWS account.

Which AWS service or component will provide this functionality?

A. AWS Transit Gateway

B. Internet gateway

C. Amazon VPC

D. Amazon EC2

Answer: C

Amazon Virtual Private Cloud (Amazon VPC) is the AWS service that allows customers to create
multiple isolated networks in the same AWS account. A VPC is a logically isolated section of the
AWS Cloud where customers can launch AWS resources in a virtual network that they define.
Customers can create multiple VPCs within an AWS account, each with its own IP address range,
subnets, route tables, security groups, network access control lists, gateways, and other
components. AWS Transit Gateway, Internet gateway, and Amazon EC2 are not services or
components that provide the functionality of creating multiple isolated networks in the same AWS
account. AWS Transit Gateway is a service that enables customers to connect their Amazon VPCs
and their on-premises networks to a single gateway. An Internet gateway is a component that
enables communication between instances in a VPC and the Internet. Amazon EC2 is a service that
provides scalable compute capacity in the cloud 34

QUESTION NO: 586

Which AWS service offers a global content delivery network (CDN) that helps companies securely deliver
websites, videos, applications,

and APIs at high speeds with low latency?

A. Amazon EC2

B. Amazon CloudFront

C. Amazon CloudWatch

D. AWS CloudFormation

Answer: B

Amazon CloudFront is the AWS service that offers a global content delivery network (CDN) that
helps companies securely deliver websites, videos, applications, and APIs at high speeds with low
latency. Amazon CloudFront is a web service that speeds up distribution of static and dynamic web
content, such as HTML, CSS, JavaScript, and image files, to users. Amazon CloudFront uses a global
network of edge locations, located near users’ geographic locations, to cache and serve content with
high availability and performance. Amazon CloudFront also provides features such as AWS Shield
for DDoS protection, AWS Certificate Manager for SSL/TLS encryption, AWS WAF for web
application firewall, and AWS Lambda@Edge for customizing content delivery with serverless code.
Amazon EC2, Amazon CloudWatch, and AWS CloudFormation are not services that offer a global
CDN. Amazon EC2 is a service that provides scalable compute capacity in the cloud. Amazon
CloudWatch is a service that provides monitoring and observability for AWS resources and
applications. AWS CloudFormation is a service that provides a common language to model and
provision AWS resources and their dependencies.

QUESTION NO: 587

Which benefit of AWS Cloud computing provides lower latency between users and applications?

A. Agility

B. Economies of scale

C. Global reach

D. Pay-as-you-go pricing

Answer: C

Global reach is the benefit of AWS Cloud computing that provides lower latency between users and
applications. Global reach means that AWS customers can deploy their applications and data in
multiple regions around the world, and deliver them to users with high performance and availability.
AWS has the largest global infrastructure of any cloud provider, with 25 geographic regions and 81
Availability Zones, as well as 216 Points of Presence in 84 cities across 42 countries. Customers can
choose the optimal locations for their applications and data based on their business requirements,
such as compliance, data sovereignty, and customer proximity. Agility, economies of scale, and pay-
as-you-go pricing are other benefits of AWS Cloud computing, but they do not directly provide lower
latency between users and applications. Agility means that AWS customers can quickly and easily
provision and scale up or down AWS resources as needed, without upfront costs or long-term
commitments. Economies of scale means that AWS customers can benefit from the lower costs
and higher efficiency that AWS achieves by operating at a massive scale and passing the savings to
the customers. Pay-as-you-go pricing means that AWS customers only pay for the AWS resources
they use, without any upfront costs or long-term contracts.

QUESTION NO: 588

Which design principles should a company apply to AWS Cloud workloads to maximize sustainability and
minimize environmental impact? (Select TWO.)

A. Maximize utilization of Amazon EC2 instances.

B. Minimize utilization of Amazon EC2 instances.

C. Minimize usage of managed services.

D. Force frequent application reinstallations by users.

E. Reduce the need for users to reinstall applications.

Answer: A, E

To maximize sustainability and minimize environmental impact, a company should apply the
following design principles to AWS Cloud workloads: maximize utilization of Amazon EC2 instances
and reduce the need for users to reinstall applications. Maximizing utilization of Amazon EC2
instances means that the company can optimize the performance and efficiency of their compute
resources, and avoid wasting energy and money on idle or underutilized instances. The company
can use features such as Amazon EC2 Auto Scaling, Amazon EC2 Spot Instances, and AWS
Compute Optimizer to automatically adjust the number and type of instances based on demand,
cost, and performance. Reducing the need for users to reinstall applications means that the
company can minimize the amount of data and bandwidth required to deliver their applications to
users, and avoid unnecessary downloads and updates that consume energy and resources. The
company can use services such as Amazon CloudFront, AWS AppStream 2.0, and AWS Amplify to
deliver their applications faster, more securely, and more efficiently to users across the globe.
Minimizing utilization of Amazon EC2 instances, minimizing usage of managed services, and forcing
frequent application reinstallations by users are not design principles that would maximize
sustainability and minimize environmental impact. Minimizing utilization of Amazon EC2 instances
would reduce the performance and efficiency of the compute resources, and potentially increase the
costs and complexity of the cloud workloads. Minimizing usage of managed services would
increase the operational overhead and responsibility of the company, and potentially expose them to
more security and reliability risks. Forcing frequent application reinstallations by users would
increase the amount of data and bandwidth required to deliver the applications to users, and
potentially degrade the user experience and satisfaction.

QUESTION NO: 589

An ecommerce company wants to design a highly available application that will be hosted on multiple
Amazon EC2 instances.

How should the company deploy the EC2 instances to meet these requirements?

A. Across multiple edge locations

B. Across multiple VPCs

C. Across multiple Availability Zones

D. Across multiple AWS accounts

Answer: C

The company should deploy the EC2 instances across multiple Availability Zones to design a highly
available application. Availability Zones are isolated locations within an AWS Region that are
engineered to be fault-tolerant and operate independently of each other. By deploying the EC2
instances across multiple Availability Zones, the company can ensure that their application can
withstand the failure of an entire Availability Zone and continue to operate with minimal disruption.
Deploying the EC2 instances across multiple edge locations, VPCs, or AWS accounts will not provide
the same level of availability and fault tolerance as Availability Zones. Edge locations are part of the
Amazon CloudFront service, which is a content delivery network (CDN) that caches and serves web
content to users. VPCs are virtual networks that isolate the AWS resources within an AWS
Region. AWS accounts are the primary units of ownership and access control for AWS resources 12

QUESTION NO: 590

Which AWS Cloud design principle does a company follow by using AWS CloudTrail?

A. Recover automatically.

B. Perform operations as code.

C. Measure efficiency.

D. Ensure traceability.

Answer: D

The company follows the AWS Cloud design principle of ensuring traceability by using AWS
CloudTrail. AWS CloudTrail is a service that records the API calls and events made by or on behalf of
the AWS account. The company can use AWS CloudTrail to monitor, audit, and analyze the activity
and changes in their AWS resources and applications. AWS CloudTrail helps the company to achieve
compliance, security, governance, and operational efficiency. Recovering automatically, performing
operations as code, and measuring efficiency are other AWS Cloud design principles, but they are
not directly related to using AWS CloudTrail. Recovering automatically means that the company can
design their cloud workloads to handle failures gracefully and resume normal operations without
manual intervention. Performing operations as code means that the company can automate the
creation, configuration, and management of their cloud resources using scripts or
templates. Measuring efficiency means that the company can monitor and optimize the
performance and utilization of their cloud resources and applications 34

QUESTION NO: 591

A company wants to move its data warehouse application to the AWS Cloud. The company wants to run
and scale its analytics services without needing to provision and manage data warehouse clusters.

Which AWS service will meet these requirements?

A. Amazon Redshift provisioned data warehouse

B. Amazon Redshift Serverless

C. Amazon Athena

D. Amazon S3

Answer: B
 Amazon Redshift Serverless is the AWS service that will meet the requirements of the company that
wants to move its data warehouse application to the AWS Cloud and run and scale its analytics
services without needing to provision and manage data warehouse clusters. Amazon Redshift
Serverless is a new feature of Amazon Redshift, which is a fully managed data warehouse service
that allows customers to run complex queries and analytics on large volumes of structured and
semi-structured data. Amazon Redshift Serverless automatically scales the compute and storage
resources based on the workload demand, and customers only pay for the resources they consume.
Amazon Redshift Serverless also simplifies the management and maintenance of the data
warehouse, as customers do not need to worry about choosing the right cluster size, resizing the
cluster, or distributing the data across the nodes. Amazon Redshift provisioned data warehouse,
Amazon Athena, and Amazon S3 are not the best services to meet the requirements of the
company. Amazon Redshift provisioned data warehouse requires customers to choose the number
and type of nodes for their cluster, and manually resize the cluster if their workload changes.
Amazon Athena is a serverless query service that allows customers to analyze data stored in
Amazon S3 using standard SQL, but it is not a data warehouse service that can store and organize
the data. Amazon S3 is a scalable object storage service that can store any amount and type of data,
but it is not a data warehouse service that can run complex queries and analytics on the data.

QUESTION NO: 592

Which tasks are the responsibility of AWS according to the AWS shared responsibility model? (Select
TWO.)

A. Configure AWS Identity and Access Management (IAM).

B. Configure security groups on Amazon EC2 instances.

C. Secure the access of physical AWS facilities.

D. Patch applications that run on Amazon EC2 instances.

E. Perform infrastructure patching and maintenance.

Answer: C, E

The tasks that are the responsibility of AWS according to the AWS shared responsibility model are
securing the access of physical AWS facilities and performing infrastructure patching and
maintenance. The AWS shared responsibility model defines the division of responsibilities between
AWS and the customer for security and compliance. AWS is responsible for the security of the cloud,
which includes the physical security of the hardware, software, networking, and facilities that run the
AWS services. AWS is also responsible for the maintenance and patching of the infrastructure that
supports the AWS services. The customer is responsible for the security in the cloud, which includes
the configuration and management of the AWS resources and applications that they use.
Configuring AWS Identity and Access Management (IAM), configuring security groups on Amazon
EC2 instances, and patching applications that run on Amazon EC2 instances are tasks that are the
responsibility of the customer, not AWS.
QUESTION NO: 593

A company is running an order processing system on Amazon EC2 instances. The company wants to
migrate microservices-based application.

Which combination of AWS services can the application use to meet these requirements? (Select TWO.)

A. Amazon Simple Queue Service (Amazon SQS)

B. AWS Lambda

C. AWS Migration Hub

D. AWS AppSync

E. AWS Application Migration Service

Answer: A, B

The combination of AWS services that the application can use to migrate to a microservices-based
application are Amazon Simple Queue Service (Amazon SQS) and AWS Lambda. Amazon SQS is a
fully managed message queuing service that enables customers to decouple and scale
microservices, distributed systems, and serverless applications. The application can use Amazon
SQS to send, store, and receive messages between the microservices, ensuring that each message
is processed only once and in the right order. AWS Lambda is a serverless compute service that
allows customers to run code without provisioning or managing servers. The application can use
AWS Lambda to create and deploy microservices as functions that are triggered by events, such as
messages from Amazon SQS. AWS Migration Hub, AWS AppSync, and AWS Application Migration
Service are not the best services to use for migrating to a microservices-based application. AWS
Migration Hub is a service that provides a single location to track the progress of application
migrations across multiple AWS and partner solutions. AWS AppSync is a service that simplifies the
development of GraphQL APIs for real-time and offline data synchronization. AWS Application
Migration Service is a service that enables customers to migrate their on-premises applications to
AWS without making any changes to the applications, servers, or databases.

QUESTION NO: 594

A company wants to access a report about the estimated environmental impact of the company's AWS
usage.

Which AWS service or feature should the company use to meet this requirement?

A. AWS Organizations

B. IAM policy

C. AWS Billing console

D. Amazon Simple Notification Service (Amazon SNS)

Answer: C

The company should use the AWS Billing console to access a report about the estimated
environmental impact of the company’s AWS usage. The AWS Billing console provides customers
with various tools and reports to manage and monitor their AWS costs and usage. One of the reports
available in the AWS Billing console is the AWS Sustainability Dashboard, which shows the
estimated carbon footprint and energy mix of the customer’s AWS usage. The company can use this
dashboard to measure and improve the sustainability of their cloud workloads. AWS Organizations,
IAM policy, and Amazon Simple Notification Service (Amazon SNS) are not services or features that
can provide a report about the estimated environmental impact of the company’s AWS usage. AWS
Organizations is a service that enables customers to centrally manage and govern their AWS
accounts. IAM policy is a document that defines the permissions for an IAM identity (user, group, or
role) or an AWS resource. Amazon SNS is a fully managed pub/sub messaging service that enables
customers to send messages to subscribers or other AWS services.

QUESTION NO: 595

A company has an AWS-hosted website located behind an Application Load Balancer. The company
wants to safeguard the website from SQL injection or cross-site scripting.

Which AWS service should the company use?

A. Amazon GuardDuty

B. AWS WAF

C. AWS Trusted Advisor

D. Amazon Inspector

Answer: B

The company should use AWS WAF to safeguard the website from SQL injection or cross-site
scripting. AWS WAF is a web application firewall that helps protect web applications from common
web exploits that could affect availability, compromise security, or consume excessive resources.
The company can use AWS WAF to create custom rules that block malicious requests that match
certain patterns, such as SQL injection or cross-site scripting. AWS WAF can be applied to web
applications that are behind an Application Load Balancer, Amazon CloudFront, or Amazon API
Gateway. Amazon GuardDuty, AWS Trusted Advisor, and Amazon Inspector are not the best services
to use for this purpose. Amazon GuardDuty is a threat detection service that monitors for malicious
activity and unauthorized behavior across the AWS accounts and resources. AWS Trusted Advisor is
a service that provides best practice recommendations for cost optimization, performance, security,
and fault tolerance. Amazon Inspector is a service that assesses the security and compliance of
applications running on Amazon EC2 instances 12
QUESTION NO: 596

A company needs to host a web server on Amazon EC2 instances for at least 1 year. The web server
cannot tolerate interruption.

Which EC2 instance purchasing option will meet these requirements MOST cost-effectively?

A. On-Demand Instances

B. Partial Upfront Reserved Instances

C. Spot Instances

D. No Upfront Reserved Instances

Answer: B

The most cost-effective EC2 instance purchasing option for the company that needs to host a web
server on Amazon EC2 instances for at least 1 year and cannot tolerate interruption is Partial
Upfront Reserved Instances. Reserved Instances are a pricing model that offer significant discounts
compared to On-Demand Instances in exchange for a commitment to use a specific amount of
compute capacity for a fixed period of time (1 or 3 years). Partial Upfront Reserved Instances require
customers to pay a portion of the total cost upfront, and the remaining cost in monthly installments
over the term. This option offers a lower effective hourly rate than No Upfront Reserved Instances,
which require no upfront payment but have higher monthly payments. On-Demand Instances and
Spot Instances are not the best options for the company. On-Demand Instances are a pricing model
that offer the most flexibility and no long-term commitment, but have the highest hourly rate. Spot
Instances are a pricing model that offer the lowest cost, but are subject to interruption based on
supply and demand34

QUESTION NO: 597

A company runs a database on Amazon Aurora in the us-east-1 Region. The company has a disaster
recovery requirement that the database be available in another Region.

Which solution meets this requirement with minimal disruption to the database operations?

A. Perform an Aurora Multi-AZ deployment.

B. Deploy Aurora cross-Region read replicas.

C. Create Amazon Elastic Block Store (Amazon EBS) volume snapshots for Aurora and copy them to
another Region.

D. Deploy Aurora Replicas.

Answer: B
The solution that meets the requirement of the company that runs a database on Amazon Aurora in
the us-east-1 Region and has a disaster recovery requirement that the database be available in
another Region with minimal disruption to the database operations is to deploy Aurora cross-Region
read replicas. Aurora cross-Region read replicas are secondary Aurora clusters that are created in a
different AWS Region from the primary Aurora cluster, and are kept in sync with the primary cluster
using physical replication. The company can use Aurora cross-Region read replicas to improve the
availability and durability of the database, as well as to reduce the recovery time objective (RTO) and
recovery point objective (RPO) in case of a regional disaster. Performing an Aurora Multi-AZ
deployment, creating Amazon EBS volume snapshots for Aurora and copying them to another
Region, and deploying Aurora Replicas are not the best solutions for this requirement. An Aurora
Multi-AZ deployment is a configuration that creates one or more Aurora Replicas within the same
AWS Region as the primary Aurora cluster, and provides automatic failover in case of an Availability
Zone outage. However, this does not provide cross-Region disaster recovery. Creating Amazon EBS
volume snapshots for Aurora and copying them to another Region is a manual process that requires
stopping the database, creating the snapshots, copying them to the target Region, and restoring
them to a new Aurora cluster. This process can cause significant downtime and data loss. Deploying
Aurora Replicas is a configuration that creates one or more secondary Aurora clusters within the
same AWS Region as the primary Aurora cluster, and provides read scaling and high availability.
However, this does not provide cross-Region disaster recovery.

QUESTION NO: 598

Which AWS service requires the customer to patch the guest operating system?

A. AWS Lambda

B. Amazon OpenSearch Service

C. Amazon EC2

D. Amazon ElastiCache

Answer: C

The AWS service that requires the customer to patch the guest operating system is Amazon EC2.
Amazon EC2 is a service that provides scalable compute capacity in the cloud, and allows
customers to launch and run virtual servers, called instances, with a variety of operating systems,
configurations, and specifications. The customer is responsible for patching and updating the guest
operating system and any applications that run on the EC2 instances, as part of the security in the
cloud. AWS Lambda, Amazon OpenSearch Service, and Amazon ElastiCache are not services that
require the customer to patch the guest operating system. AWS Lambda is a serverless compute
service that allows customers to run code without provisioning or managing servers. Amazon
OpenSearch Service is a fully managed service that makes it easy to deploy, operate, and scale
OpenSearch clusters in the AWS Cloud. Amazon ElastiCache is a fully managed service that
provides in-memory data store and cache solutions, such as Redis and Memcached. These services
are managed by AWS, and AWS is responsible for patching and updating the underlying
infrastructure and software.

QUESTION NO: 599

Which benefit of the AWS Cloud helps companies achieve lower usage costs because of the aggregate
usage of all AWS users?

A. No need to guess capacity

B. Ability to go global in minutes

C. Economies of scale

D. Increased speed and agility

Answer: C

The benefit of the AWS Cloud that helps companies achieve lower usage costs because of the
aggregate usage of all AWS users is economies of scale. Economies of scale means that AWS can
achieve lower costs and higher efficiency by operating at a massive scale and passing the savings
to the customers. AWS leverages the aggregate usage of all AWS users to negotiate better prices
with hardware vendors, optimize power consumption, and improve operational processes. As a
result, AWS can offer lower and more flexible pricing options to the customers, such as pay-as-you-
go, reserved, and spot pricing models. No need to guess capacity, ability to go global in minutes, and
increased speed and agility are other benefits of the AWS Cloud, but they are not directly related to
the aggregate usage of all AWS users. No need to guess capacity means that AWS customers can
avoid the risk of over-provisioning or under-provisioning resources, and scale up or down as needed.
Ability to go global in minutes means that AWS customers can deploy their applications and data in
multiple regions around the world, and deliver them to users with high performance and availability.
Increased speed and agility means that AWS customers can quickly and easily provision and access
AWS resources, and accelerate their innovation and time to market.

QUESTION NO: 600

Which options are common stakeholders for the AWS Cloud Adoption Framework (AWS CAF) platform
perspective? (Select TWO.)

A. Chief financial officers (CFOs)

B. IT architects

C. Chief information officers (CIOs)

D. Chief data officers (CDOs)

E. Engineers
Answer: B, E

The common stakeholders for the AWS Cloud Adoption Framework (AWS CAF) platform
perspective are IT architects and engineers. The AWS CAF is a guidance that helps organizations
design and travel an accelerated path to successful cloud adoption. The AWS CAF organizes the
cloud adoption process into six areas of focus, called perspectives, which are business, people,
governance, platform, security, and operations. Each perspective is divided into capabilities, which
are further divided into skills and responsibilities. The platform perspective focuses on the
provisioning and management of the cloud infrastructure and services that support the business
applications. The platform perspective capabilities are design, implementation, and optimization.
The stakeholders for the platform perspective are the IT architects and engineers who are
responsible for designing, implementing, and optimizing the cloud platform. Chief financial officers
(CFOs), chief information officers (CIOs), and chief data officers (CDOs) are not the common
stakeholders for the AWS CAF platform perspective. CFOs are the common stakeholders for the
AWS CAF business perspective, which focuses on the value realization of the cloud adoption. CIOs
are the common stakeholders for the AWS CAF governance perspective, which focuses on the
alignment of the IT strategy and processes with the business strategy and goals. CDOs are the
common stakeholders for the AWS CAF security perspective, which focuses on the protection of the
information assets and systems in the cloud.

QUESTION NO: 601

A company wants to migrate to the AWS Cloud. The company needs the ability to acquire resources
when the resources are necessary.

The company also needs the ability to release those resources when the resources are no longer
necessary.

Which architecture concept of the AWS Cloud meets these requirements?

A. Elasticity

B. Availability

C. Reliability

D. Durability

Answer: A

The architecture concept of the AWS Cloud that meets the requirements of the company that wants
to migrate to the AWS Cloud and needs the ability to acquire and release resources as needed is
elasticity. Elasticity means that AWS customers can quickly and easily provision and scale up or
down AWS resources as their demand changes, without any upfront costs or long-term
commitments. AWS provides various tools and services that enable customers to achieve elasticity,
such as Amazon EC2 Auto Scaling, Amazon CloudWatch, and AWS CloudFormation. Elasticity helps
customers optimize their performance, availability, and cost efficiency. Availability, reliability, and
durability are other architecture concepts of the AWS Cloud, but they are not directly related to the
ability to acquire and release resources as needed. Availability means that AWS customers can
access their AWS resources and applications whenever and wherever they need them. Reliability
means that AWS customers can depend on their AWS resources and applications to function
correctly and consistently. Durability means that AWS customers can preserve their data and
objects for long periods of time without loss or corruption 12

QUESTION NO: 602

Which AWS service or tool provides recommendations to help users get rightsized Amazon EC2
instances based on historical workload usage data?

A. AWS Pricing Calculator

B. AWS Compute Optimizer

C. AWS App Runner

D. AWS Systems Manager

Answer: B

The AWS service or tool that provides recommendations to help users get rightsized Amazon EC2
instances based on historical workload usage data is AWS Compute Optimizer. AWS Compute
Optimizer is a service that analyzes the configuration and performance of the AWS resources, such
as Amazon EC2 instances, and provides recommendations for optimal resource types and sizes
based on the workload patterns and metrics. AWS Compute Optimizer helps users improve the
performance, availability, and cost efficiency of their AWS resources. AWS Pricing Calculator, AWS
App Runner, and AWS Systems Manager are not the best services or tools to use for this purpose.
AWS Pricing Calculator is a tool that helps users estimate the cost of using AWS services based on
their requirements and preferences. AWS App Runner is a service that helps users easily and quickly
deploy web applications and APIs without managing any infrastructure. AWS Systems Manager is a
service that helps users automate and manage the configuration and operation of their AWS
resources and applications34

QUESTION NO: 603

Which AWS service is designed to help users orchestrate a workflow process for a set of AWS Lambda
functions?

A. Amazon DynamoDB

B. AWS CodePipeline

C. AWS Batch

D. AWS Step Functions

Answer: D

The AWS service that is designed to help users orchestrate a workflow process for a set of AWS
Lambda functions is AWS Step Functions. AWS Step Functions is a service that helps users
coordinate multiple AWS services into serverless workflows that can be triggered by events, such as
messages, API calls, or schedules. AWS Step Functions allows users to create and visualize
complex workflows that can include branching, parallel execution, error handling, retries, and
timeouts. AWS Step Functions can integrate with AWS Lambda to orchestrate a sequence of
Lambda functions that perform different tasks or logic. Amazon DynamoDB, AWS CodePipeline, and
AWS Batch are not the best services to use for orchestrating a workflow process for a set of AWS
Lambda functions. Amazon DynamoDB is a fully managed NoSQL database service that provides
fast and consistent performance, scalability, and flexibility. AWS CodePipeline is a fully managed
continuous delivery service that helps users automate the release process of their applications. AWS
Batch is a fully managed service that helps users run batch computing workloads on the AWS Cloud.

QUESTION NO: 604

Which options are perspectives that include foundational capabilities of the AWS Cloud Adoption
Framework (AWS CAF)? (Select TWO.)

A. Sustainability

B. Security

C. Operations

D. Performance efficiency

E. Reliability

Answer: C, D

The options that are perspectives that include foundational capabilities of the AWS Cloud Adoption
Framework (AWS CAF) are operations and performance efficiency. The AWS CAF is a guidance that
helps organizations design and travel an accelerated path to successful cloud adoption. The AWS
CAF organizes the cloud adoption process into six areas of focus, called perspectives, which are
business, people, governance, platform, security, and operations. Each perspective is divided into
capabilities, which are further divided into skills and responsibilities. The operations perspective
focuses on the management and monitoring of the cloud resources and applications, as well as the
automation and optimization of the operational processes. The operations perspective capabilities
are operations support, operations integration, and service management. The performance
efficiency perspective focuses on the selection and configuration of the right cloud resources and
services to meet the performance requirements of the applications, as well as the continuous
improvement and innovation of the cloud solutions. The performance efficiency perspective
capabilities are selection, review, and monitoring. Sustainability, security, and reliability are not
perspectives of the AWS CAF, but they are aspects of the AWS Well-Architected Framework. The
AWS Well-Architected Framework is a guidance that helps users build and operate secure, reliable,
efficient, and cost-effective systems in the cloud. The AWS Well-Architected Framework consists of
five pillars, which are operational excellence, security, reliability, performance efficiency, and cost
optimization. Sustainability is a cross-cutting theme that applies to all the pillars, and refers to the
environmental and social impact of the cloud solutions.

QUESTION NO: 605

Which perspective of the AWS Cloud Adoption Framework (AWS CAF) connects technology and
business?

A. Operations

B. People

C. Security

D. Governance

Answer: D

The perspective of the AWS Cloud Adoption Framework (AWS CAF) that connects technology and
business is governance. The governance perspective focuses on the alignment of the IT strategy
and processes with the business strategy and goals, as well as the management of the IT budget,
risk, and compliance. The governance perspective capabilities are portfolio management, business
performance management, and IT governance. The governance perspective helps organizations
ensure that their cloud adoption delivers the expected business value and outcomes, and that their
cloud solutions are secure, reliable, and compliant. Operations, people, and security are other
perspectives of the AWS CAF, but they do not directly connect technology and business. The
operations perspective focuses on the management and monitoring of the cloud resources and
applications, as well as the automation and optimization of the operational processes. The people
perspective focuses on the development and empowerment of the human resources, as well as the
transformation of the organizational culture and structure. The security perspective focuses on the
protection of the information assets and systems in the cloud, as well as the implementation of the
security policies and controls.

QUESTION NO: 606

A company needs to host a highly available application in the AWS Cloud. The application runs
infrequently for short periods of time.

Which AWS service will meet these requirements with the LEAST amount of operational overhead?

A. Amazon EC2

B. AWS Fargate

C. AWS Lambda
D. Amazon Aurora

Answer: C

The AWS service that will meet the requirements of the company that needs to host a highly
available application in the AWS Cloud that runs infrequently for short periods of time with the least
amount of operational overhead is AWS Lambda. AWS Lambda is a serverless compute service that
allows customers to run code without provisioning or managing servers. The company can use AWS
Lambda to create and deploy their application as functions that are triggered by events, such as API
calls, messages, or schedules. AWS Lambda automatically scales the compute resources based on
the demand, and customers only pay for the compute time they consume. AWS Lambda also
simplifies the management and maintenance of the application, as customers do not need to worry
about the underlying infrastructure, security, or availability. Amazon EC2, AWS Fargate, and Amazon
Aurora are not the best services to use for this purpose. Amazon EC2 is a service that provides
scalable compute capacity in the cloud, and allows customers to launch and run virtual servers,
called instances, with a variety of operating systems, configurations, and specifications. Amazon
EC2 requires customers to provision and manage the instances, and pay for the instance hours they
use, regardless of the application usage. AWS Fargate is a serverless compute engine for containers
that allows customers to run containerized applications without managing servers or clusters. AWS
Fargate requires customers to specify the amount of CPU and memory resources for each container,
and pay for the resources they allocate, regardless of the application usage. Amazon Aurora is a
fully managed relational database service that provides high performance, availability, and
compatibility. Amazon Aurora is not a compute service, and it is not suitable for hosting an
application that runs infrequently for short periods of time12

QUESTION NO: 607

A company is planning a migration to the AWS Cloud and wants to examine the costs that are associated
with different workloads.

Which AWS tool will meet these requirements?

A. AWS Budgets

B. AWS Cost Explorer

C. AWS Pricing Calculator

D. AWS Cost and Usage Report

Answer: C

The AWS tool that will meet the requirements of the company that is planning a migration to the
AWS Cloud and wants to examine the costs that are associated with different workloads is AWS
Pricing Calculator. AWS Pricing Calculator is a tool that helps customers estimate the cost of using
AWS services based on their requirements and preferences. The company can use AWS Pricing
Calculator to compare the costs of different AWS services and configurations, such as Amazon EC2,
Amazon S3, Amazon RDS, and more. AWS Pricing Calculator also provides detailed breakdowns of
the cost components, such as compute, storage, network, and data transfer. AWS Pricing Calculator
helps customers plan and optimize their cloud budget and migration strategy. AWS Budgets, AWS
Cost Explorer, and AWS Cost and Usage Report are not the best tools to use for this purpose. AWS
Budgets is a tool that helps customers monitor and manage their AWS spending and usage against
predefined budget limits and thresholds. AWS Cost Explorer is a tool that helps customers analyze
and visualize their AWS spending and usage trends over time. AWS Cost and Usage Report is a tool
that helps customers access comprehensive and granular information about their AWS costs and
usage in a CSV or Parquet file. These tools are more useful for tracking and optimizing the existing
AWS costs and usage, rather than estimating the costs of different workloads 34

QUESTION NO: 608

A company is hosting a web application on Amazon EC2 instances. The company wants to implement
custom conditions to filter and control inbound web traffic.

Which AWS service will meet these requirements?

A. Amazon GuardDuty

B. AWSWAF

C. Amazon Macie

D. AWS Shield

Answer: B

The AWS service that will meet the requirements of the company that is hosting a web application
on Amazon EC2 instances and wants to implement custom conditions to filter and control inbound
web traffic is AWS WAF. AWS WAF is a web application firewall that helps protect web applications
from common web exploits that could affect availability, compromise security, or consume
excessive resources. The company can use AWS WAF to create custom rules that block malicious
requests that match certain patterns, such as SQL injection or cross-site scripting. AWS WAF can be
applied to web applications that are behind an Application Load Balancer, Amazon CloudFront, or
Amazon API Gateway. Amazon GuardDuty, Amazon Macie, and AWS Shield are not the best services
to use for this purpose. Amazon GuardDuty is a threat detection service that monitors for malicious
activity and unauthorized behavior across the AWS accounts and resources. Amazon Macie is a
data security and data privacy service that uses machine learning and pattern matching to discover,
classify, and protect sensitive data stored in Amazon S3. AWS Shield is a managed distributed
denial of service (DDoS) protection service that safeguards web applications running on AWS. These
services are more useful for detecting and preventing different types of threats and attacks, rather
than filtering and controlling inbound web traffic based on custom conditions.

QUESTION NO: 609

A company wants to create a chatbot and integrate the chatbot with its current web application.
Which AWS service will meet these requirements?

A. AmazonKendra

B. Amazon Lex

C. AmazonTextract

D. AmazonPolly

Answer: B

The AWS service that will meet the requirements of the company that wants to create a chatbot and
integrate the chatbot with its current web application is Amazon Lex. Amazon Lex is a service that
helps customers build conversational interfaces using voice and text. The company can use
Amazon Lex to create a chatbot that can understand natural language and respond to user requests,
using the same deep learning technologies that power Amazon Alexa. Amazon Lex also provides
easy integration with other AWS services, such as Amazon Comprehend, Amazon Polly, and AWS
Lambda, as well as popular platforms, such as Facebook Messenger, Slack, and Twilio. Amazon Lex
helps customers create engaging and interactive chatbots for their web applications. Amazon
Kendra, Amazon Textract, and Amazon Polly are not the best services to use for this purpose.
Amazon Kendra is a service that helps customers provide accurate and natural answers to natural
language queries using machine learning. Amazon Textract is a service that helps customers extract
text and data from scanned documents using optical character recognition (OCR) and machine
learning. Amazon Polly is a service that helps customers convert text into lifelike speech using deep
learning. These services are more useful for different types of natural language processing and
generation tasks, rather than creating and integrating chatbots.

QUESTION NO: 610

Which AWS service is used to temporarily provide federated security credentials to a

A. Amazon GuardDuty

B. AWS Simple Token Service (AWS STS)

C. AWS Secrets Manager

D. AWS Certificate Manager

Answer: B

The AWS service that is used to temporarily provide federated security credentials to a user is AWS
Security Token Service (AWS STS). AWS STS is a service that enables customers to request
temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for
users that they authenticate (federated users). The company can use AWS STS to grant federated
users access to AWS resources without creating permanent IAM users or sharing long-term
credentials. AWS STS helps customers manage and secure access to their AWS resources for
federated users. Amazon GuardDuty, AWS Secrets Manager, and AWS Certificate Manager are not
the best services to use for this purpose. Amazon GuardDuty is a threat detection service that
monitors for malicious activity and unauthorized behavior across the AWS accounts and resources.
AWS Secrets Manager is a service that helps customers manage and rotate secrets, such as
database credentials, API keys, and passwords. AWS Certificate Manager is a service that helps
customers provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer
Security (SSL/TLS) certificates for use with AWS services and internal connected resources. These
services are more useful for different types of security and compliance tasks, rather than providing
temporary federated security credentials to a user.

QUESTION NO: 611

A company wants to securely store Amazon RDS database credentials and automatically rotate user
passwords periodically.

Which AWS service or capability will meet these requirements?

A. Amazon S3

B. AWS Systems Manager Parameter Store

C. AWS Secrets Manager

D. AWS CloudTrail

Answer: C

AWS Secrets Manager is a service that helps you protect access to your applications, services, and
IT resources. This service enables you to easily rotate, manage, and retrieve database credentials,
API keys, and other secrets throughout their lifecycle1. Amazon S3 is a storage service that does not
offer automatic rotation of credentials. AWS Systems Manager Parameter Store is a service that
provides secure, hierarchical storage for configuration data management and secrets management 2,
but it does not offer automatic rotation of credentials. AWS CloudTrail is a service that enables
governance, compliance, operational auditing, and risk auditing of your AWS account 3, but it does
not store or rotate credentials.

QUESTION NO: 612

A company has an application that runs periodically in an on-premises environment. The application
runs for a few hours most days, but runs for 8 hours a day for a week at the end of each month.

Which AWS service or feature should be used to host the application in the AWS Cloud?

A. Amazon EC2 Standard Reserved Instances

B. Amazon EC2 On-Demand Instances

C. AWS Wavelength
D. Application Load Balancer

Answer: B

Amazon EC2 On-Demand Instances are instances that you pay for by the second, with no long-term
commitments or upfront payments4. This option is suitable for applications that have unpredictable
or intermittent workloads, such as the one described in the question. Amazon EC2 Standard
Reserved Instances are instances that you purchase for a one-year or three-year term, and pay a
lower hourly rate compared to On-Demand Instances. This option is suitable for applications that
have steady state or predictable usage. AWS Wavelength is a service that enables developers to
build applications that deliver ultra-low latency to mobile devices and users by deploying AWS
compute and storage at the edge of the 5G network. This option is not relevant for the application
described in the question. Application Load Balancer is a type of load balancer that operates at the
application layer and distributes traffic based on the content of the request. This option is not a
service or feature to host the application, but rather to balance the traffic among multiple instances.

QUESTION NO: 613

A company is reviewing the design of an application that will be migrated from on premises to a single
Amazon EC2 instance.

What should the company do to make the application highly available?

A. Provision additional EC2 instances in other Availability Zones.

B. Configure an Application Load Balancer (ALB). Assign the EC2 instance as the ALB's target.

C. Use an Amazon Machine Image (AMI) to create the EC2 instance.

D. Provision the application by using an EC2 Spot Instance.

Answer: A

Provisioning additional EC2 instances in other Availability Zones is a way to make the application
highly available, as it reduces the impact of failures and increases fault tolerance. Configuring an
Application Load Balancer and assigning the EC2 instance as the ALB’s target is a way to distribute
traffic among multiple instances, but it does not make the application highly available if there is only
one instance. Using an Amazon Machine Image to create the EC2 instance is a way to launch a
virtual server with a preconfigured operating system and software, but it does not make the
application highly available by itself. Provisioning the application by using an EC2 Spot Instance is a
way to use spare EC2 capacity at up to 90% off the On-Demand price, but it does not make the
application highly available, as Spot Instances can be interrupted by EC2 with a two-minute
notification.

QUESTION NO: 614

Which AWS service provides a highly accurate and easy-to-use enterprise search service that is powered
by machine learning (ML)?

A. Amazon Kendra

B. Amazon SageMaker

C. Amazon Augmented Al (Amazon A2I)

D. Amazon Polly

Answer: A

Amazon Kendra is a service that provides a highly accurate and easy-to-use enterprise search
service that is powered by machine learning. Kendra delivers powerful natural language search
capabilities to your websites and applications so your end users can more easily find the
information they need within the vast amount of content spread across your company. Amazon
SageMaker is a service that provides a fully managed platform for data scientists and developers to
quickly and easily build, train, and deploy machine learning models at any scale. Amazon Augmented
AI (Amazon A2I) is a service that makes it easy to build the workflows required for human review of
ML predictions. Amazon A2I brings human review to all developers, removing the undifferentiated
heavy lifting associated with building human review systems or managing large numbers of human
reviewers. Amazon Polly is a service that turns text into lifelike speech, allowing you to create
applications that talk, and build entirely new categories of speech-enabled products. None of these
services provide an enterprise search service that is powered by machine learning.

QUESTION NO: 615

A company provides a software as a service (SaaS) application. The company has a new customer that is
based in a different country.

The new customer's data needs to be hosted in that country.

Which AWS service or infrastructure component should the company use to meet this requirement?

A. AWS Shield

B. Amazon S3 Object Lock

C. AWS Regions

D. Placement groups

Answer: C

AWS Regions are geographic areas around the world where AWS has clusters of data centers. Each
AWS Region consists of multiple, isolated, and physically separate AZ’s within a geographic area. By
hosting the customer’s data in a specific AWS Region, the company can meet the requirement of
hosting the data in the customer’s country. AWS Shield is a service that provides always-on
detection and automatic inline mitigations that minimize application downtime and latency, so there
is no need to engage AWS Support to benefit from DDoS protection. Amazon S3 Object Lock is a
feature that allows you to store objects using a write-once-read-many (WORM) model. You can use it
to prevent an object from being deleted or overwritten for a fixed amount of time or indefinitely.
Placement groups are logical grouping of instances within a single Availability Zone. Placement
groups enable applications to participate in a low-latency, 10 Gbps network. None of these services
or infrastructure components can help the company host the customer’s data in a different country.

QUESTION NO: 616

Which credential allows programmatic access to AWS resources for use from the AWS CLI or the AWS
API?

A. User name and password

B. Access keys

C. SSH public keys

D. AWS Key Management Service (AWS KMS) keys

Answer: B

Access keys are long-term credentials that consist of an access key ID and a secret access
key. You use access keys to sign programmatic requests that you make to AWS using the AWS CLI
or AWS API1. User name and password are credentials that you use to sign in to the AWS
Management Console or the AWS Management Console mobile app 2. SSH public keys are
credentials that you use to authenticate with EC2 instances that are launched from certain Linux
AMIs3. AWS Key Management Service (AWS KMS) keys are customer master keys (CMKs) that you
use to encrypt and decrypt your data and to control access to your data across AWS services and in
your applications4.

QUESTION NO: 617

A company has developed a distributed application that recovers gracefully from interruptions. The
application periodically processes large volumes of data by using multiple Amazon EC2 instances. The
application is sometimes idle for months.

Which EC2 instance purchasing option is MOST cost-effective for this use case?

A. Reserved Instances

B. Spot Instances

C. Dedicated Instances

D. On-Demand Instances
Answer: B

Spot Instances are instances that use spare EC2 capacity that is available for up to 90% off the On-
Demand price. Because Spot Instances can be interrupted by EC2 with two minutes of notification
when EC2 needs the capacity back, you can use them for applications that have flexible start and
end times, or that can withstand interruptions 5. This option is most cost-effective for the use case
described in the question. Reserved Instances are instances that you purchase for a one-year or
three-year term, and pay a lower hourly rate compared to On-Demand Instances. This option is
suitable for applications that have steady state or predictable usage. Dedicated Instances are
instances that run on hardware that’s dedicated to a single customer within an Amazon VPC. This
option is suitable for applications that have stringent regulatory or compliance requirements. On-
Demand Instances are instances that you pay for by the second, with no long-term commitments or
upfront payments. This option is suitable for applications that have unpredictable or intermittent
workloads.

QUESTION NO: 618

A company is preparing to launch a redesigned website on AWS. Users from around the world will
download digital handbooks from the website.

Which AWS solution should the company use to provide these static files securely?

A. Amazon Kinesis Data Streams

B. Amazon CloudFront with Amazon S3

C. Amazon EC2 instances with an Application Load Balancer

D. Amazon Elastic File System (Amazon EFS)

Answer: B

Amazon CloudFront with Amazon S3 is a solution that allows you to provide static files securely to
users from around the world. Amazon CloudFront is a fast content delivery network (CDN) service
that securely delivers data, videos, applications, and APIs to customers globally with low latency,
high transfer speeds, all within a developer-friendly environment. Amazon S3 is an object storage
service that offers industry-leading scalability, data availability, security, and performance. You can
use Amazon S3 to store and retrieve any amount of data from anywhere. You can also configure
Amazon S3 to work with Amazon CloudFront to distribute your content to edge locations near your
users for faster delivery and lower latency. Amazon Kinesis Data Streams is a service that enables
you to build custom applications that process or analyze streaming data for specialized needs. This
option is not relevant for providing static files securely. Amazon EC2 instances with an Application
Load Balancer is a solution that allows you to distribute incoming traffic across multiple targets,
such as EC2 instances, in multiple Availability Zones. This option is suitable for dynamic web
applications, but not necessary for static files. Amazon Elastic File System (Amazon EFS) is a
service that provides a simple, scalable, fully managed elastic NFS file system for use with AWS
Cloud services and on-premises resources. This option is not relevant for providing static files
securely.

QUESTION NO: 619

Which service is an AWS in-memory data store service?

A. Amazon Aurora

B. Amazon RDS

C. Amazon DynamoDB

D. Amazon ElastiCache

Answer: D

Amazon ElastiCache is a service that offers fully managed in-memory data store and cache services
that deliver sub-millisecond response times to applications. You can use Amazon ElastiCache to
improve the performance of your applications by retrieving data from fast, managed, in-memory data
stores, instead of relying entirely on slower disk-based databases. Amazon Aurora is a relational
database service that combines the performance and availability of high-end commercial databases
with the simplicity and cost-effectiveness of open source databases. Amazon RDS is a service that
makes it easy to set up, operate, and scale a relational database in the cloud. Amazon DynamoDB is
a key-value and document database that delivers single-digit millisecond performance at any scale.
None of these services are in-memory data store services.

QUESTION NO: 620

Which AWS service or tool offers consolidated billing?

A. AWS Artifact

B. AWS Budgets

C. AWS Organizations

D. AWS Trusted Advisor

A company wants to limit its employees' AWS access to a portfolio of predefined AWS resources.

Answer: C

AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an
organization that you create and centrally manage. With AWS Organizations, you can create a single
payment method for all the AWS accounts in your organization through consolidated billing.
Consolidated billing enables you to see a combined view of AWS charges incurred by all accounts in
your organization, as well as get a detailed cost report for each individual AWS account associated
with your organization. AWS Artifact is a service that provides on-demand access to AWS’ security
and compliance reports and select online agreements. AWS Budgets is a service that enables you to
plan your service usage, service costs, and instance reservations. AWS Trusted Advisor is a service
that provides real-time guidance to help you provision your resources following AWS best practices.
None of these services or tools offer consolidated billing.

QUESTION NO: 621

Which AWS solution should the company use to meet this requirement?

A. AWS Config

B. AWS software development kits (SDKs)

C. AWS Service Catalog

D. AWS AppSync

Answer: C

AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that
are approved for use on AWS. You can use AWS Service Catalog to centrally manage commonly
deployed IT services and help your organization achieve consistent governance and meet your
compliance requirements, while enabling users to quickly deploy only the approved IT services they
need1. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of
your AWS resources. AWS software development kits (SDKs) are tools that enable you to easily
integrate your applications with AWS services using your preferred programming language. AWS
AppSync is a service that simplifies application development by letting you create a flexible API to
securely access, manipulate, and combine data from one or more data sources. None of these
services can help you limit your employees’ AWS access to a portfolio of predefined AWS resources.

QUESTION NO: 622

A company is running workloads for multiple departments within a single VPC. The company needs to be
able to bill each department for its resource usage.

Which action should the company take to accomplish this goal with the LEAST operational overhead?

A. Add a department tag to each resource and configure cost allocation tags.

B. Move each department resource to its own VPC.

C. Move each department resource to its own AWS account.

D. Use AWS Organizations to get a billing report for each department.

Answer: A

Adding a department tag to each resource and configuring cost allocation tags is an action that can
help you accomplish the goal of billing each department for its resource usage with the least
operational overhead. Tags are simple labels consisting of a key and an optional value that you can
assign to AWS resources. You can use tags to organize your resources and track your AWS costs on
a detailed level. Cost allocation tags enable you to track your AWS costs on a detailed level. After
you activate cost allocation tags, AWS uses the cost allocation tags to organize your resource costs
on your cost allocation report, to make it easier for you to categorize and track your AWS costs 2.
Moving each department resource to its own VPC or its own AWS account is an action that can help
you isolate and control the resources for each department, but it would incur more operational
overhead than using tags. Using AWS Organizations to get a billing report for each department is an
action that can help you consolidate billing and payment across multiple AWS accounts, but it would
not help you bill each department for its resource usage within a single VPC.

QUESTION NO: 623

A large company has multiple departments. Each department has its own AWS account. Each
department has purchased Amazon EC2 Reserved Instances. Some departments do not use all the
Reserved Instances that they purchased, and other departments need more Reserved Instances than
they purchased.

The company needs to manage the AWS accounts for all the departments so that the departments can
share the Reserved Instances.

Which AWS service or tool should the company use to meet these requirements?

A. AWS Systems Manager

B. Cost Explorer

C. AWS Trusted Advisor

D. AWS Organizations

Answer: D

AWS Organizations is a service that enables you to consolidate multiple AWS accounts into an
organization that you create and centrally manage. With AWS Organizations, you can apply service
control policies (SCPs) across multiple AWS accounts to restrict what services and actions users
and roles can access. You can also use AWS Organizations to enable features such as consolidated
billing, AWS Config rules and conformance packs, and AWS CloudFormation StackSets across
multiple accounts3. One of the benefits of using AWS Organizations is that you can share your
Reserved Instances (RIs) with all of the accounts in your organization. This enables you to take
advantage of the billing benefits of RIs without having to specify which account will use them 4. AWS
Systems Manager is a service that gives you visibility and control of your infrastructure on AWS.
Cost Explorer is a tool that enables you to visualize, understand, and manage your AWS costs and
usage over time. AWS Trusted Advisor is a service that provides real-time guidance to help you
provision your resources following AWS best practices. None of these services or tools can help you
manage the AWS accounts for all the departments so that the departments can share the Reserved
Instances.

QUESTION NO: 624

A manufacturing company has a critical application that runs at a remote site that has a slow internet
connection. The company wants to migrate the workload to AWS. The application is sensitive to latency
and interruptions in connectivity. The company wants a solution that can host this application with
minimum latency.

Which AWS service or feature should the company use to meet these requirements?

A. Availability Zones

B. AWS Local Zones

C. AWS Wavelength

D. AWS Outposts

Answer: D

AWS Outposts is a service that offers fully managed and configurable compute and storage racks
built with AWS-designed hardware that allow you to run your workloads on premises and seamlessly
connect to AWS services in the cloud. AWS Outposts is ideal for workloads that require low latency,
local data processing, or local data storage. With AWS Outposts, you can use the same AWS APIs,
tools, and infrastructure across on premises and the cloud to deliver a truly consistent hybrid
experience5. Availability Zones are isolated locations within each AWS Region that are engineered to
be fault-tolerant and provide high availability. AWS Local Zones are extensions of AWS Regions that
are placed closer to large population, industry, and IT centers where no AWS Region exists today.
AWS Wavelength is a service that enables developers to build applications that deliver ultra-low
latency to mobile devices and users by deploying AWS compute and storage at the edge of the 5G
network. None of these services or features can help you host a critical application with minimum
latency at a remote site that has a slow internet connection.

QUESTION NO: 625

Which AWS services can a company use to host and run a MySQL database? (Select TWO.)

A. Amazon RDS

B. Amazon DynamoDB

C. Amazon S3

D. Amazon EC2

E. Amazon MQ
Answer: A, D

Amazon RDS and Amazon EC2 are two AWS services that you can use to host and run a MySQL
database. Amazon RDS is a service that makes it easy to set up, operate, and scale a relational
database in the cloud. You can use Amazon RDS to launch a MySQL database instance and let
Amazon RDS manage common database tasks such as backups, patching, scaling, and replication 6.
Amazon EC2 is a service that provides secure, resizable compute capacity in the cloud. You can use
Amazon EC2 to launch a virtual server and install MySQL software on it. You have complete control
over your database configuration, but you are responsible for managing and maintaining the
database software and the underlying infrastructure7. Amazon DynamoDB is a key-value and
document database that delivers single-digit millisecond performance at any scale. Amazon S3 is an
object storage service that offers industry-leading scalability, data availability, security, and
performance. Amazon MQ is a managed message broker service for Apache ActiveMQ. None of
these services can help you host and run a MySQL database.

QUESTION NO: 626

A company wants its workload to perform consistently and correctly.

Which benefit of AWS Cloud computing does this goal represent?

A. Security

B. Elasticity

C. Pay-as-you-go pricing

D. Reliability

Answer: D

Reliability is the benefit of AWS Cloud computing that ensures the workload performs consistently
and correctly. According to the AWS Cloud Practitioner Essentials course, reliability means "the
ability of a system to recover from infrastructure or service disruptions, dynamically acquire
computing resources to meet demand, and mitigate disruptions such as misconfigurations or
transient network issues."1 Elasticity, security, and pay-as-you-go pricing are also benefits of AWS
Cloud computing, but they do not directly relate to the goal of consistent and correct performance.

QUESTION NO: 627

A company needs help managing multiple AWS linked accounts that are reported on a consolidated bill.

Which AWS Support plan includes an AWS concierge whom the company can ask for assistance?

A. AWS Developer Support

B. AWS Enterprise Support

C. AWS Business Support

D. AWS Basic Support

Answer: B

AWS Enterprise Support is the AWS Support plan that includes an AWS concierge whom the
company can ask for assistance. According to the AWS Support Plans page, AWS Enterprise
Support provides "a dedicated Technical Account Manager (TAM) who provides advocacy and
guidance to help plan and build solutions using best practices, coordinate access to subject matter
experts, and proactively keep your AWS environment operationally healthy."2 AWS Business Support,
AWS Developer Support, and AWS Basic Support do not include a TAM or a concierge service.

QUESTION NO: 628

Which design principle is included in the operational excellence pillar of the AWS Well-Architected
Framework?

A. Create annotated documentation.

B. Anticipate failure.

C. Ensure performance efficiency.

D. Optimize costs.

Answer: A

Create annotated documentation is the design principle that is included in the operational
excellence pillar of the AWS Well-Architected Framework. According to the AWS Well-Architected
Framework whitepaper, creating annotated documentation means "documenting your workload so
that the team understands the architecture, how to operate the workload, and how the workload
delivers value to customers."3 Anticipate failure, ensure performance efficiency, and optimize costs
are design principles that belong to other pillars of the AWS Well-Architected Framework, such as
reliability, performance efficiency, and cost optimization.

QUESTION NO: 629

A company is using Amazon RDS.

A company is launching a critical business application in an AWS Region.

How can the company increase resilience for this application?

A. Deploy a copy of the application in another AWS account.

B. Deploy the application by using multiple VPCs.

C. Deploy the application by using multiple subnets.

D. Deploy the application by using multiple Availability Zones.

Answer: D

Deploying the application by using multiple Availability Zones is the best way to increase resilience
for the application. According to the Amazon RDS User Guide, "Amazon RDS provides high
availability and failover support for DB instances using Multi-AZ deployments. In a Multi-AZ
deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in
a different Availability Zone. The primary DB instance is synchronously replicated across Availability
Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency
spikes during system backups."4 Deploying a copy of the application in another AWS account, using
multiple VPCs, or using multiple subnets do not provide the same level of resilience as using
multiple Availability Zones.

QUESTION NO: 630

Which AWS services or tools are designed to protect a workload from SQL injections, cross-site scripting,
and DDoS attacks? (Select TWO.)

A. VPC endpoint

B. Virtual private gateway

Q C. AWS Shield Standard

D. AWS Config

E. AWS WAF

Answer: C

AWS Shield Standard and AWS WAF are the AWS services or tools that are designed to protect a
workload from SQL injections, cross-site scripting, and DDoS attacks. According to the AWS Shield
Developer Guide, "AWS Shield is a managed Distributed Denial of Service (DDoS) protection service
that safeguards applications running on AWS. AWS Shield provides always-on detection and
automatic inline mitigations that minimize application downtime and latency, so there is no need to
engage AWS Support to benefit from DDoS protection."5 According to the AWS WAF Developer
Guide, “AWS WAF is a web application firewall that helps protect your web applications or APIs
against common web exploits that may affect availability, compromise security, or consume
excessive resources. AWS WAF gives you control over how traffic reaches your applications by
enabling you to create security rules that block common attack patterns, such as SQL injection or
cross-site scripting, and rules that filter out specific traffic patterns you define.” VPC endpoint, virtual
private gateway, and AWS Config are not designed to protect a workload from these types of
attacks.

QUESTION NO: 631

A company wants guidance to optimize the cost and performance of its current AWS environment.

Which AWS service or tool should the company use to identify areas for optimization?

A. Amazon QuickSight

B. AWS Trusted Advisor

C. AWS Organizations

D. AWS Budgets

Answer: B

AWS Trusted Advisor is the AWS service or tool that the company should use to identify areas for
optimization. According to the AWS Trusted Advisor User Guide, “AWS Trusted Advisor is an online
tool that provides you real time guidance to help you provision your resources following AWS best
practices. AWS Trusted Advisor checks help optimize your AWS infrastructure, increase security and
performance, reduce your overall costs, and monitor service limits.” Amazon QuickSight, AWS
Organizations, and AWS Budgets are not designed to provide optimization recommendations for the
current AWS environment.

QUESTION NO: 632

A new AWS user who has little cloud experience wants to build an application by using AWS services.
The user wants to learn how to implement specific AWS services from other customer examples. The
user also wants to ask questions to AWS experts.

Which AWS service or resource will meet these requirements?

A. AWS Online Tech Talks

B. AWS documentation

C. AWS Marketplace

D. AWS Health Dashboard

Answer: A

AWS Online Tech Talks are online presentations that cover a broad range of topics at varying
technical levels and provide a live Q&A session with AWS experts. They are a great resource for new
AWS users who want to learn how to implement specific AWS services from other customer
examples and ask questions to AWS experts. AWS documentation, AWS Marketplace, and AWS
Health Dashboard do not offer the same level of interactivity and guidance as AWS Online Tech
Talks. Source: AWS Online Tech Talks

QUESTION NO: 633

A user discovered that an Amazon EC2 instance is missing an Amazon Elastic Block Store (Amazon EBS)
data volume. The user wants to determine when the EBS volume was removed.

Which AWS service will provide this information?

A. AWS Config

B. AWS Trusted Advisor

C. Amazon Timestream

D. Amazon QuickSight

Answer: A

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your
AWS resources. AWS Config continuously monitors and records your AWS resource configurations
and allows you to automate the evaluation of recorded configurations against desired
configurations. AWS Config can help you determine when an EBS volume was removed from an EC2
instance by providing a timeline of configuration changes and compliance status. AWS Trusted
Advisor, Amazon Timestream, and Amazon QuickSight do not provide the same level of
configuration tracking and auditing as AWS Config. Source: AWS Config

QUESTION NO: 634

What is an AWS responsibility under the AWS shared responsibility model?

A. Configure the security group rules that determine which ports are open on an Amazon EC2 Linux
instance.

B. Ensure the security of the internal network in the AWS data centers.

C. Patch the guest operating system with the latest security patches on Amazon EC2.

D. Turn on server-side encryption for Amazon S3 buckets.

A company wants to deploy its critical application on AWS and maintain high availability.

Answer: B

Under the AWS shared responsibility model, AWS is responsible for ensuring the security of the
internal network in the AWS data centers, as well as the physical security of the hardware and
facilities that run AWS services. AWS customers are responsible for configuring the security group
rules that determine which ports are open on an EC2 Linux instance, patching the guest operating
system with the latest security patches on EC2, and turning on server-side encryption for S3 buckets.
Source: AWS Shared Responsibility Model

QUESTION NO: 635

How should the company deploy the application to meet these requirements?

A. Ina single Availability Zone

B. On AWS Direct Connect

C. On Reserved Instances

D. In multiple Availability Zones

Answer: D

Deploying the application in multiple Availability Zones is the best way to ensure high availability for
the application. Availability Zones are isolated locations within an AWS Region that are engineered
to be fault-tolerant from failures in other Availability Zones. By deploying the application in multiple
Availability Zones, the company can reduce the impact of outages and increase the resilience of the
application. Deploying the application in a single Availability Zone, on AWS Direct Connect, or on
Reserved Instances does not provide the same level of high availability as deploying the application
in multiple Availability Zones. Source: Availability Zones

QUESTION NO: 636

A company must store call recordings for 6 years. The storage system should be highly durable and cost-
effective.

Which AWS service meets these requirements?

A. AWS Snowball

B. Amazon S3

C. AWS Storage Gateway

D. Amazon Kinesis

Answer: B

Amazon S3 is a service that provides highly durable and cost-effective object storage for a variety of
use cases, including backup and archive, big data analytics, disaster recovery, and cloud
applications. Amazon S3 offers 99.999999999% (11 9’s) of durability, meaning that data is designed
to withstand the loss of two facilities concurrently. Amazon S3 also offers several storage classes
with different price and performance characteristics, such as S3 Glacier and S3 Glacier Deep
Archive, which are ideal for long-term archival of data that is rarely accessed. AWS Snowball, AWS
Storage Gateway, and Amazon Kinesis are not designed to provide the same level of durability and
cost-effectiveness as Amazon S3 for storing call recordings for 6 years. Source: Amazon S3

QUESTION NO: 637

In which categories does AWS Trusted Advisor provide recommended actions? (Select TWO.)
A. Operating system patches

B. Cost optimization

C. Repetitive tasks

D. Service quotas

E. Account activity records

Answer: B, D

AWS Trusted Advisor is a service that provides real-time guidance to help you provision your
resources following AWS best practices. AWS Trusted Advisor provides recommended actions in
five categories: cost optimization, performance, security, fault tolerance, and service quotas. Cost
optimization helps you reduce your overall AWS costs by identifying idle and underutilized
resources. Service quotas helps you monitor and manage your usage of AWS service quotas and
request quota increases. Operating system patches, repetitive tasks, and account activity records
are not categories that AWS Trusted Advisor provides recommended actions for. Source: [AWS
Trusted Advisor]

QUESTION NO: 638

Which actions are examples of a company's effort to right size its AWS resources to control cloud costs?
(Select TWO.)

A. Switch from Amazon RDS to Amazon DynamoDB to accommodate NoSQL datasets.

Q B. Base the selection of Amazon EC2 instance types on past utilization patterns.

C. Use Amazon S3 Lifecycle policies to move objects that users access infrequently to lower-cost storage
tiers.

D. Use Multi-AZ deployments for Amazon RDS.

E. Replace existing Amazon EC2 instances with AWS Elastic Beanstalk.

Answer: B, C

Basing the selection of Amazon EC2 instance types on past utilization patterns is a way to right size
the AWS resources and optimize the performance and cost. Using Amazon S3 Lifecycle policies to
move objects that users access infrequently to lower-cost storage tiers is another way to reduce the
storage costs and align them with the business value of the data. These two actions are
recommended by the AWS Cost Optimization Pillar1. Switching from Amazon RDS to Amazon
DynamoDB is not necessarily a cost-saving action, as it depends on the use case and the data
model. Using Multi-AZ deployments for Amazon RDS is a way to improve the availability and
durability of the database, but it also increases the cost. Replacing existing Amazon EC2 instances
with AWS Elastic Beanstalk is a way to simplify the deployment and management of the application,
but it does not affect the cost of the underlying EC2 instances.

QUESTION NO: 639

A company has a single Amazon EC2 instance. The company wants to adopt a highly available
architecture.

What can the company do to meet this requirement?

A. Scale vertically to a larger EC2 instance size.

B. Scale horizontally across multiple Availability Zones.

C. Purchase an EC2 Dedicated Instance.

D. Change the EC2 instance family to a compute optimized instance.

Answer: B

Scaling horizontally across multiple Availability Zones is a way to adopt a highly available
architecture, as it increases the fault tolerance and resilience of the application. Scaling vertically to
a larger EC2 instance size is a way to improve the performance of the application, but it does not
improve the availability. Purchasing an EC2 Dedicated Instance is a way to isolate the instance from
other AWS customers, but it does not improve the availability. Changing the EC2 instance family to a
compute optimized instance is a way to optimize the instance type for the workload, but it does not
improve the availability. These concepts are explained in the AWS Well-Architected Framework2.

QUESTION NO: 640

A company is running an application that is hosted on Amazon EC2 instances. The usage of the EC2
instances is higher during daytime hours than nighttime hours. The company wants to optimize the
number of EC2 instances based on this usage pattern.

Which AWS service or instance purchasing option should the company use to meet these requirements?

A. Spot Instances

B. Reserved Instances

C. AWS CloudFormation

D. AWS Auto Scaling

Answer: D

AWS Auto Scaling is the AWS service that allows users to optimize the number of EC2 instances
based on the usage pattern, as it automatically adjusts the capacity to maintain steady and
predictable performance at the lowest possible cost. Spot Instances are a way to reduce the cost of
EC2 instances by bidding on unused EC2 capacity, but they are not suitable for applications that
require steady and reliable performance. Reserved Instances are a way to reduce the cost of EC2
instances by committing to a certain amount of usage for a period of time, but they are not flexible
to adjust to the usage pattern. AWS CloudFormation is a way to automate the creation and
management of AWS resources, but it does not optimize the number of EC2 instances based on the
usage pattern. These concepts are explained in the AWS Cloud Practitioner Essentials course 3.

QUESTION NO: 641

Which AWS services allow users to monitor and retain records of account activities that include
governance, compliance, and auditing?

(Select TWO.)

A. Amazon CloudWatch

B. AWS CloudTrail

C. Amazon GuardDuty

D. AWS Shield

E. AWS WAF

Answer: A, B

Amazon CloudWatch and AWS CloudTrail are the AWS services that allow users to monitor and
retain records of account activities that include governance, compliance, and auditing. Amazon
CloudWatch is a service that collects and tracks metrics, collects and monitors log files, and sets
alarms. AWS CloudTrail is a service that enables governance, compliance, operational auditing, and
risk auditing of your AWS account. Amazon GuardDuty, AWS Shield, and AWS WAF are AWS services
that provide security and protection for AWS resources, but they do not monitor and retain records
of account activities. These concepts are explained in the AWS Cloud Practitioner Essentials
course3.

QUESTION NO: 642

Which AWS service or tool provides on-demand access to AWS security and compliance reports and
AWS online agreements?

A. AWS Artifact

B. AWS Trusted Advisor

C. Amazon Inspector
D. AWS Billing console

Answer: A

AWS Artifact is the AWS service or tool that provides on-demand access to AWS security and
compliance reports and AWS online agreements. AWS Trusted Advisor is a tool that provides real-
time guidance to help users provision their resources following AWS best practices. Amazon
Inspector is a service that helps users improve the security and compliance of their applications.
AWS Billing console is a tool that helps users manage their AWS costs and usage. These concepts
are explained in the AWS Cloud Practitioner Essentials course3.

QUESTION NO: 643

A company wants to move its iOS application development and build activities to AWS.

Which AWS service or resource should the company use for these activities?

A. AWS CodeCommit

B. Amazon EC2 M1 Mac instances

C. AWS Amplify

D. AWS App Runner

Answer: B

Amazon EC2 M1 Mac instances are the AWS service or resource that the company should use for its
iOS application development and build activities, as they enable users to run macOS on AWS and
access a broad and growing set of AWS services. AWS CodeCommit is a service that provides a fully
managed source control service that hosts secure Git-based repositories. AWS Amplify is a set of
tools and services that enable developers to build full-stack web and mobile applications using AWS.
AWS App Runner is a service that makes it easy for developers to quickly deploy containerized web
applications and APIs. These concepts are explained in the AWS Developer Tools page4.

QUESTION NO: 644

Which statements explain the business value of migration to the AWS Cloud? (Select TWO.)

A. The migration of enterprise applications to the AWS Cloud makes these applications automatically
available on mobile devices.

S B. AWS availability and security provide the ability to improve service level agreements (SLAs) while
reducing risk and unplanned downtime.

C. Companies that migrate to the AWS Cloud eliminate the need to plan for high availability and disaster
recovery.
D. Companies that migrate to the AWS Cloud reduce IT costs related to infrastructure, freeing budget for
reinvestment in other

areas.

E. Applications are modernized because migration to the AWS Cloud requires companies to rearchitect
and rewrite all

enterprise applications.

Answer: B, D

B and D are correct because AWS availability and security enable customers to improve their SLAs
while reducing risk and unplanned downtime1, and AWS reduces IT costs related to infrastructure,
allowing customers to reinvest in other areas 2. A is incorrect because migrating to the AWS Cloud
does not automatically make applications available on mobile devices, as it depends on the
application design and compatibility. C is incorrect because companies that migrate to the AWS
Cloud still need to plan for high availability and disaster recovery, as AWS is a shared responsibility
model3. E is incorrect because migrating to the AWS Cloud does not require companies to
rearchitect and rewrite all enterprise applications, as AWS offers different migration strategies
depending on the application complexity and business objectives 4.

QUESTION NO: 645

Which AWS service is designed to help users build conversational interfaces into applications using voice
and text?

A. Amazon Lex

B. Amazon Transcribe

C. Amazon Comprehend

D. Amazon Timestream

Answer: A

A is correct because Amazon Lex is the AWS service that helps users build conversational interfaces
into applications using voice and text. B is incorrect because Amazon Transcribe is the AWS service
that helps users convert speech to text. C is incorrect because Amazon Comprehend is the AWS
service that helps users analyze text using natural language processing. D is incorrect because
Amazon Timestream is the AWS service that helps users collect, store, and process time series
data.

QUESTION NO: 646

A company wants to develop a shopping application that records customer orders. The application
needs to use an AWS managed database service to store data.
Which AWS service should the company use to meet these requirements?

A. Amazon RDS

B. Amazon Redshift

C. Amazon ElastiCache

D. Amazon Neptune

Answer: A

A is correct because Amazon RDS is the AWS service that provides a managed relational database
service that supports various database engines, such as MySQL, PostgreSQL, Oracle, and SQL
Server. B is incorrect because Amazon Redshift is the AWS service that provides a managed data
warehouse service that is optimized for analytical queries. C is incorrect because Amazon
ElastiCache is the AWS service that provides a managed in-memory data store service that supports
Redis and Memcached. D is incorrect because Amazon Neptune is the AWS service that provides a
managed graph database service that supports property graph and RDF models.

QUESTION NO: 647

A company wants to use Amazon EC2 instances for a stable production workload that will run for 1 year.

Which instance purchasing option meets these requirements MOST cost-effectively?

A. Dedicated Hosts

B. Reserved Instances

C. On-Demand Instances

D. Spot Instances

Answer: B

B is correct because Reserved Instances are the instance purchasing option that offers the most
cost-effective way to use Amazon EC2 instances for a stable production workload that will run for 1
year, as they provide significant discounts compared to On-Demand Instances in exchange for a
commitment to use a specific amount of computing power for a period of time. A is incorrect
because Dedicated Hosts are the instance purchasing option that allows customers to use physical
servers that are fully dedicated to their use, which is more expensive and less flexible than Reserved
Instances. C is incorrect because On-Demand Instances are the instance purchasing option that
allows customers to pay for compute capacity by the hour or second with no long-term
commitments, which is more suitable for short-term, variable, and unpredictable workloads. D is
incorrect because Spot Instances are the instance purchasing option that allows customers to bid
on spare Amazon EC2 computing capacity, which is more suitable for flexible, scalable, and fault-
tolerant workloads that can tolerate interruptions.

QUESTION NO: 648

A company needs a repository that stores source code. The company needs a way to update the running
software when the code changes.

Which combination of AWS services will meet these requirements? (Select TWO.)

A. AWS CodeCommit

B. AWS CodeDeploy

C. Amazon DynamoDB

D. Amazon S3

E. Amazon Elastic Container Service (Amazon ECS)

Answer: A, B

A and B are correct because AWS CodeCommit is the AWS service that provides a fully managed
source control service that hosts secure Git-based repositories1, and AWS CodeDeploy is the AWS
service that automates code deployments to any instance, including Amazon EC2 instances and
servers running on-premises2. These two services can be used together to store source code and
update the running software when the code changes. C is incorrect because Amazon DynamoDB is
the AWS service that provides a fully managed NoSQL database service that supports key-value and
document data models3. It is not related to storing source code or updating software. D is incorrect
because Amazon S3 is the AWS service that provides object storage through a web service
interface4. It can be used to store source code, but it does not provide source control features or
update software. E is incorrect because Amazon Elastic Container Service (Amazon ECS) is the AWS
service that allows users to run, scale, and secure Docker container applications. It can be used to
deploy containerized software, but it does not store source code or update software.

QUESTION NO: 649

A company is setting up AWS Identity and Access Management (IAM) on an AWS account.

Which recommendation complies with IAM security best practices?

A. Use the account root user access keys for administrative tasks.

B. Grant broad permissions so that all company employees can access the resources they need.

C. Turn on multi-factor authentication (MFA) for added security during the login process.

D. Avoid rotating credentials to prevent issues in production applications.

Answer: C

C is correct because turning on multi-factor authentication (MFA) for added security during the login
process is one of the IAM security best practices recommended by AWS. MFA adds an extra layer of
protection on top of the user name and password, making it harder for attackers to access the AWS
account. A is incorrect because using the account root user access keys for administrative tasks is
not a good practice, as the root user has full access to all the resources in the AWS account and can
cause irreparable damage if compromised. AWS recommends creating individual IAM users with the
least privilege principle and using roles for applications that run on Amazon EC2 instances. B is
incorrect because granting broad permissions so that all company employees can access the
resources they need is not a good practice, as it increases the risk of unauthorized or accidental
actions on the AWS resources. AWS recommends granting only the permissions that are required to
perform a task and using groups to assign permissions to IAM users. D is incorrect because
avoiding rotating credentials to prevent issues in production applications is not a good practice, as it
increases the risk of credential leakage or compromise. AWS recommends rotating credentials
regularly and using temporary security credentials from AWS STS when possible.

QUESTION NO: 650

A company wants to run its production workloads on AWS. The company needs concierge service, a
designated AWS technical account manager (TAM), and technical support that is available 24 hours a
day, 7 days a week.

Which AWS Support plan will meet these requirements?

A. AWS Basic Support

B. AWS Enterprise Support

C. AWS Business Support

D. AWS Developer Support

Answer: B

B is correct because AWS Enterprise Support is the AWS Support plan that provides concierge
service, a designated AWS technical account manager (TAM), and technical support that is available
24 hours a day, 7 days a week. This plan is designed for customers who run mission-critical
workloads on AWS and need the highest level of support. A is incorrect because AWS Basic Support
is the AWS Support plan that provides customer service and support for billing and account issues,
service limit increases, and technical support for a limited set of AWS services. It does not provide
concierge service, a designated TAM, or 24/7 technical support. C is incorrect because AWS
Business Support is the AWS Support plan that provides customer service and support for billing
and account issues, service limit increases, and technical support for all AWS services, as well as
access to AWS Trusted Advisor and AWS Support API. It does not provide concierge service or a
designated TAM. D is incorrect because AWS Developer Support is the AWS Support plan that
provides customer service and support for billing and account issues, service limit increases, and
technical support for all AWS services, as well as access to AWS Trusted Advisor. It does not
provide concierge service, a designated TAM, or 24/7 technical support.

QUESTION NO: 651

Which AWS service or feature can be used to control inbound and outbound traffic on an Amazon EC2
instance?

A. Internet gateways

B. AWS Identity and Access Management (IAM)

C. Network ACLs

D. Security groups

Answer: D

D is correct because security groups are the AWS service or feature that can be used to control
inbound and outbound traffic on an Amazon EC2 instance. Security groups act as a virtual firewall
for the EC2 instance, allowing users to specify which protocols, ports, and source or destination IP
addresses are allowed or denied. A is incorrect because internet gateways are the AWS service or
feature that enable communication between instances in a VPC and the internet. They do not control
the traffic on an EC2 instance. B is incorrect because AWS Identity and Access Management (IAM)
is the AWS service or feature that enables users to manage access to AWS services and resources
securely. It does not control the traffic on an EC2 instance. C is incorrect because network ACLs are
the AWS service or feature that provide an optional layer of security for the VPC that acts as a
firewall for controlling traffic in and out of one or more subnets. They do not control the traffic on an
EC2 instance.

QUESTION NO: 652

A user is moving a workload from a local data center to an architecture that is distributed between the
local data center and the AWS Cloud.

Which type of migration is this?

A. On-premises to cloud native

B. Hybrid to cloud native

C. On-premises to hybrid

D. Cloud native to hybrid

Answer: C
 C is correct because moving a workload from a local data center to an architecture that is
distributed between the local data center and the AWS Cloud is an example of an on-premises to
hybrid migration. A hybrid cloud is a cloud computing environment that uses a mix of on-premises,
private cloud, and public cloud services with orchestration between the platforms. A is incorrect
because on-premises to cloud native migration is the process of moving a workload from a local
data center to an architecture that is fully hosted and managed on the AWS Cloud. B is incorrect
because hybrid to cloud native migration is the process of moving a workload from an architecture
that is distributed between the local data center and the AWS Cloud to an architecture that is fully
hosted and managed on the AWS Cloud. D is incorrect because cloud native to hybrid migration is
the process of moving a workload from an architecture that is fully hosted and managed on the AWS
Cloud to an architecture that is distributed between the local data center and the AWS Cloud.

QUESTION NO: 653

Which AWS solution provides the ability for a company to run AWS services in the company's on-
premises data center?

A. AWS Direct Connect

B. AWS Outposts

C. AWS Systems Manager hybrid activations

D. AWS Storage Gateway

Answer: B

AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and
tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent
hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center1.

QUESTION NO: 654

A company provides a web-based ecommerce service that runs in two Availability Zones within a single
AWS Region. The web service distributes content that is stored in the Amazon S3 Standard storage class.
The company wants to improve the web service's performance globally.

What should the company do to meet this requirement?

A. Change the S3 storage class to S3 Intelligent-Tiering.

B. Deploy an Amazon CloudFront distribution to cache web server content in edge locations.

C. Use Amazon API Gateway for the web service.

D. Migrate the website ecommerce servers to Amazon EC2 with enhanced networking.

Answer: B
 Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data,
videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within
a developer-friendly environment. CloudFront can cache web server content in edge locations, which
are located closer to the end users, to improve the web service’s performance globally 2.

QUESTION NO: 655

What is a characteristic of Convertible Reserved Instances (RIs)?

A. Users can exchange Convertible RIs for other Convertible RIs from a different instance family.

B. Users can exchange Convertible RIs for other Convertible RIs in different AWS Regions.

C. Users can sell and buy Convertible RIs on the AWS Marketplace.

D. Users can shorten the term of their Convertible RIs by merging them with other Convertible RIs.

Answer: A

Convertible Reserved Instances (RIs) are a type of Reserved Instance that allow you to change the
attributes of the RI as long as the exchange results in the creation of Reserved Instances of equal or
greater value. You can exchange Convertible RIs for other Convertible RIs from a different instance
family, size, platform, tenancy, or scope (Region or Availability Zone) 3.

QUESTION NO: 656

Which AWS service is always available free of charge to users?

A. Amazon Athena

B. AWS Identity and Access Management (IAM)

C. AWS Secrets Manager

D. Amazon ElastiCache

A company has only basic knowledge of AWS technologies.

Answer: B

AWS Identity and Access Management (IAM) is a web service that helps you securely control access
to AWS resources for your users. You use IAM to control who can use your AWS resources
(authentication) and what resources they can use and in what ways (authorization). IAM is always
available free of charge to users4.

QUESTION NO: 657

Which AWS service provides the SIMPLEST way for the company to establish a website on AWS?

A. Amazon Elastic File System (Amazon EFS)

B. AWS Elastic Beanstalk

C. AWS Lambda

D. Amazon Lightsail

Answer: D

Amazon Lightsail is an easy-to-use cloud platform that offers you everything needed to build an
application or website, plus a cost-effective, monthly plan. Whether you’re new to the cloud or
looking to get on the cloud quickly with AWS infrastructure you trust, we’ve got you covered.
Lightsail provides the simplest way for the company to establish a website on AWS.

QUESTION NO: 658

A company wants to migrate its application to AWS. The company wants to replace upfront expenses
with variable payment that is based on usage.

What should the company do to meet these requirements?

A. Use pay-as-you-go pricing.

B. Purchase Reserved Instances.

C. Pay less by using more.

D. Rightsize instances.

Answer: A

Pay-as-you-go pricing is one of the main benefits of AWS. With pay-as-you-go pricing, you pay only
for what you use, when you use it. There are no long-term contracts, termination fees, or complex
licensing. You replace upfront expenses with lower variable costs and pay only for the resources you
consume.

QUESTION NO: 659

A company manages factory machines in real time. The company wants to use AWS technology to
deploy its monitoring applications as close to the factory machines as possible.

Which AWS solution will meet these requirements with the LEAST latency?

A. AWS Outposts

B. Amazon EC2
C. AWS App Runner

D. AWS Batch

Answer: A

AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and
tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent
hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center1.

QUESTION NO: 660

Which option is a pillar of the AWS Well-Architected Framework?

A. Patch management

B. Cost optimization

C. Business technology strategy

D. Physical and environmental controls

Answer: B

The AWS Well-Architected Framework helps you understand the pros and cons of decisions you
make while building systems on AWS. By using the Framework, you will learn architectural best
practices for designing and operating reliable, secure, efficient, and cost-effective systems in the
cloud. The Framework consists of five pillars: operational excellence, security, reliability,
performance efficiency, and cost optimization2.

QUESTION NO: 661

A company is collecting user behavior patterns to identify how to meet goals for sustainability impact.

Which guidelines are best practices for the company to implement to meet these goals? (Select TWO.)

A. Scale infrastructure with user load.

B. Maximize the geographic distance between workloads and user locations.

C. Eliminate creation and maintenance of unused assets.

D. Scale resources with excess capacity and remove auto scaling.

E. Scale infrastructure based on the number of users.

Answer: A, C

To meet the goals for sustainability impact, the company should follow the best practices of scaling
infrastructure with user load and eliminating creation and maintenance of unused assets. Scaling
infrastructure with user load means adjusting the capacity of the infrastructure to match the
demand of the users, which can reduce the energy consumption and carbon footprint of the
system. Eliminating creation and maintenance of unused assets means avoiding the waste of
resources and money on assets that are not needed or used, which can also improve the
environmental and economic efficiency of the system3.

QUESTION NO: 662

A company is running an application on AWS. The company wants to identify and prevent the accidental

Which AWS service or feature will meet these requirements?

A. Amazon GuardDuty

B. Network ACL

C. AWS WAF

D. AWS Network Firewall

Answer: A

Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity
and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3.
With the cloud, the collection and aggregation of account and network activities is simplified, but it
can be time consuming for security teams to continuously analyze event log data for potential
threats. With GuardDuty, you can automate anomaly detection and get actionable findings to help
you protect your AWS resources4.

QUESTION NO: 663

A company has an Amazon S3 bucket containing images of scanned financial invoices. The company is
building an artificial intelligence (Al)-based application on AWS. The company wants the application to
identify and read total balance amounts on the invoices.

Which AWS service will meet these requirements?

A. Amazon Forecast

B. Amazon Textract

C. Amazon Rekognition

D. Amazon Lex

Answer: B

Amazon Textract is a service that automatically extracts text and data from scanned documents.
Amazon Textract goes beyond simple optical character recognition (OCR) to also identify the
contents of fields in forms and information stored in tables. Amazon Textract can analyze images of
scanned financial invoices and extract the total balance amounts, as well as other relevant
information, such as invoice number, date, vendor name, etc 5.

QUESTION NO: 664

A company migrated its core application onto multiple workloads in the AWS Cloud. The company wants
to improve the application's reliability.

Which cloud design principle should the company implement to achieve this goal?

A. Maximize utilization.

B. Decouple the components.

C. Rightsize the resources.

D. Adopt a consumption model.

Answer: B

Decoupling the components of an application means reducing the dependencies and interactions
between them, which can improve the application’s reliability, scalability, and
performance. Decoupling can be achieved by using services such as Amazon Simple Queue Service
(Amazon SQS), Amazon Simple Notification Service (Amazon SNS), and AWS Lambda 1

QUESTION NO: 665

A company is using AWS Organizations to configure AWS accounts.

A company is planning its migration to the AWS Cloud. The company is identifying its capability gaps by
using the AWS Cloud Adoption Framework (AWS CAF) perspectives.

Which phase of the cloud transformation journey includes these identification activities?

A. Envision

B. Align

C. Scale

D. Launch

Answer: A

The Envision phase of the cloud transformation journey is where the company defines its vision,
business drivers, and desired outcomes for the cloud adoption. The company also identifies its
capability gaps by using the AWS Cloud Adoption Framework (AWS CAF) perspectives, which are
business, people, governance, platform, security, and operations 2.
QUESTION NO: 666

Which aspect of security is the customer's responsibility, according to the AWS shared responsibility
model?

A. Patch and configuration management

B. Service and communications protection or zone security

C. Physical and environmental controls

D. Awareness and training

Answer: A

According to the AWS shared responsibility model, AWS is responsible for the security of the cloud,
while the customer is responsible for the security in the cloud. This means that AWS provides the
physical and environmental controls, the service and communications protection, and the awareness
and training for its employees, while the customer provides the patch and configuration
management, the identity and access management, the data encryption, and the firewall
configuration for its resources3.

QUESTION NO: 667

A developer needs to maintain a development environment infrastructure and a production

environment infrastructure in a repeatable fashion.

Which AWS service should the developer use to meet these requirements?

A. AWS Ground Station

B. AWS Shield

C. AWS loT Device Defender

D. AWS CloudFormation

Answer: D

AWS CloudFormation is a service that allows you to model and provision your AWS and third-party
application resources in a repeatable and predictable way. You can use AWS CloudFormation to
create, update, and delete a collection of resources as a single unit, called a stack. You can also use
AWS CloudFormation to manage your development and production environments in a consistent
and efficient manner4.
QUESTION NO: 668

A company wants to migrate its on-premises application to the AWS Cloud. The company is legally
obligated to retain certain data in its onpremises data center.

Which AWS service or feature will support this requirement?

A. AWS Wavelength

B. AWS Local Zones

C. VMware Cloud on AWS

D. AWS Outposts

Answer: D

AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and
tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent
hybrid experience. AWS Outposts enables you to run AWS services in your on-premises data center,
which can support the requirement of retaining certain data on-premises due to legal obligations5.

QUESTION NO: 669

A company has set up a VPC in its AWS account and has created a subnet in the VPC. The company
wants to make the subnet public.

Which AWS features should the company use to meet this requirement? (Select TWO.)

A. Amazon VPC internet gateway

B. Amazon VPC NAT gateway

C. Amazon VPC route tables

D. Amazon VPC network ACL

E. Amazon EC2 security groups

Answer: A, C

To make a subnet public, the company should use an Amazon VPC internet gateway and an
Amazon VPC route table. An internet gateway is a horizontally scaled, redundant, and highly
available VPC component that allows communication between your VPC and the internet. A route
table contains a set of rules, called routes, that are used to determine where network traffic from
your subnet or gateway is directed. To enable internet access for a subnet, you need to attach an
internet gateway to your VPC and add a route to the internet gateway in the route table associated
with the subnet.
QUESTION NO: 670

A company has a compliance requirement to record and evaluate configuration changes, as well as
perform remediation actions on AWS resources.

Which AWS service should the company use?

A. AWS Config

B. AWS Secrets Manager

C. AWS CloudTrail

D. AWS Trusted Advisor

Answer: A

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your
AWS resources. AWS Config continuously monitors and records your AWS resource configurations
and allows you to automate the evaluation of recorded configurations against desired
configurations. With AWS Config, you can review changes in configurations and relationships
between AWS resources, dive into detailed resource configuration histories, and determine your
overall compliance against the configurations specified in your internal guidelines. This can help you
simplify compliance auditing, security analysis, change management, and operational
troubleshooting1.

QUESTION NO: 671

A retail company has recently migrated its website to AWS. The company wants to ensure that it is
protected from SQL injection attacks. The website uses an Application Load Balancer to distribute traffic
to multiple Amazon EC2 instances.

Which AWS service or feature can be used to create a custom rule that blocks SQL injection attacks?

A. Security groups

B. AWS WAF

C. Network ACLs

D. AWS Shield

Answer: B

AWS WAF is a web application firewall that helps protect your web applications or APIs against
common web exploits that may affect availability, compromise security, or consume excessive
resources. AWS WAF gives you control over how traffic reaches your applications by enabling you to
create security rules that block common attack patterns, such as SQL injection or cross-site
scripting, and rules that filter out specific traffic patterns you define 2. You can use AWS WAF to
create a custom rule that blocks SQL injection attacks on your website.

QUESTION NO: 672

A company has an application workload that is stateless by design and can sustain occasional downtime.
The application performs massively parallel computations.

Which Amazon EC2 pricing model should the company choose for its application to reduce cost?

A. On-Demand Instances

B. Spot Instances

C. Reserved Instances

D. Dedicated Instances

Answer: B

Amazon EC2 Spot Instances let you take advantage of unused EC2 capacity in the AWS cloud. Spot
Instances are available at up to a 90% discount compared to On-Demand prices. You can use Spot
Instances for various stateless, fault-tolerant, or flexible applications such as big data, containerized
workloads, CI/CD, web servers, high-performance computing (HPC), and other test & development
workloads. Spot Instances are well-suited for massively parallel computations, as they can provide
large amounts of compute capacity at a low cost, and can be interrupted with a two-minute notice3

Topic 3, Exam Pool C

QUESTION NO: 673

A company wants to store data with high availability, encrypt the data at rest, and have direct access to
the data over the internet.

Which AWS service will meet these requirements MOST cost-effectively?

A. Amazon Elastic Block Store (AmazonEBS)

B. Amazon S3

C. Amazon Elastic File System (Amazon EFS)

D. AWS Storage Gateway

Answer: C
Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS
file system for use with AWS Cloud services and on-premises resources. It is built to scale on
demand to petabytes without disrupting applications, growing and shrinking automatically as you
add and remove files, eliminating the need to provision and manage capacity to accommodate
growth. Amazon EFS offers two storage classes: the Standard storage class, and the Infrequent
Access storage class (EFS IA). EFS IA provides price/performance that is cost-optimized for files not
accessed every day. Amazon EFS encrypts data at rest and in transit, and supports direct access
over the internet4.

QUESTION NO: 674

Which AWS service or feature enables users to encrypt data at rest in Amazon S3?

A. IAM policies

B. Server-side encryption

C. Amazon GuardDuty

D. Client-side encryption

Answer: B

Server-side encryption is an encryption option that Amazon S3 provides to encrypt data at rest in
Amazon S3. With server-side encryption, Amazon S3 encrypts an object before saving it to disk in its
data centers and decrypts it when you download the objects. You have three server-side encryption
options to choose from: SSE-S3, SSE-C, and SSE-KMS. SSE-S3 uses keys that are managed by
Amazon S3. SSE-C allows you to manage your own encryption keys. SSE-KMS uses keys that are
managed by AWS Key Management Service (AWS KMS) 5.

QUESTION NO: 675

An auditor is preparing for an annual security audit. The auditor requests certification details for a
company's AWS hosted resources across multiple Availability Zones in the us-east-1 Region.

How should the company respond to the auditor's request?

A. Open an AWS Support ticket to request that the AWS technical account manager (TAM) respond and
help the auditor.

B. Open an AWS Support ticket to request that the auditor receive approval to conduct an onsite
assessment of the AWS data centers in
which the company operates.

C. Explain to the auditor that AWS does not need to be audited because the company's application is
hosted in multiple Availability

Zones.

D. Use AWS Artifact to download the applicable report for AWS security controls. Provide the report to
the auditor.

Answer: D

AWS Artifact is your go-to, central resource for compliance-related information that matters to you.
It provides on-demand access to AWS’ security and compliance reports and select online
agreements. Reports available in AWS Artifact include our Service Organization Control (SOC)
reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across
geographies and compliance verticals that validate the implementation and operating effectiveness
of AWS security controls. Agreements available in AWS Artifact include the Business Associate
Addendum (BAA) and the Nondisclosure Agreement (NDA). You can use AWS Artifact to download
the applicable report for AWS security controls and provide it to the auditor.

QUESTION NO: 676

Which AWS service provides encryption at rest for Amazon RDS and for Amazon Elastic Block Store
(Amazon EBS) volumes?

A. AWS Lambda

B. AWS Key Management Service (AWS KMS)

C. AWSWAF

D. Amazon Rekognition

Answer: B

AWS Key Management Service (AWS KMS) is a managed service that enables you to easily encrypt
your data. AWS KMS provides you with centralized control of the encryption keys used to protect
your data. You can use AWS KMS to encrypt data in Amazon RDS and Amazon EBS volumes 12

QUESTION NO: 677

Which task can only an AWS account root user perform?

A. Changing the AWS Support plan

B. Deleting AWS resources

C. Creating an Amazon EC2 instance key pair

D. Configuring AWS WAF

Answer: A

The AWS account root user is the email address that you use to sign up for AWS. The root user has
complete access to all AWS services and resources in the account. The root user can perform tasks
that only the root user can do, such as changing the AWS Support plan, closing the account, and
restoring IAM user permissions34

QUESTION NO: 678

A company is considering migration to the AWS Cloud. The company wants a fully managed service or
feature that can transfer streaming data from multiple sources to an Amazon S3 bucket.

Which AWS service or feature should the company use to meet these requirements?

A. AWS DataSync

B. Amazon Kinesis Data Firehose

C. S3 Select

D. AWS Transfer Family

Answer: B

Amazon Kinesis Data Firehose is a fully managed service that delivers real-time streaming data to
destinations such as Amazon S3, Amazon Redshift, Amazon Elasticsearch Service, and Splunk. You
can use Amazon Kinesis Data Firehose to capture, transform, and load streaming data from multiple
sources, such as web applications, mobile devices, IoT sensors, and social media.

QUESTION NO: 679

Which Amazon S3 storage class is the MOST cost-effective for long-term storage?

A. S3 Glacier Deep Archive

B. S3 Standard

C. S3 Standard-Infrequent Access (S3 Standard-IA)

D. S3 One Zone-Infrequent Access (S3 One Zone-IA)

Answer: A

Amazon S3 Glacier Deep Archive is the lowest-cost storage class in the cloud. It is designed for
long-term data archiving that is rarely accessed. It offers a retrieval time of 12 hours and a durability
of 99.999999999% (11 9’s). It is ideal for data that must be retained for 7 years or longer to meet
regulatory compliance requirements.
QUESTION NO: 680

A company is launching a mobile app. The company wants customers to be able to use the app without
upgrading their mobile devices.

Which pillar of the AWS Well-Architected Framework does this goal represent?

A. Security

B. Reliability

C. Cost optimization

D. Sustainability

Answer: C

Cost optimization is one of the five pillars of the AWS Well-Architected Framework. It focuses on
avoiding unnecessary costs, understanding and controlling where money is being spent, selecting
the most appropriate and right number of resource types, analyzing spend over time, and scaling to
meet business needs without overspending.

QUESTION NO: 681

Which AWS service can a company use to find security and compliance reports, including International
Organization for Standardization (ISO) reports?

A. AWS Artifact

B. Amazon CloudWatch

C. AWS Config

D. AWS Audit Manager

Answer: A

AWS Artifact is a self-service portal that provides on-demand access to AWS security and
compliance reports and select online agreements. You can use AWS Artifact to download AWS
service audit reports, such as ISO, PCI, and SOC, and to accept and manage agreements with AWS,
such as the Business Associate Addendum (BAA).

QUESTION NO: 682

Which database engines does Amazon Aurora support? (Select TWO.)

A. Oracle

B. Microsoft SQL Server

C. MySQL

D. PostgreSQL

E. MongoDB

Answer: C, D

Amazon Aurora is a relational database service that is compatible with MySQL and PostgreSQL
engines. It delivers up to five times the performance of MySQL and up to three times the
performance of PostgreSQL. It also provides high availability, scalability, security, and durability 1

QUESTION NO: 683

A company's headquarters is located on a different continent from where the majority of the company's
customers live. The company wants an AWS Cloud environment setup that will provide the lowest
latency to the customers.

A company wants to automate the creation of new AWS accounts and automatically prevent all users
from creating Amazon EC2

instances.

Which AWS service provides this functionality?

A. AWS Service Catalog

B. AWS Organizations

C. EC2 Image Builder

D. AWS Systems Manager

Answer: B

AWS Organizations is a service that enables you to create and manage multiple AWS accounts
centrally. You can use AWS Organizations to automate account creation, apply policies to control
access and permissions, and consolidate billing across your accounts. You can also use AWS
Organizations to prevent users from creating Amazon EC2 instances in certain regions or with
certain configurations2

QUESTION NO: 684

A company needs to set up user authentication for a new application. Users must be able to sign in
directly with a user name and password, or through a third-party provider.

Which AWS service should the company use to meet these requirements?
A. AWS IAM Identity Center (AWS Single Sign-On)

B. AWS Signer

C. Amazon Cognito

D. AWS Directory Service

Answer: C

Amazon Cognito is a service that provides user authentication and authorization for web and mobile
applications. You can use Amazon Cognito to enable users to sign in directly with a user name and
password, or through a third-party provider, such as Facebook, Google, or Amazon. You can also use
Amazon Cognito to manage user profiles, preferences, and security settings 3

QUESTION NO: 685

Which abilities are benefits of the AWS Cloud? (Select TWO.)

A. Trade variable expenses for capital expenses.

B. Deploy globally in minutes.

C. Plan capacity in advance of deployments.

D. Take advantage of economies of scale.

E. Reduce dependencies on network connectivity.

Answer: A, B

The AWS Cloud offers many benefits, such as:

• Trade variable expenses for capital expenses: You can pay only for the resources you use,
instead of investing in fixed costs upfront. This reduces the risk and complexity of planning
and managing your IT infrastructure4
• Deploy globally in minutes: You can leverage the global infrastructure of AWS to deploy your
applications and data in multiple regions and availability zones. This enables you to reach
your customers faster, improve performance, and increase reliability 5

QUESTION NO: 686

Which benefits can customers gain by using AWS Marketplace? (Select TWO.)

A. Speed of business

B. Fewer legal objections

C. Ability to pay with credit cards

D. No requirement for product licenses for any products

E. Free use of all services for the first hour

Answer: A, B

AWS Marketplace is a digital catalog that offers thousands of software products and solutions from
independent software vendors (ISVs) and AWS partners. Customers can use AWS Marketplace to
find, buy, and deploy software on AWS. Some of the benefits of using AWS Marketplace are:
• Speed of business: You can quickly and easily discover and deploy software that meets your
business needs, without having to go through lengthy procurement processes. You can also
use AWS Marketplace to test and compare different solutions before making a purchase
decision.
• Fewer legal objections: You can benefit from standardized contract terms and conditions
that are pre-negotiated between AWS and the ISVs. This reduces the time and effort required
to review and approve legal agreements.

QUESTION NO: 687

A company wants to receive alerts to monitor its overall operating costs for its AWS public cloud
infrastructure.

Which AWS offering will meet these requirements?

A. Amazon EventBridge

B. Compute Savings Plans

C. AWS Budgets

D. Migration Evaluator

Answer: C

AWS Budgets is a service that enables you to plan your service usage, service costs, and instance
reservations. You can use AWS Budgets to create custom budgets that alert you when your costs or
usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets
to monitor how close your usage and costs are to meeting your reservation purchases 1

QUESTION NO: 688

According to the AWS shared responsibility model, which task is the customer's responsibility?

A. Maintaining the infrastructure needed to run AWS Lambda

B. Updating the operating system of Amazon DynamoDB instances

C. Maintaining Amazon S3 infrastructure

D. Updating the guest operating system on Amazon EC2 instances

Answer: D

The AWS shared responsibility model describes the division of responsibilities between AWS and
the customer for security and compliance. AWS is responsible for the security of the cloud, which
includes the hardware, software, networking, and facilities that run AWS services. The customer is
responsible for security in the cloud, which includes the customer data, applications, operating
systems, and network and firewall configurations. Therefore, updating the guest operating system
on Amazon EC2 instances is the customer’s responsibility 2

QUESTION NO: 689

Which of the following actions are controlled with AWS Identity and Access Management (IAM)? (Select
TWO.)

A. Control access to AWS service APIs and to other specific resources.

B. Provide intelligent threat detection and continuous monitoring.

C. Protect the AWS environment using multi-factor authentication (MFA).

D. Grant users access to AWS data centers.

E. Provide firewall protection for applications from common web attacks.

Answer: A, C

AWS Identity and Access Management (IAM) is a service that enables you to manage access to
AWS services and resources securely. You can use IAM to perform the following actions:
• Control access to AWS service APIs and to other specific resources: You can create users,
groups, roles, and policies that define who can access which AWS resources and how. You
can also use IAM to grant temporary access to users or applications that need to perform
certain tasks on your behalf3
• Protect the AWS environment using multi-factor authentication (MFA): You can enable MFA
for your IAM users and root user to add an extra layer of security to your AWS account. MFA
requires users to provide a unique authentication code from an approved device or SMS text
message, in addition to their user name and password, when they sign in to AWS 4

QUESTION NO: 690

A company needs to securely store important credentials that an application uses to connect users to a
database.

Which AWS service can meet this requirement with the MINIMAL amount of operational overhead?
A. AWS Key Management Service (AWS KMS)

B. AWS Config

C. AWS Secrets Manager

D. Amazon GuardDuty

Answer: C

AWS Secrets Manager is a service that helps you protect secrets needed to access your
applications, services, and IT resources. You can use AWS Secrets Manager to store, rotate, and
retrieve database credentials, API keys, and other secrets throughout their lifecycle. AWS Secrets
Manager eliminates the need to hardcode sensitive information in plain text, and reduces the risk of
unauthorized access or leakage. AWS Secrets Manager also integrates with other AWS services,
such as AWS Lambda, Amazon RDS, and AWS CloudFormation, to simplify the management of
secrets across your environment5

QUESTION NO: 691

Which AWS service or feature is associated with a subnet in a VPC and is used to control inbound and
outbound traffic?

A. Amazon Inspector

B. Network ACLs

C. AWS Shield

D. VPC Flow Logs

Answer: B

Network ACLs (network access control lists) are an optional layer of security for your VPC that act
as a firewall for controlling traffic in and out of one or more subnets. You can use network ACLs to
allow or deny traffic based on protocol, port, or source and destination IP address. Network ACLs
are stateless, meaning that they do not track the traffic that flows through them. Therefore, you
must create rules for both inbound and outbound traffic.

QUESTION NO: 692

Which task does AWS perform automatically?

A. Encrypt data that is stored in Amazon DynamoDB.

B. Patch Amazon EC2 instances.

C. Encrypt user network traffic.

D. Create TLS certificates for users' websites.

Answer: B

AWS performs some tasks automatically to help you manage and secure your AWS resources. One
of these tasks is patching Amazon EC2 instances. AWS provides two options for patching your EC2
instances: managed instances and patch baselines. Managed instances are a group of EC2
instances or on-premises servers that you can manage using AWS Systems Manager. Patch
baselines define the patches that AWS Systems Manager applies to your instances. You can use
AWS Systems Manager to automate the process of patching your instances based on a schedule or
a maintenance window.

QUESTION NO: 693

A company is migrating its data center to AWS. The company needs an AWS Support plan that provides
chat access to a cloud sup engineer 24 hours a day, 7 days a week. The company does not require access
to infrastructure event management.

What is the MOST cost-effective AWS Support plan that meets these requirements?

A. AWS Enterprise Support

B. AWS Business Support

C. AWS Developer Support

D. AWS Basic Support

Answer: B

AWS Business Support is the most cost-effective AWS Support plan that provides chat access to a
cloud support engineer 24/7. AWS Business Support also offers phone and email support, as well as
a response time of less than one hour for urgent issues. AWS Business Support does not include
access to infrastructure event management, which is a feature of AWS Enterprise Support. AWS
Enterprise Support is more expensive and provides additional benefits, such as a technical account
manager, a support concierge, and a response time of less than 15 minutes for critical issues. AWS
Developer Support and AWS Basic Support do not provide chat access to a cloud support engineer.
AWS Developer Support provides email support and a response time of less than 12 hours for
general guidance issues. AWS Basic Support provides customer service and account support, as
well as access to forums and documentation1

QUESTION NO: 694

In the AWS shared responsibility model, which tasks are the responsibility of AWS? (Select TWO.)

A. Patch an Amazon EC2 instance operating system.

B. Configure a security group.

C. Monitor the health of an Availability Zone.

D. Protect the infrastructure that runs Amazon EC2 instances.

E. Manage access to the data in an Amazon S3 bucket

Answer: C, D

According to the AWS shared responsibility model, AWS is responsible for the security of the cloud,
which includes the tasks of monitoring the health of an Availability Zone and protecting the
infrastructure that runs Amazon EC2 instances. An Availability Zone is a physically isolated location
within an AWS Region that has its own power, cooling, and network connectivity. AWS monitors the
health and performance of each Availability Zone and notifies customers of any issues or
disruptions. AWS also protects the infrastructure that runs AWS services, such as Amazon EC2, by
implementing physical, environmental, and operational security measures. AWS is not responsible
for patching an Amazon EC2 instance operating system, configuring a security group, or managing
access to the data in an Amazon S3 bucket. These are the customer’s responsibilities for security in
the cloud. The customer must ensure that the operating system and applications on their EC2
instances are up to date and secure. The customer must also configure the security group rules that
control the inbound and outbound traffic for their EC2 instances. The customer must also manage
the access permissions and encryption settings for their S3 buckets and objects 2

QUESTION NO: 695

A company’s IT team is managing MySQL database server clusters. The IT team has to patch the
database and take backup snapshots of the data in the clusters. The company wants to move this
workload to AWS so that these tasks will be completed automatically.

What should the company do to meet these requirements?

A. Deploy MySQL database server clusters on Amazon EC2 instances.

B. Use Amazon RDS with a MySQL database.

C. Use an AWS CloudFormation template to deploy MySQL database servers on Amazon EC2 instances.

D. Migrate all the MySQL database data to Amazon S3.

Answer: B

Amazon RDS is a service that makes it easy to set up, operate, and scale a relational database in the
cloud. Amazon RDS supports MySQL as one of the database engines. By using Amazon RDS with a
MySQL database, the company can offload the tasks of patching the database and taking backup
snapshots to AWS. Amazon RDS automatically patches the database software and operating
system of the database instances. Amazon RDS also automatically backs up the database and
retains the backups for a user-defined retention period. The company can also restore the database
to any point in time within the retention period. Deploying MySQL database server clusters on
Amazon EC2 instances, using an AWS CloudFormation template to deploy MySQL database servers
on Amazon EC2 instances, or migrating all the MySQL database data to Amazon S3 are not the best
options to meet the requirements. These options would not automate the tasks of patching the
database and taking backup snapshots, and would require more operational overhead from the
company3

QUESTION NO: 696

A company needs to store infrequently used data for data archives and long-term backups.

A company needs a history report about how its Amazon EC2 instances were modified last month.

Which AWS service can be used to meet this requirement?

A. AWS Service Catalog

B. AWS Config

C. Amazon CloudWatch

D. AWS Artifact

Answer: B

AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your
AWS resources. AWS Config continuously monitors and records your AWS resource configurations
and allows you to automate the evaluation of recorded configurations against desired
configurations. AWS Config can also track changes to your EC2 instances over time and provide a
history report of the modifications. AWS Service Catalog, Amazon CloudWatch, and AWS Artifact are
not the best services to meet this requirement. AWS Service Catalog is a service that allows you to
create and manage catalogs of IT services that are approved for use on AWS. Amazon CloudWatch
is a service that monitors your AWS resources and applications and provides metrics, alarms,
dashboards, and logs. AWS Artifact is a service that provides on-demand access to AWS security
and compliance reports and online agreements

QUESTION NO: 697

A company wants to use the latest technologies and wants to minimize its capital investment. Instead of
upgrading on-premises infrastructure, the company wants to move to the AWS Cloud.

Which AWS Cloud benefit does this scenario describe?

A. Increased speed to market

B. The trade of infrastructure expenses for operating expenses

C. Massive economies of scale

D. The ability to go global in minutes

Answer: B

The trade of infrastructure expenses for operating expenses is one of the benefits of the AWS
Cloud. By moving to the AWS Cloud, the company can avoid the upfront costs of purchasing and
maintaining on-premises infrastructure, such as servers, storage, network, and software. Instead, the
company can pay only for the AWS resources and services that they use, as they use them. This
reduces the risk and complexity of planning and managing IT infrastructure, and allows the company
to focus on innovation and growth. Increased speed to market, massive economies of scale, and the
ability to go global in minutes are also benefits of the AWS Cloud, but they are not the best ones to
describe this scenario. Increased speed to market means that the company can launch new
products and services faster by using AWS services and tools. Massive economies of scale means
that the company can benefit from the lower costs and higher performance that AWS achieves by
operating at a large scale. The ability to go global in minutes means that the company can deploy
their applications and data in multiple regions and availability zones around the world to reach their
customers faster and improve performance and reliability 5

QUESTION NO: 698

Which AWS service provides threat detection by monitoring for malicious activities and unauthorized
actions to protect AWS accounts, workloads, and data that is stored in Amazon S3?

A. AWS Shield

B. AWS Firewall Manager

C. Amazon GuardDuty

D. Amazon Inspector

Answer: C

Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring
for your AWS accounts, workloads, and data. Amazon GuardDuty analyzes and processes data
sources, such as VPC Flow Logs, AWS CloudTrail event logs, and DNS logs, to identify malicious
activities and unauthorized actions, such as reconnaissance, instance compromise, account
compromise, and data exfiltration. Amazon GuardDuty can also detect threats to your data stored in
Amazon S3, such as API calls from unusual locations or disabling of preventative controls. Amazon
GuardDuty generates findings that summarize the details of the detected threats and provides
recommendations for remediation. AWS Shield, AWS Firewall Manager, and Amazon Inspector are
not the best services to meet this requirement. AWS Shield is a service that provides protection
against distributed denial of service (DDoS) attacks. AWS Firewall Manager is a service that allows
you to centrally configure and manage firewall rules across your accounts and resources. Amazon
Inspector is a service that assesses the security and compliance of your applications running on
EC2 instances.
QUESTION NO: 699

Amazon Elastic File System (Amazon EFS) and Amazon FSx offer which type of storage?

A. File storage

B. Object storage

C. Block storage

D. Instance store

Answer: A

Amazon Elastic File System (Amazon EFS) and Amazon FSx are AWS services that offer file storage.
File storage is a type of storage that organizes data into files and folders that can be accessed and
shared over a network. File storage is suitable for applications that require shared access to data,
such as content management, media processing, and web serving. Amazon EFS provides a simple,
scalable, and fully managed elastic file system that can be used with AWS Cloud services and on-
premises resources. Amazon FSx provides fully managed third-party file systems, such as Windows
File Server and Lustre, with native compatibility and high performance 12

QUESTION NO: 700

Which AWS service provides protection against DDoS attacks for applications that run in the AWS Cloud?

A. Amazon VPC

B. AWS Shield

C. AWS Audit Manager

D. AWS Config

Answer: B

AWS Shield is an AWS service that provides protection against distributed denial of service (DDoS)
attacks for applications that run in the AWS Cloud. DDoS attacks are attempts to make an online
service unavailable by overwhelming it with traffic from multiple sources. AWS Shield provides two
tiers of protection: AWS Shield Standard and AWS Shield Advanced. AWS Shield Standard is
automatically enabled for all AWS customers at no additional charge. It provides protection against
common and frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced
is an optional paid service that provides additional protection against larger and more sophisticated
DDoS attacks. AWS Shield Advanced also provides access to 24/7 DDoS response team, cost
protection, and enhanced detection and mitigation capabilities

QUESTION NO: 701

A company wants to migrate its server-based applications to the AWS Cloud. The company wants to
determine the total cost of ownership for its compute resources that will be hosted on the AWS Cloud.

Which combination of AWS services or tools will meet these requirements?

A. AWS Pricing Calculator

B. Migration Evaluator

C. AWS Support Center

D. AWS Application Discovery Service

E. AWS Database Migration Service (AWS DMS)

Answer: A, D

AWS Pricing Calculator and AWS Application Discovery Service are the best combination of AWS
services or tools to meet the requirements of determining the total cost of ownership for compute
resources that will be hosted on the AWS Cloud. AWS Pricing Calculator is a tool that enables you to
estimate the cost of using AWS services based on your usage scenarios and requirements. You can
use AWS Pricing Calculator to compare the costs of running your applications on-premises or on
AWS, and to optimize your AWS spending. AWS Application Discovery Service is a service that helps
you plan your migration to the AWS Cloud by collecting and analyzing information about your on-
premises servers, applications, and dependencies. You can use AWS Application Discovery Service
to identify the inventory of your on-premises infrastructure, group servers by applications, and
estimate the performance and resource utilization of your applications 45

QUESTION NO: 702

A company is planning to migrate to the AWS Cloud and wants to become more responsive to customer
inquiries and feedback. The company wants to focus on organizational transformation.

A company wants to give its customers the ability to view specific data that is hosted in Amazon S3
buckets. The company wants to keep control over the full datasets that the company shares with the
customers.

Which S3 feature will meet these requirements?

A. S3 Storage Lens

B. S3 Cross-Region Replication (CRR)

C. S3 Versioning

D.S3 Access Points

Answer: D
S3 Access Points are a feature of Amazon S3 that allows you to easily manage access to specific
data that is hosted in S3 buckets. S3 Access Points are unique hostnames that customers can use
to access data in S3 buckets. You can create multiple access points for a single bucket, each with
its own name and permissions. You can use S3 Access Points to provide different levels of access
to different groups of customers, such as read-only or write-only access. You can also use S3
Access Points to enforce encryption or logging requirements for specific data. S3 Access Points
help you keep control over the full datasets that you share with your customers, while simplifying the
access management and improving the performance and scalability of your applications.

QUESTION NO: 703

Which AWS services can limit manual errors by consistently provisioning AWS resources in multiple
envirom

A. AWS Config

B. AWS CodeStar

C. AWS CloudFormation

D. AWS Cloud Development Kit (AWS CDK)

E. AWS CodeBuild

Answer: C, D

AWS CloudFormation and AWS Cloud Development Kit (AWS CDK) are AWS services that can limit
manual errors by consistently provisioning AWS resources in multiple environments. AWS
CloudFormation is a service that enables you to model and provision AWS resources using
templates. You can use AWS CloudFormation to define the AWS resources and their dependencies
that you need for your applications, and to automate the creation and update of those resources
across multiple environments, such as development, testing, and production. AWS CloudFormation
helps you ensure that your AWS resources are configured consistently and correctly, and that you
can easily replicate or modify them as needed. AWS Cloud Development Kit (AWS CDK) is a service
that enables you to use familiar programming languages, such as Python, TypeScript, Java, and C#,
to define and provision AWS resources. You can use AWS CDK to write code that synthesizes into
AWS CloudFormation templates, and to leverage the existing libraries and tools of your preferred
language. AWS CDK helps you reduce the complexity and errors of writing and maintaining AWS
CloudFormation templates, and to apply the best practices and standards of software development
to your AWS infrastructure.

QUESTION NO: 704

A company processes personally identifiable information (Pll) and must keep data in the country where
it was generated. The company wants to use Amazon EC2 instances for these workloads.

Which AWS service will meet these requirements?

A. AWS Outposts

B. AWS Storage Gateway

C. AWS DataSync

D. AWS OpsWorks

Answer: A

AWS Outposts is an AWS service that extends AWS infrastructure, services, APIs, and tools to
virtually any datacenter, co-location space, or on-premises facility. AWS Outposts enables you to run
Amazon EC2 instances and other AWS services locally, while maintaining a consistent and seamless
connection to the AWS Cloud. AWS Outposts is ideal for workloads that require low latency, local
data processing, or data residency. By using AWS Outposts, the company can process personally
identifiable information (PII) and keep data in the country where it was generated, while leveraging
the benefits of AWS

QUESTION NO: 705

Which tasks are customer responsibilities, according to the AWS shared responsibility model? (Select
TWO.)

A. Configure the AWS provided security group firewall.

B. Classify company assets in the AWS Cloud.

C. Determine which Availability Zones to use for Amazon S3 buckets.

D. Patch or upgrade Amazon DynamoDB.

E. Select Amazon EC2 instances to run AWS Lambda on.

D. AWS Config

Answer: A, B

According to the AWS shared responsibility model, the customer is responsible for security in the
cloud, which includes the tasks of configuring the AWS provided security group firewall and
classifying company assets in the AWS Cloud. A security group is a virtual firewall that controls the
inbound and outbound traffic for one or more EC2 instances. The customer must configure the
security group rules to allow or deny traffic based on protocol, port, or source and destination IP
address2 Classifying company assets in the AWS Cloud means identifying the types, categories, and
sensitivity levels of the data and resources that the customer stores and processes on AWS. The
customer must also determine the applicable compliance requirements and regulations that apply to
their assets, and implement the appropriate security controls and measures to protect them
QUESTION NO: 706

A company is running an Amazon EC2 instance in a VPC.

An ecommerce company is using Amazon EC2 Auto Scaling groups to manage a fleet of web servers
running on Amazon EC2.

This architecture follows which AWS Well-Architected Framework best practice?

A. Secure the workload

B. Decouple infrastructure components

C. Design for failure

D. Think parallel

Answer: C

Design for failure is one of the best practices of the AWS Well-Architected Framework. It means that
the architecture should be resilient and fault-tolerant, and able to handle failures without impacting
the availability and performance of the applications. By using Amazon EC2 Auto Scaling groups, the
ecommerce company can design for failure by automatically scaling the number of EC2 instances
up or down based on demand or health status. Amazon EC2 Auto Scaling groups can also distribute
the EC2 instances across multiple Availability Zones, which are isolated locations within an AWS
Region that have independent power, cooling, and network connectivity. This way, the company can
ensure that their web servers can handle traffic spikes, recover from failures, and provide a
consistent user experience

QUESTION NO: 707

Which tasks are the responsibility of the customer, according to the AWS shared responsibility model?
(Select TWO.)

A. Patch the Amazon RDS operating system.

B. Upgrade the firmware of the network infrastructure.

C. Manage data encryption.

D. Maintain physical access control in an AWS Region.

E. Grant least privilege access to IAM users.

Answer: C, E

According to the AWS shared responsibility model, the customer is responsible for security in the
cloud, which includes the tasks of managing data encryption and granting least privilege access to
IAM users. Data encryption is the process of transforming data into an unreadable format that can
only be accessed with a key or a password. The customer must decide whether to encrypt their data
at rest (when it is stored on AWS) or in transit (when it is moving between AWS and the customer or
between AWS services). The customer must also choose the encryption method, algorithm, and key
management solution that best suit their needs. AWS provides various services and features that
support data encryption, such as AWS Key Management Service (AWS KMS), AWS Certificate
Manager (ACM), and AWS Encryption SDK5 IAM users are entities that represent the people or
applications that interact with AWS resources and services. The customer must grant the IAM users
the minimum permissions that they need to perform their tasks, and avoid giving them unnecessary
or excessive access. This is known as the principle of least privilege, and it helps reduce the risk of
unauthorized or malicious actions. The customer can use IAM policies, roles, groups, and
permissions boundaries to manage the access of IAM users.

QUESTION NO: 708

A company has created an AWS Cost and Usage Report and wants to visualize the report.

Which AWS service should the company use to ingest and display this information?

A. Amazon QuickSight

B. Amazon Pinpoint

C. Amazon Neptune

D. Amazon Kinesis

Answer: A

Amazon QuickSight is an AWS service that provides business intelligence and data visualization
capabilities. Amazon QuickSight enables you to ingest, analyze, and display data from various
sources, such as AWS Cost and Usage Reports, Amazon S3, Amazon Athena, Amazon Redshift, and
Amazon RDS. You can use Amazon QuickSight to create interactive dashboards and charts that
show insights and trends from your data. You can also share your dashboards and charts with other
users or embed them into your applications.

QUESTION NO: 709

A company is migrating to the AWS Cloud to meet storage needs. The company wants to optimize costs
based on the amount of storage that the company uses.

Which AWS offering or benefit will meet these requirements MOST cost-effectively?

A. Pay-as-you-go pricing

B. Savings Plans

C. AWS Free Tier

D. Volume-based discounts

Answer: D

Volume-based discounts are an AWS offering or benefit that can help the company optimize costs
based on the amount of storage that the company uses. Volume-based discounts are discounts that
AWS provides for some storage services, such as Amazon S3 and Amazon EBS, when the company
stores a large amount of data. The more data the company stores, the lower the price per GB. For
example, Amazon S3 offers six storage classes, each with a different price per GB. The price per GB
decreases as the amount of data stored in each storage class increases

QUESTION NO: 710

A company wants to minimize network latency between its Amazon EC2 instances. The EC2 instances do
not need to be highly available.

Which solution meets these requirements?

A. Use EC2 instances in a single Availability Zone.

B. Use Amazon CloudFront as the database for the EC2 instances.

C. Use EC2 instances in the same edge location and the same Availability Zone.

D. Use EC2 instances in the same edge location and the same AWS Region.

Answer: A

Using EC2 instances in a single Availability Zone is a solution that meets the requirements of
minimizing network latency between the EC2 instances and not needing high availability. An
Availability Zone is a physically isolated location within an AWS Region that has its own power,
cooling, and network connectivity. EC2 instances within the same Availability Zone can
communicate with each other using low-latency private IP addresses. However, EC2 instances in a
single Availability Zone are not highly available, because they are vulnerable to failures or disruptions
that affect the Availability Zone

QUESTION NO: 711

A company seeks cost savings in exchange for a commitment to use a specific amount of an AWS service
or category ofAWS services for 1 year or 3 years.

Which AWS pricing model or offering will meet these requirements?

A. Pay-as-you-go pricing

B. Savings Plans

C. AWS Free Tier

D. Volume discounts

Answer: B

Savings Plans are an AWS pricing model or offering that can meet the requirements of seeking cost
savings in exchange for a commitment to use a specific amount of an AWS service or category of
AWS services for 1 year or 3 years. Savings Plans are flexible plans that offer significant discounts
on AWS compute usage, such as EC2, Lambda, and Fargate. The company can choose from two
types of Savings Plans: Compute Savings Plans and EC2 Instance Savings Plans. Compute Savings
Plans provide the most flexibility and apply to any eligible compute usage, regardless of instance
family, size, region, operating system, or tenancy. EC2 Instance Savings Plans provide more savings
and apply to a specific instance family within a region. The company can select the amount of
compute usage per hour (e.g., $10/hour) that they want to commit to for the duration of the plan (1
year or 3 years). The company will pay the discounted Savings Plan rate for the amount of usage
that matches their commitment, and the regular on-demand rate for any usage beyond that

QUESTION NO: 712

Which company needs to apply security rules to a subnet for Amazon EC2 instances.

Which AWS service or feature provides this functionality?

A. Network ACLs

B. Security groups

C. AWS Certificate Manager (ACM)

D. AWS Config

Answer: A

Network ACLs (network access control lists) are an AWS service or feature that provides the
functionality of applying security rules to a subnet for EC2 instances. A subnet is a logical partition
of an IP network within a VPC (virtual private cloud). A VPC is a logically isolated section of the AWS
Cloud where the company can launch AWS resources in a virtual network that they define. A network
ACL is a virtual firewall that controls the inbound and outbound traffic for one or more subnets. The
company can use network ACLs to allow or deny traffic based on protocol, port, or source and
destination IP address. Network ACLs are stateless, meaning that they do not track the traffic that
flows through them. Therefore, the company must create rules for both inbound and outbound
traffic4

QUESTION NO: 713

A company wants to migrate its high-performance computing (HPC) application to Amazon EC2
instances. The application has multiple components. The application must have fault tolerance and must
have the ability to fail over automatically.
Which AWS infrastructure solution will meet these requirements with the LEAST latency between
components?

A. Multiple AWS Regions

B. Multiple edge locations

C. Multiple Availability Zones

D. Regional edge caches

Answer: C

Using EC2 instances in multiple Availability Zones is an AWS infrastructure solution that meets the
requirements of migrating a high performance computing (HPC) application to AWS with fault
tolerance and failover capabilities, and with the least latency between components. An Availability
Zone is a physically isolated location within an AWS Region that has its own power, cooling, and
network connectivity. EC2 instances within the same Region can communicate with each other
using low-latency private IP addresses. By using EC2 instances in multiple Availability Zones, the
company can achieve fault tolerance and failover for their HPC application, because they can
distribute the workload and data across different locations that are independent of each other. If one
Availability Zone becomes unavailable or impaired, the company can redirect the traffic and data to
another Availability Zone without affecting the performance and availability of the application 5

QUESTION NO: 714

A company is running its application in the AWS Cloud. The company wants to periodically review its
AWS account for cost optimization opportunities.

Which AWS service or tool can the company use to meet these requirements?

A. AWS Cost Explorer

B. AWS Trusted Advisor

C. AWS Pricing Calculator

D. AWS Budgets

Answer: A

AWS Cost Explorer is an AWS service or tool that the company can use to periodically review its
AWS account for cost optimization opportunities. AWS Cost Explorer is a tool that enables the
company to visualize, understand, and manage their AWS costs and usage over time. The company
can use AWS Cost Explorer to access interactive graphs and tables that show the breakdown of their
costs and usage by service, region, account, tag, and more. The company can also use AWS Cost
Explorer to forecast their future costs, identify trends and anomalies, and discover potential savings
by using Reserved Instances or Savings Plans.
QUESTION NO: 715

A developer who has no AWS Cloud experience wants to use AWS technology to build a web application.

Which AWS service should the developer use to start building the application?

A. Amazon SageMaker

B. AWS Lambda

C. Amazon Lightsail

D. Amazon Elastic Container Service (Amazon ECS)

Answer: C

Amazon Lightsail is an easy-to-use cloud platform that offers everything you need to build an
application or website, plus a cost-effective, monthly plan1. It is designed for developers who have
little or no prior cloud experience and want to launch and manage applications on AWS with minimal
complexity2. Amazon SageMaker is a service for building, training, and deploying machine learning
models3. AWS Lambda is a service that lets you run code without provisioning or managing servers 4.
Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service.

QUESTION NO: 716

A company wants to monitor for misconfigured security groups that are allowing unrestricted access to
specific ports.

Which AWS service will meet this requirement?

A. AWS Trusted Advisor

B. Amazon CloudWatch

C. Amazon GuardDuty

D. AWS Health Dashboard

Answer: A

AWS Trusted Advisor is an online tool that provides you real time guidance to help you provision
your resources following AWS best practices, including security and performance. It can help you
monitor for misconfigured security groups that are allowing unrestricted access to specific ports.
Amazon CloudWatch is a service that monitors your AWS resources and the applications you run on
AWS. Amazon GuardDuty is a threat detection service that continuously monitors for malicious
activity and unauthorized behavior. AWS Health Dashboard provides relevant and timely information
to help you manage events in progress, and provides proactive notification to help you plan for
scheduled activities.

QUESTION NO: 717

An IT engineer needs to access AWS services from an on-premises application.

Which credentials or keys does the application need for authentication?

A. AWS account user name and password

B. IAM access key and secret

C. Amazon EC2 key pairs

D. AWS Key Management Service (AWS KMS) keys

Answer: B

IAM access keys are long-term credentials that consist of an access key ID and a secret access key.
You use access keys to sign programmatic requests that you make to AWS. If you need to access
AWS services from an on-premises application, you can use IAM access keys to authenticate your
requests. AWS account user name and password are used to sign in to the AWS Management
Console. Amazon EC2 key pairs are used to connect to your EC2 instances using SSH. AWS Key
Management Service (AWS KMS) keys are used to encrypt and decrypt your data using the AWS
Encryption SDK or the AWS CLI.

QUESTION NO: 718

A company simulates workflows to review and validate that all processes are effective and that staff are
familiar with the processes.

Which design principle of the AWS Well-Architected Framework is the company following with this
practice?

A. Perform operations as code.

B. Refine operation procedures frequently.

C. Make frequent, small, reversible changes.

D. Structure the company to support business outcomes.

Answer: B

Refining operation procedures frequently is one of the design principles of the operational
excellence pillar of the AWS Well-Architected Framework. It means that you should review and
validate your processes regularly to ensure they are effective and that staff are familiar with them.
Performing operations as code, making frequent, small, reversible changes, and structuring the
company to support business outcomes are design principles of other pillars of the AWS Well-
Architected Framework.

QUESTION NO: 719

A company wants to launch its web application in a second AWS Region. The company needs to
determine which services must be regionally configured for this launch.

Which AWS services can be configured at the Region level? (Select TWO.)

A. Amazon EC2

B. Amazon Route 53

C. Amazon CloudFront

D. AWS WAF

E. Amazon DynamoDB

Answer: B, D

Amazon Route 53 and AWS WAF are AWS services that can be configured at the Region level.
Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service
that lets you register domain names, route traffic to resources, and check the health of your
resources. AWS WAF is a web application firewall that helps protect your web applications or APIs
against common web exploits that may affect availability, compromise security, or consume
excessive resources. Amazon EC2, Amazon CloudFront, and Amazon DynamoDB are AWS services
that can be configured at the global level or the Availability Zone level .

QUESTION NO: 720

A company needs to identify who accessed an AWS service and what action was performed for a given
time period.

Which AWS service should the company use to meet this requirement?

A. Amazon CloudWatch

B. AWS CloudTrail

C. AWS Security Hub

D. Amazon Inspector

Answer: B
AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk
auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain
account activity related to actions across your AWS infrastructure. You can use CloudTrail to identify
who accessed an AWS service and what action was performed for a given time period. Amazon
CloudWatch, AWS Security Hub, and Amazon Inspector are AWS services that provide different
types of monitoring and security capabilities.

QUESTION NO: 721

A company is running its application in the AWS Cloud and wants to protect against a DDoS attack. The
company's security team wants near real-time visibility into DDoS attacks.

Which AWS service or traffic filter will meet these requirements with the MOST features for DDoS
protection?

A. AWS Shield Advanced

B. AWS Shield

C. Amazon GuardDuty

D. Network ACLs

Answer: A

AWS Shield Advanced is a managed Distributed Denial of Service (DDoS) protection service that
safeguards applications running on AWS. AWS Shield Advanced provides you with 24x7 access to
the AWS DDoS Response Team (DRT) and protection against DDoS attacks of any size or
duration. AWS Shield Advanced also provides near real-time visibility into attacks, advanced attack
mitigation capabilities, and integration with AWS WAF and AWS Firewall Manager 1. AWS Shield is a
standard service that provides always-on detection and automatic inline mitigations to minimize
application downtime and latency, but it does not offer the same level of features and support as
AWS Shield Advanced2. Amazon GuardDuty is a threat detection service that continuously monitors
for malicious activity and unauthorized behavior, but it does not provide DDoS protection 3. Network
ACLs are stateless filters that can be associated with a subnet to control the traffic to and from the
subnet, but they are not designed to protect against DDoS attacks

QUESTION NO: 722

A company is planning to migrate its application to the AWS Cloud.

Which AWS tool or set of resources should the company use to analyze and asses its readiness for
migration?

A. AWS Cloud Adoption Framework (AWS CAF)

B. AWS Pricing Calculator

C. AWS Well-Architected Framework

D. AWS Budgets

Answer: A

AWS Cloud Adoption Framework (AWS CAF) is a tool that helps organizations understand how cloud
adoption transforms the way they work, and it provides structure to identify and address gaps in
skills and processes. Applying the AWS CAF in your organization results in an actionable plan that
helps you prepare the cloud environment, enable your staff with new skills, and migrate your
applications. AWS Pricing Calculator is a tool that helps you estimate the cost of AWS services for
your use cases and compare the cost of different AWS service configurations. AWS Well-Architected
Framework is a tool that helps you review and improve your cloud-based architectures and better
understand the business impact of your design decisions. AWS Budgets is a tool that helps you plan
your service usage, service costs, and instance reservations, and track how close your plan is to your
budgeted amount.

QUESTION NO: 723

Which task must a user perform by using the AWS account root user credentials?

A. Make changes to AWS production resources.

B. Change AWS Support plans.

C. Access AWS Cost and Usage Reports.

D. Grant auditors’ access to an AWS account for a compliance audit.

Answer: B

Changing AWS Support plans is a task that must be performed by using the AWS account root user
credentials. The root user is the email address that you used to sign up for AWS. It has complete
access to all AWS services and resources in the account. You should use the root user only to
perform a few account and service management tasks, such as changing AWS Support plans,
closing the account, or changing the account name or email address. Making changes to AWS
production resources, accessing AWS Cost and Usage Reports, and granting auditors access to an
AWS account for a compliance audit are tasks that can be performed by using IAM users or roles,
which are entities that you create in AWS to delegate permissions to access AWS services and
resources.

QUESTION NO: 724

A company wants high levels of detection and near-real-time (NRT) mitigation against large and
sophisticated distributed denial of service (DDoS) attacks on applications running on AWS.

Which AWS service should the company use?

A. Amazon GuardDuty

B. Amazon Inspector

C. AWS Shield Advanced

D. Amazon Macie

Answer: C

AWS Shield Advanced is a service that provides high levels of detection and near-real-time (NRT)
mitigation against large and sophisticated distributed denial of service (DDoS) attacks on
applications running on AWS. AWS Shield Advanced also provides you with 24x7 access to the AWS
DDoS Response Team (DRT) and protection against DDoS attacks of any size or duration 1. Amazon
GuardDuty is a service that provides threat detection for your AWS accounts and workloads, but it
does not offer DDoS protection3. Amazon Inspector is a service that helps you improve the security
and compliance of your applications deployed on AWS by automatically assessing them for
vulnerabilities and deviations from best practices. Amazon Macie is a service that uses machine
learning and pattern matching to discover and protect your sensitive data in AWS.

QUESTION NO: 725

A company needs to control inbound and outbound traffic for an Amazon EC2 instance.

Which AWS service or feature can the company associate with the EC2 instance to meet this
requirement?

A. Network ACL

B. Security group

C. AWS WAF

D. VPC route tables

Answer: B

A security group is a virtual firewall that can be associated with an Amazon EC2 instance to control
the inbound and outbound traffic for the instance. You can specify which protocols, ports, and
source or destination IP ranges are allowed or denied by the security group. A network ACL is a
stateless filter that can be associated with a subnet to control the traffic to and from the subnet, but
it is not associated with an EC2 instance4. AWS WAF is a web application firewall that helps protect
your web applications or APIs against common web exploits that may affect availability,
compromise security, or consume excessive resources. VPC route tables are used to determine
where network traffic is directed within a VPC or to an internet gateway, virtual private gateway, NAT
device, VPC peering connection, or VPC endpoint.

QUESTION NO: 726

A company is expecting a short-term spike in internet traffic for its application. During the traffic
increase, the application cannot be interrupted. The company also needs to minimize cost and maximize
flexibility.

A company needs to use a serverless interactive query service to analyze data in Amazon S3. The query
service

must support standard SQL.

Which AWS service will meet these requirements?

A. Amazon Redshift

B. AWS Glue

C. Amazon Athena

D. Amazon Kinesis Data Streams

Answer: C

Amazon Athena is a serverless interactive query service that makes it easy to analyze data in
Amazon S3 using standard SQL. Athena is ideal for quick, ad-hoc querying but it can also handle
complex analysis, including large joins, window functions, and arrays. Athena scales automatically—
executing queries in parallel—so results are fast, even with large datasets and complex queries.
Amazon Redshift is a fully managed, petabyte-scale data warehouse service that can run complex
analytic queries against structured and semi-structured data using standard SQL. However, it is not
a serverless service and requires provisioning and managing clusters of nodes. AWS Glue is a fully
managed extract, transform, and load (ETL) service that makes it easy to prepare and load your data
for analytics. However, it is not a query service and does not support standard SQL. Amazon Kinesis
Data Streams is a service that enables you to build custom applications that process or analyze
streaming data for specialized needs. However, it is not a query service and does not support
standard SQL.

QUESTION NO: 727

A company needs to run a workload for several batch image rendering applications. It is acceptable for
the workload to experience downtime.

Which Amazon EC2 pricing model would be MOST cost-effective in this situation?

A. On-Demand Instances

B. Reserved Instances

C. Dedicated Instances

D. Spot Instances
Answer: D

Amazon EC2 Spot Instances are instances that use spare EC2 capacity that is available at up to a
90% discount compared to On-Demand prices. You can use Spot Instances for various stateless,
fault-tolerant, or flexible applications such as big data, containerized workloads, high-performance
computing (HPC), and test & development workloads. Spot Instances are ideal for workloads that
can be interrupted, such as batch image rendering applications 1. On-Demand Instances are
instances that let you pay for compute capacity by the hour or second (minimum of 60 seconds)
with no long-term commitments. This frees you from the costs and complexities of planning,
purchasing, and maintaining hardware and transforms what are commonly large fixed costs into
much smaller variable costs2. Reserved Instances are instances that provide you with a significant
discount (up to 75%) compared to On-Demand Instance pricing. In exchange, you select a term and
make an upfront payment to reserve a certain amount of compute capacity for that term 3. Dedicated
Instances are instances that run in a VPC on hardware that’s dedicated to a single customer. Your
Dedicated Instances are physically isolated at the host hardware level from instances that belong to
other AWS accounts4.

QUESTION NO: 728

A company has an application that runs periodically in an on-premises environment. The application
runs for a few hours most days, but runs for 8 hours a day for a week at the end of each month.

Which AWS service or feature should be used to host the application in the AWS Cloud?

A. Amazon EC2 Standard Reserved Instances

B. Amazon EC2 On-Demand Instances

C. AWS Wavelength

D. Application Load Balancer

Answer: B

Amazon EC2 On-Demand Instances are instances that let you pay for compute capacity by the hour
or second (minimum of 60 seconds) with no long-term commitments. This frees you from the costs
and complexities of planning, purchasing, and maintaining hardware and transforms what are
commonly large fixed costs into much smaller variable costs. On-Demand Instances are suitable for
applications with short-term, irregular, or unpredictable workloads that cannot be interrupted, such
as periodic applications that run for a few hours most days, but run for 8 hours a day for a week at
the end of each month2. Amazon EC2 Standard Reserved Instances are instances that provide you
with a significant discount (up to 75%) compared to On-Demand Instance pricing. In exchange, you
select a term and make an upfront payment to reserve a certain amount of compute capacity for
that term. Reserved Instances are suitable for applications with steady state or predictable usage
that require reserved capacity3. AWS Wavelength is a service that enables developers to build
applications that deliver ultra-low latency to mobile devices and users by deploying AWS compute
and storage at the edge of the 5G network. Wavelength is suitable for applications that require
single-digit millisecond latencies, such as game and live video streaming, machine learning
inference at the edge, and augmented and virtual reality (AR/VR). Application Load Balancer is a
service that operates at the request level (layer 7) and distributes incoming application traffic across
multiple targets, such as EC2 instances, containers, Lambda functions, and IP addresses.
Application Load Balancer is suitable for applications that need advanced routing capabilities, such
as microservices or container-based architectures.

QUESTION NO: 729

A company is planning to migrate to the AWS Cloud. The company is conducting organizational
transformation and wants to become more responsive to customer inquiries and feedback.

Which tasks should the company perform to meet these requirements, according to the AWS Cloud
Adoption

Framework (AWS CAF)? (Select TWO.)

A. Realign teams to focus on products and value streams.

B. Create new value propositions with new products and services.

C. Use agile methods to rapidly iterate and evolve.

D. Use a new data and analytics platform to create actionable insights.

E. Migrate and modernize legacy infrastructure.

Answer: A, C

Realigning teams to focus on products and value streams, and using agile methods to rapidly
iterate and evolve are tasks that the company should perform to meet the requirements of becoming
more responsive to customer inquiries and feedback, according to the AWS Cloud Adoption
Framework (AWS CAF). AWS CAF organizes guidance into six areas of focus, called perspectives:
business, people, governance, platform, security, and operations. Each perspective is divided into
capabilities, which describe the skills and processes to execute the transition effectively. The people
perspective helps you prepare your organization for cloud adoption, and includes capabilities such
as organizational change management, staff skills and readiness, and organizational alignment. The
business perspective helps you align IT strategy with business strategy, and includes capabilities
such as business case development, value proposition, and product ownership. Creating new value
propositions with new products and services is a task that belongs to the business perspective, but
it is not directly related to the requirement of becoming more responsive to customer inquiries and
feedback. Using a new data and analytics platform to create actionable insights is a task that
belongs to the platform perspective, which helps you design, implement, and optimize the
architecture of the AWS environment. However, it is also not directly related to the requirement of
becoming more responsive to customer inquiries and feedback. Migrating and modernizing legacy
infrastructure is a task that belongs to the operations perspective, which helps you enable, run, use,
operate, and recover IT workloads to the level agreed upon with your business stakeholders.
However, it is also not directly related to the requirement of becoming more responsive to customer
inquiries and feedback.

QUESTION NO: 730

A company is building an application on AWS. The application needs to comply with credit card
regulatory requirements. The company needs proof that the AWS services and deployment are in
compliance.

Which actions should the company take to meet these requirements? (Select TWO.)

A. Use Amazon Inspector to submit the application for certification.

B. Ensure that the application's underlying hardware components comply with requirements.

C. Use AWS Artifact to access AWS documents about the compliance of the services.

D. Get the compliance of the application certified by a company assessor.

E. Use AWS Security Hub to certify the compliance of the application.

Answer: C, D

Using AWS Artifact to access AWS documents about the compliance of the services, and getting
the compliance of the application certified by a company assessor are actions that the company
should take to meet the requirements of complying with credit card regulatory requirements. AWS
Artifact is a service that provides on-demand access to AWS security and compliance reports and
select online agreements. Reports available in AWS Artifact include our Service Organization Control
(SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies
across geographies and compliance verticals that validate the implementation and operating
effectiveness of AWS security controls. AWS Artifact can help you demonstrate compliance with
credit card regulatory requirements by providing you with proof that the AWS services and
deployment are in compliance. Getting the compliance of the application certified by a company
assessor is an action that the company should take to ensure that the application meets the specific
requirements of the credit card industry. A company assessor is an independent third-party entity
that is qualified to assess the compliance of the application with the relevant standards and
regulations. Using Amazon Inspector to submit the application for certification is not an action that
the company should take, because Amazon Inspector is a service that helps you improve the
security and compliance of your applications deployed on AWS by automatically assessing them for
vulnerabilities and deviations from best practices, but it does not provide certification for the
applications. Ensuring that the application’s underlying hardware components comply with
requirements is not an action that the company should take, because the application is deployed on
AWS, and AWS is responsible for the security and compliance of the underlying hardware
components. This is part of the shared responsibility model, where AWS is responsible for security
of the cloud, and customers are responsible for security in the cloud. Using AWS Security Hub to
certify the compliance of the application is not an action that the company should take, because
AWS Security Hub is a service that gives you a comprehensive view of your security posture across
your AWS accounts and helps you check your environment against security industry standards and
best practices, but it does not provide certification for the applications.

QUESTION NO: 731

A company has set up a VPC on AWS. The company needs a dedicated connection between the VPC and
the company’s on-premises network.

Which action should the company take to meet this requirement?

A. Establish a VPN connection between the VPC and the company's on-premises network.

B. Establish an AWS Direct Connect connection between the VPC and the company's on-premises

network.

C. Attach an internet gateway to the VPC. Use the AWS public endpoints for connectivity.

D. Configure Amazon Connect to provide connectivity between the VPC and the company's on-premises

network.

Answer: B

Establishing an AWS Direct Connect connection between the VPC and the company’s on-premises
network is the action that the company should take to meet the requirement of having a dedicated
connection between the VPC and the company’s on-premises network. AWS Direct Connect is a
service that lets you establish a dedicated network connection between your network and one of the
AWS Direct Connect locations. Using AWS Direct Connect, you can create a private connection
between AWS and your datacenter, office, or colocation environment, which can reduce your
network costs, increase bandwidth throughput, and provide a more consistent network experience
than internet-based connections. Establishing a VPN connection between the VPC and the
company’s on-premises network is an action that the company can take to create a secure and
encrypted connection between the VPC and the company’s on-premises network, but it is not a
dedicated connection, as it uses the public internet as the transport mechanism. Attaching an
internet gateway to the VPC and using the AWS public endpoints for connectivity is an action that
the company can take to enable communication between the VPC and the internet, but it is not a
dedicated connection, as it also uses the public internet as the transport mechanism. Configuring
Amazon Connect to provide connectivity between the VPC and the company’s on-premises network
is not an action that the company can take, because Amazon Connect is a service that lets you set
up and manage a contact center in the cloud, but it does not provide network connectivity between
the VPC and the company’s on-premises network.

QUESTION NO: 732

A company has deployed an application in the AWS Cloud. The company wants to ensure that the
application is highly resilient.
Which component of AWS infrastructure can the company use to meet this requirement?

A. Content delivery network (CDN)

B. Edge locations

C. Wavelength Zones

D. Availability Zones

Answer: D

Availability Zones are components of AWS infrastructure that can help the company ensure that the
application is highly resilient. Availability Zones are multiple, isolated locations within each AWS
Region. Each Availability Zone has independent power, cooling, and physical security, and is
connected to the other Availability Zones in the same Region via low-latency, high-throughput, and
highly redundant networking. Availability Zones allow you to operate production applications and
databases that are more highly available, fault tolerant, and scalable than would be possible from a
single data center.

QUESTION NO: 733

Which AWS services are connectivity services for a VPC? (Select TWO.)

A. AWS Site-to-Site VPN

B. AWS Direct Connect

C. Amazon Connect

D. AWS Key Management Service (AWS KMS)

E. AWS Identity and Access Management (IAM)

Answer: A

AWS Site-to-Site VPN and AWS Direct Connect are AWS services that are connectivity services for a
VPC. AWS Site-to-Site VPN is a service that enables you to securely connect your on-premises
network or branch office site to your Amazon Virtual Private Cloud (Amazon VPC). You can establish
VPN connections over the internet or over AWS Direct Connect 1. AWS Direct Connect is a service
that lets you establish a dedicated network connection between your network and one of the AWS
Direct Connect locations. Using AWS Direct Connect, you can create a private connection between
AWS and your datacenter, office, or colocation environment, which can reduce your network costs,
increase bandwidth throughput, and provide a more consistent network experience than internet-
based connections2. Amazon Connect is a service that lets you set up and manage a contact center
in the cloud, but it does not provide network connectivity between the VPC and your on-premises
network. AWS Key Management Service (AWS KMS) is a service that makes it easy for you to create
and manage cryptographic keys and control their use across a wide range of AWS services and in
your applications, but it does not provide network connectivity between the VPC and your on-
premises network. AWS Identity and Access Management (IAM) is a service that enables you to
manage access to AWS services and resources securely, but it does not provide network
connectivity between the VPC and your on-premises network.

QUESTION NO: 734

A company wants a key-value NoSQL database that is fully managed and serverless.

Which AWS service will meet these requirements?

A. Amazon DynamoDB

B. Amazon RDS

C. Amazon Aurora

D. Amazon Memory DB for Redis

Answer: A

Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond
performance at any scale. It is a fully managed, serverless database that does not require
provisioning, patching, or backup. It offers built-in security, backup and restore, and in-memory
caching3. Amazon RDS is a relational database service that makes it easy to set up, operate, and
scale a relational database in the cloud. It provides cost-efficient and resizable capacity while
automating time-consuming administration tasks such as hardware provisioning, database setup,
patching, and backups. However, it is not a key-value NoSQL database, and it is not serverless, as it
requires you to choose an instance type and size4. Amazon Aurora is a MySQL and PostgreSQL-
compatible relational database built for the cloud, that combines the performance and availability of
traditional enterprise databases with the simplicity and cost-effectiveness of open source
databases. However, it is also not a key-value NoSQL database, and it is not serverless, as it requires
you to choose an instance type and size. Amazon MemoryDB for Redis is a Redis-compatible,
durable, in-memory database service that delivers ultra-fast performance and multi-AZ reliability for
the most demanding applications. However, it is also not a key-value NoSQL database, and it is not
serverless, as it requires you to choose a node type and size.

QUESTION NO: 735

A company needs to set a maximum spending limit on AWS services each month. The company also
needs to set up alerts for when the company reaches its spending limit.

Which AWS service or tool should the company use to meet these requirements?

A. Cost Explorer

B. AWS Trusted Advisor

C. Service Quotas

D. AWS Budgets

Answer: D

AWS Budgets is a service that helps you plan your service usage, service costs, and instance
reservations, and track how close your plan is to your budgeted amount. You can set custom
budgets that alert you when you exceed (or are forecasted to exceed) your budgeted thresholds. You
can also use AWS Budgets to set a maximum spending limit on AWS services each month and set
up alerts for when you reach your spending limit. Cost Explorer is a service that enables you to
visualize, understand, and manage your AWS costs and usage over time. You can use Cost Explorer
to view charts and graphs that show how your costs are trending, identify areas that need further
inquiry, and see the impact of your cost management actions. However, Cost Explorer does not
allow you to set a maximum spending limit or alerts for your AWS services. AWS Trusted Advisor is
a service that provides you real time guidance to help you provision your resources following AWS
best practices, including security and performance. It can help you monitor for cost optimization
opportunities, such as unused or underutilized resources, but it does not allow you to set a
maximum spending limit or alerts for your AWS services. Service Quotas is a service that enables
you to view and manage your quotas, also referred to as limits, from a central location. Quotas, also
referred to as limits, are the maximum number of resources that you can create in your AWS
account. However, Service Quotas does not allow you to set a maximum spending limit or alerts for
your AWS services.

QUESTION NO: 736

A software engineer wants to launch a virtual machine (VM) and MySQL database on AWS.

Which AWS service will meet these requirements with the LEAST operational effort?

A. Amazon Elastic Container Service (Amazon ECS)

B. AWS Elastic Beanstalk

C. Amazon Lightsail

D. Amazon EC2

Answer: B

AWS Elastic Beanstalk is a service that enables you to quickly deploy and manage applications in
the AWS Cloud without worrying about the infrastructure that runs those applications. You simply
upload your application, and Elastic Beanstalk automatically handles the details of capacity
provisioning, load balancing, scaling, and application health monitoring. Elastic Beanstalk supports
several platform configurations for Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker web
applications that can run on familiar servers such as Apache, Nginx, Passenger, and IIS. You can
also use Elastic Beanstalk to launch a virtual machine (VM) and MySQL database on AWS with the
least operational effort. Amazon Elastic Container Service (Amazon ECS) is a fully managed
container orchestration service that enables you to easily run, scale, and secure Docker
containerized applications on AWS. However, it requires more operational effort than Elastic
Beanstalk, as you need to define your application architecture and the specifications of the
containers that run it. Amazon Lightsail is an easy-to-use cloud platform that offers everything you
need to build an application or website, plus a cost-effective, monthly plan. It is designed for
developers who have little or no prior cloud experience and want to launch and manage applications
on AWS with minimal complexity. However, it does not support MySQL databases, and it requires
more operational effort than Elastic Beanstalk, as you need to configure your VM and database
settings. Amazon EC2 is a web service that provides secure, resizable compute capacity in the
cloud. It allows you to launch a virtual machine (VM) and MySQL database on AWS, but it requires
the most operational effort, as you need to provision, monitor, and manage your EC2 instances and
database.

QUESTION NO: 737

A company runs business applications in an on-premises data center and in the AWS Cloud. The
company needs a shared file system that can be available to both environments.

Which AWS service meets these requirements?

A. Amazon Elastic Block Store (Amazon EBS)

B. Amazon S3

C. Amazon ElastiCache

D. Amazon Elastic File System (Amazon EFS)

Answer: D

Amazon Elastic File System (Amazon EFS) is a service that provides a simple, scalable, fully
managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is
built to scale on demand to petabytes without disrupting applications, growing and shrinking
automatically as you add and remove files, eliminating the need to provision and manage capacity to
accommodate growth. You can use Amazon EFS to create a shared file system that can be available
to both your on-premises data center and your AWS Cloud environment. Amazon Elastic Block Store
(Amazon EBS) is a service that provides persistent block storage volumes for use with Amazon EC2
instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its
Availability Zone to protect you from component failure, offering high availability and durability.
However, Amazon EBS volumes are not shared file systems, and they cannot be available to both
your on-premises data center and your AWS Cloud environment. Amazon S3 is a service that
provides object storage through a web services interface. You can use Amazon S3 to store and
protect any amount of data for a range of use cases, such as data lakes, websites, mobile
applications, backup and restore, archive, enterprise applications, IoT devices, and big data
analytics. However, Amazon S3 is not a shared file system, and it cannot be available to both your
on-premises data center and your AWS Cloud environment without additional configuration. Amazon
ElastiCache is a service that enables you to seamlessly set up, run, and scale popular open-source
compatible in-memory data stores in the cloud. You can use Amazon ElastiCache to improve the
performance of your applications by allowing you to retrieve information from fast, managed, in-
memory data stores, instead of relying entirely on slower disk-based databases. However, Amazon
ElastiCache is not a shared file system, and it cannot be available to both your on-premises data
center and your AWS Cloud environment.

QUESTION NO: 738

Which option is AWS responsible for under the AWS shared responsibility model?

A. Network and firewall configuration

B. Client-side data encryption

C. Management of user permissions

D. Hardware and infrastructure

Answer: D

Hardware and infrastructure is the option that AWS is responsible for under the AWS shared
responsibility model. The AWS shared responsibility model describes how AWS and customers
share responsibilities for security and compliance in the cloud. AWS is responsible for security of
the cloud, which means protecting the infrastructure that runs all the services offered in the AWS
Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run
AWS Cloud services. Customers are responsible for security in the cloud, which means taking care
of the security of their own applications, data, and operating systems. This includes network and
firewall configuration, client-side data encryption, management of user permissions, and more.

QUESTION NO: 739

A company needs to run some of its workloads on premises to comply with regulatory guidelines. The
company wants to use the AWS Cloud to run workloads that are not required to be on premises. The
company also wants to be able to use the same API calls for the on-premises workloads and the cloud
workloads.

Which AWS service or feature should the company use to meet these requirements?

A. Dedicated Hosts

B. AWS Outposts

C. Availability Zones

D. AWS Wavelength
Answer: B

AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and
tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent
hybrid experience1. AWS Outposts enables customers to run workloads on premises using the same
AWS APIs, tools, and services that they use in the cloud 2. Dedicated Hosts are physical servers with
EC2 instance capacity fully dedicated to a customer’s use 3. Availability Zones are one or more
discrete data centers, each with redundant power, networking, and connectivity, housed in separate
facilities within an AWS Region4. AWS Wavelength is an AWS Infrastructure offering optimized for
mobile edge computing applications.

QUESTION NO: 740

A company wants to set up a high-speed connection between its data center and its applications that
run on AWS. The company must not transfer data over the internet.

Which action should the company take to meet these requirements?

A. Transfer data to AWS by using AWS Snowball.

B. Transfer data to AWS by using AWS Storage Gateway.

C. Set up a VPN connection between the data center and an AWS Region.

D. Set up an AWS Direct Connect connection between the company network and AWS.

Answer: D

AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network
connection from a customer’s premises to AWS. AWS Direct Connect does not involve the public
internet, and therefore can reduce network costs, increase bandwidth throughput, and provide a
more consistent network experience than internet-based connections. AWS Snowball is a petabyte-
scale data transport service that uses secure devices to transfer large amounts of data into and out
of the AWS Cloud. AWS Storage Gateway is a hybrid cloud storage service that gives customers on-
premises access to virtually unlimited cloud storage. A VPN connection enables customers to
establish a secure and private connection between their network and AWS.

QUESTION NO: 741

A company is using a central data platform to manage multiple types of data for its customers. The
company wants to use AWS services to discover, transform, and visualize the data.

Which combination of AWS services should the company use to meet these requirements? (Select
TWO.)

A. AWS Glue

B. Amazon Elastic File System (Amazon EFS)

C. Amazon Redshift

D. Amazon QuickSight

E. Amazon Quantum Ledger Database (Amazon QLDB)

Answer: A, C

AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare
and load data for analytics. AWS Glue can discover data sources, transform data, and make it
available for analysis by using data catalogs and workflows. Amazon Redshift is a fully managed,
petabyte-scale data warehouse service in the cloud that enables customers to analyze data using
standard SQL and existing business intelligence tools. Amazon Redshift can also integrate with
other AWS services to visualize and transform data. Amazon Elastic File System (Amazon EFS)
provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services
and on-premises resources. Amazon QuickSight is a fast, cloud-powered business intelligence
service that makes it easy to deliver insights to everyone in an organization. Amazon Quantum
Ledger Database (Amazon QLDB) is a fully managed ledger database that provides a transparent,
immutable, and cryptographically verifiable transaction log owned by a central trusted authority.

QUESTION NO: 742

A company deployed an Amazon EC2 instance last week. A developer realizes that the EC2 instance is no
longer running. The developer reviews a list of provisioned EC2 instances, and the EC2 instance is no
longer on the list.

What can the developer do to generate a recent history of the EC2 instance?

A. Run Cost Explorer to identify the start time and end time of the EC2 instance.

B. Use Amazon Inspector to find out when the EC2 instance was stopped.

C. Perform a search in AWS CloudTrail to find all EC2 instance-related events.

D. Use AWS Secrets Manager to display hidden termination logs of the EC2 instance.

Answer: C

AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk
auditing of a customer’s AWS account. AWS CloudTrail allows customers to track user activity and
API usage across their AWS infrastructure. AWS CloudTrail can also provide a history of EC2
instance events, such as launch, stop, terminate, and reboot. Cost Explorer is a tool that enables
customers to visualize, understand, and manage their AWS costs and usage over time. Amazon
Inspector is an automated security assessment service that helps improve the security and
compliance of applications deployed on AWS. AWS Secrets Manager helps customers protect
secrets needed to access their applications, services, and IT resources.

QUESTION NO: 743

A company has all of its servers in the us-east-1 Region. The company is considering the deployment of
additional servers different Region.

Which AWS tool should the company use to find pricing information for other Regions?

A. Cost Explorer

B. AWS Budgets

C. AWS Purchase Order Management

D. AWS Pricing Calculator

Answer: D

AWS Pricing Calculator lets customers explore AWS services, and create an estimate for the cost of
their use cases on AWS. AWS Pricing Calculator can also compare the costs of different AWS
Regions and configurations. Cost Explorer is a tool that enables customers to visualize, understand,
and manage their AWS costs and usage over time. AWS Budgets gives customers the ability to set
custom budgets that alert them when their costs or usage exceed (or are forecasted to exceed) their
budgeted amount. AWS Purchase Order Management is a feature that allows customers to pay for
their AWS invoices using purchase orders.

QUESTION NO: 744

A company is moving to the AWS Cloud to reduce operational overhead for its application
infrastructure.

Which IT operation will the company still be responsible for after the migration to AWS?

A. Security patching of AWS Elastic Beanstalk

B. Backups of data that is stored in Amazon Aurora

C. Termination of Amazon EC2 instances that are managed by AWS Auto Scaling

D. Configuration of IAM access controls

Answer: D

AWS Elastic Beanstalk, Amazon Aurora, and AWS Auto Scaling are managed services that reduce
the operational overhead for the customers. AWS is responsible for security patching, backups, and
termination of these services. However, the customers are still responsible for configuring IAM
access controls to manage the permissions and policies for their AWS resources. This is part of the
AWS shared responsibility model, which defines the security and compliance responsibilities of AWS
and the customers. You can learn more about the AWS shared responsibility model from this
whitepaper or this digital course.
QUESTION NO: 745

Which AWS service provides storage that can be mounted across multiple Amazon EC2 instances?

A. Amazon Workspaces

B. Amazon Elastic File System (Amazon EFS)

C. AWS Database Migration Service (AWS DMS)

D. AWS Snowball Edge

Answer: B

Amazon EFS is a fully managed service that provides scalable and elastic file storage for multiple
Amazon EC2 instances. Amazon EFS supports the Network File System (NFS) protocol, which
allows multiple EC2 instances to access the same file system concurrently. You can learn more
about Amazon EFS from this webpage or this digital course.

QUESTION NO: 746

Which AWS services or features can a company use to connect the network of its on-premises data
center to AWS? (Select TWO.)

A. AWS VPN

B. AWS Directory Service

C. AWS Data Pipeline

D. AWS Direct Connect

E. AWS CloudHSM

Answer: A, D

AWS VPN and AWS Direct Connect are two services that enable customers to connect their on-
premises data center network to the AWS Cloud. AWS VPN establishes a secure and encrypted
connection over the public internet, while AWS Direct Connect establishes a dedicated and private
connection through a partner network. You can learn more about AWS VPN from [this webpage] or
[this digital course]. You can learn more about AWS Direct Connect from [this webpage] or [this
digital course].

QUESTION NO: 747

Which pillar of the AWS Well-Architected Framework includes the AWS shared responsibility model?

A. Operational excellence
B. Performance efficiency

C. Reliability

D. Security

Answer: D

The AWS Well-Architected Framework is a set of best practices and guidelines for designing and
operating reliable, secure, efficient, and cost-effective systems in the cloud. The framework consists
of five pillars: operational excellence, performance efficiency, reliability, security, and cost
optimization. The security pillar covers the AWS shared responsibility model, which defines the
security and compliance responsibilities of AWS and the customers. You can learn more about the
AWS Well-Architected Framework from [this whitepaper] or [this digital course].

QUESTION NO: 748

AWS has the ability to achieve lower pay-as-you-go pricing by aggregating usage across hundreds of
thousands of users.

This describes which advantage of the AWS Cloud?

A. Launch globally in minutes

B. Increase speed and agility

C. High economies of scale

D. No guessing about compute capacity

Answer: C

AWS has the ability to achieve lower pay-as-you-go pricing by aggregating usage across hundreds
of thousands of users. This means that AWS can leverage its massive scale and purchasing power
to reduce the costs of infrastructure, hardware, software, and operations. These savings are then
passed on to the customers, who only pay for the resources they use. You can learn more about the
AWS pricing model from [this webpage] or [this digital course].

QUESTION NO: 749

A company wants to use guidelines from the AWS Well-Architected Framework to limit human error and
facilitate consistent responses to events.

Which of the following is a Well-Architected design principle that will meet these requirements?
A. Use AWS CodeDeploy.

B. Perform operations as code.

C. Migrate workloads to a Dedicated Host.

D. Use AWS Compute Optimizer.

Answer: B

This is a design principle of the operational excellence pillar of the AWS Well-Architected
Framework. Performing operations as code means using scripts, templates, or automation tools to
perform routine tasks, such as provisioning, configuration, deployment, and monitoring. This
reduces human error, increases consistency, and enables faster recovery from failures. You can
learn more about the operational excellence pillar from this whitepaper or this digital course.

QUESTION NO: 750

Which of the following is a benefit of using an AWS managed service?

A. Reduced operational overhead for a company's IT staff

B. Increased fixed costs that can be predicted by a finance team

C. Removal of the need to have a backup strategy

D. Removal of the need to follow compliance standards

Answer: A

This is a benefit of using an AWS managed service, such as Amazon S3, Amazon DynamoDB, or
AWS Lambda. AWS managed services are fully managed by AWS, which means that AWS handles
the provisioning, scaling, patching, backup, and recovery of the underlying infrastructure and
software. This reduces the operational overhead for the company’s IT staff, who can focus on their
core business logic and innovation. You can learn more about the AWS managed services from this
webpage or this digital course.

QUESTION NO: 751

A company encourages its teams to test failure scenarios regularly and to validate their understanding
of the impact of potential failures.

Which pillar of the AWS Well-Architected Framework does this philosophy represent?

A. Operational excellence

B. Cost optimization

C. Performance efficiency
D. Security

Answer: A

This is the pillar of the AWS Well-Architected Framework that represents the philosophy of testing
failure scenarios regularly and validating the understanding of the impact of potential failures. The
operational excellence pillar covers the best practices for designing, running, monitoring, and
improving systems in the AWS Cloud. Testing failure scenarios is one of the ways to improve the
system’s resilience, reliability, and recovery. You can learn more about the operational excellence
pillar from this whitepaper or this digital course.

QUESTION NO: 752

Which of the following are general AWS Cloud design principles described in the AWS Well-Architected
Framework?

A. Consolidate key components into monolithic architectures.

B. Test systems at production scale.

C. Provision more capacity than a workload is expected to need.

D. Drive architecture design based on data collected about the workload behavior and requirements.

E. Make AWS Cloud architectural decisions static, one-time events.

Answer: B, D

These are two of the general AWS Cloud design principles described in the AWS Well-Architected
Framework. Testing systems at production scale means using tools such as AWS CloudFormation,
AWS CodeDeploy, and AWS X-Ray to simulate real-world scenarios and measure the performance,
scalability, and availability of the system. Driving architecture design based on data means using
tools such as Amazon CloudWatch, AWS CloudTrail, and AWS Config to collect and analyze metrics,
logs, and events about the system and use the insights to optimize the system’s design and
operation. You can learn more about the AWS Well-Architected Framework from this whitepaper or
[this digital course].

QUESTION NO: 753

Which scenarios represent the concept of elasticity on AWS? (Select TWO.)

A. Scaling the number of Amazon EC2 instances based on traffic

B. Resizing Amazon RDS instances as business needs change

C. Automatically directing traffic to less-utilized Amazon EC2 instances

D. Using AWS compliance documents to accelerate the compliance process

E. Having the ability to create and govern environments using code

Answer: A, B

These are two scenarios that represent the concept of elasticity on AWS. Elasticity means the ability
to adjust the resources and capacity of the system in response to changes in demand or
environment. Scaling the number of Amazon EC2 instances based on traffic means using services
such as AWS Auto Scaling or Elastic Load Balancing to add or remove instances as the traffic
increases or decreases. Resizing Amazon RDS instances as business needs change means using
the Amazon RDS console or API to modify the instance type, storage type, or storage size of the
database as the workload grows or shrinks. You can learn more about the concept of elasticity on
AWS from [this webpage] or [this digital course].

QUESTION NO: 754

An ecommerce company wants to distribute traffic between the Amazon EC2 instances that host its
website.

Which AWS service or resource will meet these requirements?

A. Application Load Balancer

B. AWS WAF

C. AWS CloudHSM

D. AWS Direct Connect

Answer: A

This is the AWS service or resource that will meet the requirements of distributing traffic between
the Amazon EC2 instances that host the website. Application Load Balancer is a type of Elastic Load
Balancing that distributes incoming application traffic across multiple targets, such as Amazon EC2
instances, containers, IP addresses, and Lambda functions. Application Load Balancer operates at
the application layer (layer 7) of the OSI model and supports advanced features such as path-based
routing, host-based routing, health checks, and SSL termination. You can learn more about
Application Load Balancer from [this webpage] or [this digital course].

QUESTION NO: 755

Which AWS service will allow a user to set custom cost and usage limits, and will alert when the
thresholds are exceeded?

A. AWS Organizations

B. AWS Budgets

C. Cost Explorer
D. AWS Trusted Advisor

Answer: B

AWS Budgets allows you to set custom budgets that alert you when your costs or usage exceed (or
are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation
utilization or coverage targets and receive alerts when your utilization drops below the threshold you
define. AWS Budgets provides you with a comprehensive view of your cost and usage, as well as
your reservation utilization and coverage1.

QUESTION NO: 756

Which AWS service or feature can the company use to limit the access to AWS services for member
accounts?

A. AWS Identity and Access Management (IAM)

B. Service control policies (SCPs)

C. Organizational units (OUs)

D. Access control lists (ACLs)

Answer: B

Service control policies (SCPs) are a type of organization policy that you can use to manage
permissions in your organization. SCPs offer central control over the maximum available
permissions for all accounts in your organization, allowing you to ensure your accounts stay within
your organization’s access control guidelines 2. SCPs are available only in an organization that has all
features enabled2.

QUESTION NO: 757

A company must archive Amazon S3 data that the company's business units no longer need to access.

Which S3 storage class will meet this requirement MOST cost-effectively?

A. S3 Glacier Instant Retrieval

B. S3 Glacier Flexible Retrieval

C. S3 Glacier Deep Archive

D. S3 One Zone-Infrequent Access (S3 One Zone-IA)

Answer: C

S3 Glacier Deep Archive is Amazon S3’s lowest-cost storage class and supports long-term retention
and digital preservation for data that may be accessed once or twice in a year. It is designed for
customers — particularly those in highly-regulated industries, such as the Financial Services,
Healthcare, and Public Sectors — that retain data sets for 7-10 years or longer to meet regulatory
compliance requirements. Customers can store large amounts of data at a very low cost, and
reliably access it with a wait time of 12 hours 3.

QUESTION NO: 758

A company wants to build a new web application by using AWS services. The application must meet the
on-demand load for periods of heavy activity.

Which AWS services or resources provide the necessary workload adjustments to meet these
requirements? (Select TWO.)

A. Amazon Machine Image (AMI)

B. Amazon EC2 Auto Scaling

C. Amazon EC2 instance

D. AWS Lambda

E. EC2 Image Builder

Answer: B, D

Amazon EC2 Auto Scaling helps you ensure that you have the correct number of Amazon EC2
instances available to handle the load for your application. You create collections of EC2 instances,
called Auto Scaling groups. You can specify the minimum number of instances in each Auto Scaling
group, and Amazon EC2 Auto Scaling ensures that your group never goes below this size. You can
specify the maximum number of instances in each Auto Scaling group, and Amazon EC2 Auto
Scaling ensures that your group never goes above this size4. AWS Lambda lets you run code without
provisioning or managing servers. You pay only for the compute time you consume. With Lambda,
you can run code for virtually any type of application or backend service - all with zero
administration. Just upload your code and Lambda takes care of everything required to run and
scale your code with high availability. You can set up your code to automatically trigger from other
AWS services or call it directly from any web or mobile app.

QUESTION NO: 759

Which AWS service or feature is an example of a relational database management system?

A. Amazon Athena

B. Amazon Redshift

C. Amazon S3 Select

D. Amazon Kinesis Data Streams

Answer: B

Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can
start with just a few hundred gigabytes of data and scale to a petabyte or more. This enables you to
use your data to acquire new insights for your business and customers. Amazon Redshift is a
relational database management system (RDBMS), so it is compatible with other RDBMS
applications. You can use standard SQL to query the data.

QUESTION NO: 760

A company needs to apply security rules to specific Amazon EC2 instances.

Which AWS service or feature provides this functionality?

A. AWS Shield

B. Network ACLs

C. Security groups

D. AWS Firewall Manager

Answer: C

Security groups act as a firewall for associated Amazon EC2 instances, controlling both inbound
and outbound traffic at the instance level. You can use security groups to set rules that allow or deny
traffic to or from your instances. You can modify the rules for a security group at any time; the new
rules are automatically applied to all instances that are associated with the security group.

QUESTION NO: 761

Which AWS service is deployed to VPCs and provides protection from common network threats?

A. AWSShield

B. AWSWAF

C. AWS Network Firewall

D. AWS FirewallManager

Answer: C

AWS Network Firewall is a managed service that makes it easy to deploy essential network
protections for all of your Amazon Virtual Private Clouds (VPCs). The service can be set up with just
a few clicks from the AWS console or using APIs. AWS Network Firewall automatically scales with
your network traffic, so you don’t have to worry about deploying and managing any
infrastructure. AWS Network Firewall provides protection from common network threats such as
SQL injection, cross-site scripting, and DDoS attacks1.
QUESTION NO: 762

Which option is a perspective that includes foundational capabilities of the AWS Cloud Adoption
Framework (AWS CAF)?

A. Sustainability

B. Security

C. Performance efficiency

D. Reliability

Answer: B

The AWS Cloud Adoption Framework (AWS CAF) helps organizations understand how cloud
adoption transforms the way they work, and it provides structure to identify and address gaps in
skills and processes. The AWS CAF organizes guidance into six areas of focus, called perspectives.
Each perspective reflects a different stakeholder viewpoint with its own distinct responsibilities,
skills, and attributes. The Security Perspective helps you structure the selection and implementation
of security controls that meet your organization’s needs 2.

QUESTION NO: 763

A company needs to store data from a recommendation engine in a database.

Which AWS service provides this functionality with the LEAST operational overhead?

A. Amazon RDS for PostgreSQL

B. Amazon DynamoDB

C. Amazon Neptune

D. Amazon Aurora

Answer: B

Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond
performance at any scale. It’s a fully managed, multi-region, multi-active, durable database with built-
in security, backup and restore, and in-memory caching for internet-scale applications. DynamoDB
can handle more than 10 trillion requests per day and can support peaks of more than 20 million
requests per second. DynamoDB provides the least operational overhead for storing data from a
recommendation engine, as it does not require any server provisioning, patching, or maintenance 3

QUESTION NO: 764

Which AWS Support plan is the minimum recommended tier for users who have production workloads
on AWS?
A. AWS Developer Support

B. AWS Enterprise Support

C. AWS Business Support

D. AWS Enterprise On-Ramp Support

Answer: C

AWS Business Support is the minimum recommended tier for users who have production workloads
on AWS. AWS Business Support provides 24x7 access to cloud support engineers via phone, chat, or
email, as well as a guaranteed response time of less than one hour for urgent issues. AWS Business
Support also includes access to AWS Trusted Advisor, a tool that provides real-time guidance to
help you provision your resources following AWS best practices 4.

QUESTION NO: 765

Which AWS service is an in-memory data store service?

A. Amazon Aurora

B. Amazon RDS

C. Amazon DynamoDB

D. Amazon ElastiCache

Answer: D

Amazon ElastiCache is a fully managed in-memory data store and cache service that delivers sub-
millisecond response times to applications. You can use ElastiCache as a primary data store for
your applications, or as a cache to improve the performance of your existing databases. ElastiCache
supports two popular open-source in-memory engines: Redis and Memcached5.

QUESTION NO: 766

A company runs a MySQL database in its on-premises data center. The company wants to run a copy of
this database in the AWS

Cloud.

Which AWS service would support this workload?

A. Amazon RDS

B. Amazon Neptune

C. Amazon ElastiCache for Redis

D. Amazon Quantum Ledger Database (Amazon QLDB)

Answer: A

Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up,
operate, and scale a relational database in the cloud. It provides cost-efficient and resizable
capacity, while automating time-consuming administration tasks such as hardware provisioning,
database setup, patching, and backups. Amazon RDS supports six popular database engines:
Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. Amazon RDS can
support running a copy of a MySQL database in the AWS Cloud, as it offers compatibility, scalability,
and availability features.

QUESTION NO: 767

A company uses AWS Organizations. The company wants to apply security best practices from the AWS
Well-Architected Framework to all of its AWS accounts.

Which AWS service will meet these requirements?

A. Amazon Macie

B. Amazon Detective

C. AWS Control Tower

D. AWS Secrets Manager

Answer: C

AWS Control Tower is the easiest way to set up and govern a secure, multi-account AWS
environment based on best practices established through AWS’s experience working with thousands
of enterprises as they move to the cloud. With AWS Control Tower, builders can provision new AWS
accounts in a few clicks, while you have peace of mind knowing your accounts conform to your
organization’s policies. AWS Control Tower automates the setup of a baseline environment, or
landing zone, that is a secure, well-architected multi-account AWS environment1. AWS Control Tower
helps you apply security best practices from the AWS Well-Architected Framework to all of your AWS
accounts2.

QUESTION NO: 768

A company uses AWS for its web application. The company wants to minimize latency and perform
compute operations for the application as close to end users as possible.

Which AWS service or infrastructure component will provide this functionality?

A. AWS Regions

B. Availability Zones
C. Edge locations

D. AWS Direct Connect

Answer: C

Edge locations are sites that Amazon CloudFront uses to cache copies of your content for faster
delivery to users at any location. You can use Amazon CloudFront to deliver your entire website,
including dynamic, static, streaming, and interactive content using a global network of edge
locations. Requests for your content are automatically routed to the nearest edge location, so
content is delivered with the best possible performance 3. Edge locations can also host AWS Lambda
functions to perform compute operations for your web application as close to end users as
possible4.

QUESTION NO: 769

A company wants to ensure that all of its Amazon EC2 instances have compliant operating system
patches.

Which AWS service will meet these requirements?

A. AWS Compute Optimizer

B. AWS Elastic Beanstalk

C. AWS AppSync

D. AWS Systems Manager

Answer: D

AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems
Manager provides a unified user interface so you can view operational data from multiple AWS
services and allows you to automate operational tasks across your AWS resources. You can use
Systems Manager to apply OS patches, create system images, configure Windows and Linux
operating systems, and execute PowerShell commands 5. Systems Manager can help you ensure
that all of your Amazon EC2 instances have compliant operating system patches by using the Patch
Manager feature.

QUESTION NO: 770

Which task must a user perform by using the AWS account root user credentials?

A. Make changes to AWS production resources.

B. Change AWS Support plans.

C. Access AWS Cost and Usage Reports.

D. Grant auditors’ access to an AWS account for a compliance audit.

Answer: B

The AWS account root user is the email address that you used to sign up for AWS. The root user has
complete access to all AWS services and resources in the account. You should use the root user
only to perform a few account and service management tasks. One of these tasks is changing AWS
Support plans, which requires root user credentials. For other tasks, you should create an IAM user
or role with the appropriate permissions and use that instead of the root user.

QUESTION NO: 771

A company wants to integrate natural language processing (NLP) into business intelligence (Bl)
dashboards. The company wants to ask questions and receive answers with relevant visualizations.

Which AWS service or tool will meet these requirements?

A. Amazon Macie

B. Amazon Rekognition

C. Amazon QuickSight Q

D. Amazon Lex

Answer: C

Amazon QuickSight Q is a natural language query feature that lets you ask questions about your
data using everyday language and get answers in seconds. You can type questions such as “What
are the total sales by region?” or “How did marketing campaign A perform?” and get answers in the
form of relevant visualizations, such as charts or tables. You can also use Q to drill down into details,
filter data, or perform calculations. Q uses machine learning to understand your data and your intent,
and provides suggestions and feedback to help you refine your questions.

QUESTION NO: 772

Which of the following is a pillar of the AWS Well-Architected Framework?

A. Redundancy

B. Operational excellence

C. Availability

D. Multi-Region

Answer: B
The AWS Well-Architected Framework helps cloud architects build secure, high-performing, resilient,
and efficient infrastructure for their applications and workloads. Based on five pillars — operational
excellence, security, reliability, performance efficiency, and cost optimization — the Framework
provides a consistent approach for customers and partners to evaluate architectures, and
implement designs that can scale over time. Operational excellence is one of the pillars of the
Framework, and it focuses on running and monitoring systems to deliver business value, and
continually improving processes and procedures.

QUESTION NO: 773

A company wants to integrate natural language processing (NLP) into business intelligence (Bl)
dashboards. The company wants to ask questions and

receive answers with relevant visualizations.

Which AWS service or tool will meet these requirements?

A. Amazon Macie

B. Amazon Rekognition

C. Amazon QuickSight Q

D. Amazon Lex

Answer: C

Amazon QuickSight Q is a natural language query feature that allows users to ask questions about
their data and receive answers in the form of relevant visualizations 1. Amazon Macie is a data
security and data privacy service that uses machine learning and pattern matching to discover and
protect sensitive data in AWS2. Amazon Rekognition is a computer vision service that can analyze
images and videos for faces, objects, scenes, text, and more 3. Amazon Lex is a service for building
conversational interfaces using voice and text4.

QUESTION NO: 774

Which option is an AWS Cloud Adoption Framework (AWS CAF) foundational capability for the
operations perspective?

A. Performance and capacity management

B. Application portfolio management

C. Identity and access management

D. Product management

Answer: C
Identity and access management is one of the foundational capabilities for the operations
perspective of the AWS Cloud Adoption Framework (AWS CAF). It involves managing the identities,
roles, permissions, and credentials of users and systems that interact with AWS resources.
Performance and capacity management is a capability for the platform perspective. Application
portfolio management is a capability for the business perspective. Product management is a
capability for the governance perspective.

QUESTION NO: 775

A company needs to implement identity management for a fleet of mobile apps that are running in the
AWS Cloud.

Which AWS service will meet this requirement?

A. Amazon Cognito

B. AWS Security Hub

C. AWS Shield

D. AWS WAF

Answer: A

Amazon Cognito is a service that provides identity management for mobile and web applications,
allowing users to sign up, sign in, and access AWS resources with different identity providers. AWS
Security Hub is a service that provides a comprehensive view of the security posture of AWS
accounts and resources. AWS Shield is a service that provides protection against distributed denial
of service (DDoS) attacks. AWS WAF is a web application firewall that helps protect web
applications from common web exploits.

QUESTION NO: 776

Which AWS service or feature offers security for a VPC by acting as a firewall to control traffic in and out
of subnets?

A. AWS Security Hub

B. Security groups

C. Network ACL

D. AWSWAF

Answer: C

A network access control list (network ACL) is a feature that acts as a firewall for controlling traffic
in and out of one or more subnets in a virtual private cloud (VPC). AWS Security Hub is a service that
provides a comprehensive view of the security posture of AWS accounts and resources. Security
groups are features that act as firewalls for controlling traffic at the instance level. AWS WAF is a
web application firewall that helps protect web applications from common web exploits.

QUESTION NO: 777

An ecommerce company wants to provide relevant product recommendations to its customers. The
recommendations will include products that are frequently purchased with other products that the
customer already purchased. The recommendations also will include

products of a specific color and products from the customer’s favorite brand.

Which AWS service or feature should the company use to meet these requirements with the LEAST
development effort?

A. Amazon Comprehend

B. Amazon Forecast

C. Amazon Personalize

D. Amazon SageMaker Studio

Answer: C

Amazon Personalize is a service that provides real-time personalized recommendations based on

the user’s behavior, preferences, and context. It can also incorporate metadata such as product
color and brand to generate more relevant recommendations. Amazon Comprehend is a natural
language processing (NLP) service that can analyze text for entities, sentiments, topics, and more.
Amazon Forecast is a service that provides accurate time-series forecasting based on machine
learning. Amazon SageMaker Studio is a web-based integrated development environment (IDE) for
machine learning.

QUESTION NO: 778

Which AWS service or storage class provides low-cost, long-term data storage?

A. Amazon S3 Glacier Deep Archive

B. AWS Snowball

C. Amazon MQ

D. AWS Storage Gateway

Answer: A

Amazon S3 Glacier Deep Archive is a storage class within Amazon S3 that provides the lowest-cost,
long-term data storage for data that is rarely accessed. AWS Snowball is a service that provides a
physical device for transferring large amounts of data into and out of AWS. Amazon MQ is a service
that provides managed message broker service for Apache ActiveMQ. AWS Storage Gateway is a
service that provides hybrid cloud storage for on-premises applications.

QUESTION NO: 779

Which AWS service or feature offers security for a VPC by acting as a firewall to control traffic in and out
of subnets?

A. AWS Security Hub

B. Security groups

C. Network ACL

D. AWSWAF

Answer: C

A network access control list (network ACL) is a feature that acts as a firewall for controlling traffic
in and out of one or more subnets in a virtual private cloud (VPC). Network ACLs can be configured
with rules that allow or deny traffic based on the source and destination IP addresses, ports, and
protocols1. AWS Security Hub is a service that provides a comprehensive view of the security
posture of AWS accounts and resources2. Security groups are features that act as firewalls for
controlling traffic at the instance level3. AWS WAF is a web application firewall that helps protect
web applications from common web exploits 4.

QUESTION NO: 780

A company wants to create a set of custom dashboards to collect metrics to monitor its applications.

Which AWS service will meet these requirements?

A. Amazon CloudWatch

B. AWS X-Ray

C. AWS Systems Manager

D. AWS CloudTrail

Answer: A

Amazon CloudWatch is a service that provides monitoring and observability for AWS resources and
applications. Users can create custom dashboards to collect and visualize metrics, logs, alarms, and
events from different sources5. AWS X-Ray is a service that provides distributed tracing and analysis
for applications. AWS Systems Manager is a service that provides operational management for AWS
resources and applications. AWS CloudTrail is a service that provides governance, compliance, and
auditing for AWS account activity.
QUESTION NO: 781

A company wants to migrate its workloads to AWS, but it lacks expertise in AWS Cloud computing.

Which AWS service or feature will help the company with its migration?

A. AWS Trusted Advisor

B. AWS Consulting Partners

C. AWS Artifacts

D. AWS Managed Services

Answer: D

AWS Managed Services is a service that provides operational management for AWS infrastructure
and applications. It helps users migrate their workloads to AWS and provides ongoing support,
security, compliance, and automation. AWS Trusted Advisor is a service that provides best practices
and recommendations for cost optimization, performance, security, and fault tolerance. AWS
Consulting Partners are professional services firms that help customers design, architect, build,
migrate, and manage their workloads and applications on AWS. AWS Artifacts is a service that
provides on-demand access to AWS compliance reports and select online agreements.

QUESTION NO: 782

A company deployed an application on an Amazon EC2 instance. The application ran as expected for 6
months. In the past week, users

have reported latency issues. A system administrator found that the CPU utilization was at 100% during
business hours. The company

wants a scalable solution to meet demand.

Which AWS service or feature should the company use to handle the load for its application during
periods of high demand?

A. Auto Scaling groups

B. AWS Global Accelerator

C. Amazon Route 53

D. An Elastic IP address

Answer: A
Auto Scaling groups are a feature that allows users to automatically scale the number of Amazon
EC2 instances up or down based on demand or a predefined schedule. Auto Scaling groups can help
improve the performance and availability of applications by adjusting the capacity in response to
traffic fluctuations1. AWS Global Accelerator is a service that improves the availability and
performance of applications by routing traffic through AWS edge locations 2. Amazon Route 53 is a
service that provides scalable and reliable domain name system (DNS) service 3. An Elastic IP
address is a static IPv4 address that can be associated with an Amazon EC2 instance 4.

QUESTION NO: 783

Which VPC component provides a layer of security at the subnet level?

A. Security groups

B. Network ACLs

C. NAT gateways

D. Route tables

Answer: B

Network ACLs are a feature that provide a layer of security at the subnet level by acting as a firewall
to control traffic in and out of one or more subnets. Network ACLs can be configured with rules that
allow or deny traffic based on the source and destination IP addresses, ports, and protocols 5.
Security groups are a feature that provide a layer of security at the instance level by acting as a
firewall to control traffic to and from one or more instances. Security groups can be configured with
rules that allow or deny traffic based on the source and destination IP addresses, ports, protocols,
and security groups. NAT gateways are a feature that enable instances in a private subnet to
connect to the internet or other AWS services, but prevent the internet from initiating a connection
with those instances. Route tables are a feature that determine where network traffic from a subnet
or gateway is directed.

QUESTION NO: 784

For which AWS service is the customer responsible for maintaining the underlying operating system?

A. Amazon DynamoDB

B. Amazon S3

C. Amazon EC2

D. AWS Lambda

Answer: C
Amazon EC2 is a service that provides resizable compute capacity in the cloud. Users can launch
and manage virtual servers, known as instances, that run on the AWS infrastructure. Users are
responsible for maintaining the underlying operating system of the instances, as well as any
applications or software that run on them. Amazon DynamoDB is a service that provides a fully
managed NoSQL database that delivers fast and consistent performance at any scale. Users do not
need to manage the underlying operating system or the database software. Amazon S3 is a service
that provides scalable and durable object storage in the cloud. Users do not need to manage the
underlying operating system or the storage infrastructure. AWS Lambda is a service that allows
users to run code without provisioning or managing servers. Users only need to upload their code
and configure the triggers and parameters. AWS Lambda takes care of the underlying operating
system and the execution environment.

QUESTION NO: 785

According to the AWS shared responsibility model, who is responsible for the virtualization layer down
to the

physical security of the facilities in which AWS services operate?

A. It is the sole responsibility of the customer.

B. It is the sole responsibility of AWS.

C. It is a shared responsibility between AWS and the customer.

D. The customer's AWS Support plan tier determines who manages the configuration.

Answer: B

According to the AWS shared responsibility model, AWS is responsible for the security of the cloud,
which includes the virtualization layer down to the physical security of the facilities in which AWS
services operate1. The customer is responsible for the security in the cloud, which includes the
configuration and management of the AWS resources and applications that they use 1.

QUESTION NO: 786

Which benefit does AWS offer exclusively to users who have an AWS Enterprise Support plan?

A. Access to a technical project manager

B. Access to a technical account manager (TAM)

C. Access to a cloud support engineer

D. Access to a solutions architect

A company wants to automatically set up and govern a multi-account AWS environment.

Answer: B
AWS Enterprise Support plan is the highest level of support that AWS offers to its customers. One of
the exclusive benefits of this plan is the access to a technical account manager (TAM), who is a
dedicated point of contact for guidance, advocacy, and support 2. A technical project manager, a
cloud support engineer, and a solutions architect are not exclusive benefits of the AWS Enterprise
Support plan, as they are also available to customers with lower-tier support plans or through other
AWS services or programs345.

QUESTION NO: 787

Which AWS service provides this functionality?

A. AWS IAM Identity Center (AWS Single Sign-On)

B. AWS Systems Manager

C. AWS Config

D. AWS Control Tower

Answer: D

AWS Control Tower is a service that provides an easy way to set up and govern a secure, multi-
account AWS environment. It automates the creation of accounts, organizational units, policies, and
best practices based on the AWS Well-Architected Framework. AWS IAM Identity Center (AWS Single
Sign-On) is a service that enables users to centrally manage access to multiple AWS accounts and
business applications using a single sign-on experience. AWS Systems Manager is a service that
provides operational management for AWS resources and applications. AWS Config is a service that
enables users to assess, audit, and evaluate the configurations of AWS resources.

QUESTION NO: 788

A company wants its AWS usage to be more sustainable. The company wants to track, measure, review,
and forecast polluting emissions that result from its AWS applications.

Which AWS service or tool can the company use to meet these requirements?

A. AWS Health Dashboard

B. AWS customer carbon footprint tool

C. AWS Support Center

D. Amazon QuickSight

Answer: B

AWS customer carbon footprint tool is a tool that helps customers measure and manage their
carbon emissions from their AWS usage. It provides data on the carbon intensity, energy
consumption, and estimated emissions of AWS services across regions and time periods. It also
enables customers to review and forecast their emissions, and compare them with industry
benchmarks. AWS Health Dashboard is a service that provides personalized information about the
health and performance of AWS services and resources. AWS Support Center is a service that
provides access to AWS support resources, such as cases, forums, and documentation. Amazon
QuickSight is a service that provides business intelligence and analytics for AWS data sources.

QUESTION NO: 789

A company has a large number of Linux Amazon EC2 instances across several Availability Zones in an
AWS Region. Applications that run on the EC2 instances need access to a common set of files.

Which AWS service or device should the company use to meet this requirement?

A. AWS Backup

B. Amazon Elastic File System (Amazon EFS)

C. Amazon Elastic Block Store (Amazon EBS)

D. AWS Snowball Edge Storage Optimized

Answer: B

Amazon Elastic File System (Amazon EFS) is a service that provides a scalable and elastic file
system for Linux-based workloads. It can be mounted on multiple Amazon EC2 instances across
different Availability Zones within a region, allowing applications to access a common set of files 1.
AWS Backup is a service that provides a centralized and automated way to back up data across
AWS services. Amazon Elastic Block Store (Amazon EBS) is a service that provides persistent block
storage volumes for Amazon EC2 instances. AWS Snowball Edge Storage Optimized is a device that
provides a petabyte-scale data transport and edge computing solution.

QUESTION NO: 790

Which of the following is a benefit that AWS Professional Services provides?

A. Management of the ongoing security of user data

B. Advisory solutions for AWS adoption

C. Technical support 24 hours a day, 7 days a week

D. Monitoring of monthly billing costs in AWS accounts

Answer: B

AWS Professional Services is a team of experts that help customers achieve their desired outcomes
using the AWS Cloud. One of the benefits that AWS Professional Services provides is advisory
solutions for AWS adoption, which include guidance on cloud strategy, architecture, migration, and
innovation2. Management of the ongoing security of user data, technical support 24 hours a day, 7
days a week, and monitoring of monthly billing costs in AWS accounts are not benefits that AWS
Professional Services provides, as they are either the responsibility of the customer or the features
of other AWS services or support plans3

QUESTION NO: 791

Which of the following is a benefit of operating in the AWS Cloud?

A. The ability to migrate on-premises network devices to the AWS Cloud

B. The ability to expand compute, storage, and memory when needed

C. The ability to host custom hardware in the AWS Cloud

D. The ability to customize the underlying hypervisor layer for Amazon EC2

Answer: B

One of the benefits of operating in the AWS Cloud is the ability to expand compute, storage, and
memory when needed, which enables users to scale their applications and resources up or down
based on demand. This also helps users optimize their costs and performance. The ability to
migrate on-premises network devices to the AWS Cloud, the ability to host custom hardware in the
AWS Cloud, and the ability to customize the underlying hypervisor layer for Amazon EC2 are not
benefits of operating in the AWS Cloud, as they are either not possible or not recommended by AWS
.

QUESTION NO: 792

A company is operating several factories where it builds products. The company needs the ability to
process data, store data, and run applications with local system interdependencies that require low
latency.

Which AWS service should the company use to meet these requirements?

A. AWS loT Greengrass

B. AWS Lambda

C. AWS Outposts

D. AWS Snowball Edge

Answer: C

AWS Outposts is a service that provides fully managed AWS infrastructure and services on
premises. It allows users to run applications that require low latency and local data processing,
while seamlessly connecting to the AWS Cloud for a consistent hybrid experience. AWS IoT
Greengrass is a service that provides local compute, messaging, data caching, sync, and ML
inference capabilities for connected devices. AWS Lambda is a service that allows users to run code
without provisioning or managing servers. AWS Snowball Edge is a device that provides a petabyte-
scale data transport and edge computing solution.

QUESTION NO: 793

What is the LEAST expensive AWS Support plan that provides the full set of AWS Trusted Advisor best
practice checks for cost optimization?

A. AWS Enterprise Support

B. AWS Business Support

C. AWS Developer Support

D. AWS Basic Support

Answer: B

AWS Business Support is the least expensive AWS Support plan that provides the full set of AWS
Trusted Advisor best practice checks for cost optimization. AWS Trusted Advisor is a service that
provides best practices and recommendations for cost optimization, performance, security, and
fault tolerance. AWS Business Support also provides other benefits, such as 24/7 technical support,
unlimited cases, and faster response times. AWS Enterprise Support is the most expensive AWS
Support plan that provides the same benefits as AWS Business Support, plus additional benefits,
such as a technical account manager and enterprise concierge support. AWS Developer Support and
AWS Basic Support are cheaper AWS Support plans that provide only a limited set of AWS Trusted
Advisor best practice checks for cost optimization .

QUESTION NO: 794

Which AWS service helps developers use loose coupling and reliable messaging between microservices?

A. Elastic Load Balancing

B. Amazon Simple Notification Service (Amazon SNS)

C. Amazon CloudFront

D. Amazon Simple Queue Service (Amazon SQS)

Answer: D

Amazon Simple Queue Service (Amazon SQS) is a service that provides fully managed message
queues for asynchronous communication between microservices. It helps developers use loose
coupling and reliable messaging by allowing them to send, store, and receive messages between
distributed components without losing them or requiring each component to be always available 1.
Elastic Load Balancing is a service that distributes incoming traffic across multiple targets, such as
Amazon EC2 instances, containers, and IP addresses. Amazon Simple Notification Service (Amazon
SNS) is a service that provides fully managed pub/sub messaging for event-driven and push-based
communication between microservices. Amazon CloudFront is a service that provides a fast and
secure content delivery network (CDN) for web applications.

QUESTION NO: 795

A company is building a mobile app to provide shopping recommendations to its customers. The
company wants to use a graph database as part of the shopping recommendation engine.

Which AWS database service should the company choose?

A. Amazon DynamoDB

B. Amazon Aurora

C. Amazon Neptune

D. Amazon DocumentDB (with MongoDB compatibility)

Answer: C

Amazon Neptune is a service that provides a fully managed graph database that supports property
graphs and RDF graphs. It can be used to build applications that work with highly connected
datasets, such as shopping recommendations, social networks, fraud detection, and knowledge
graphs2. Amazon DynamoDB is a service that provides a fully managed NoSQL database that
delivers fast and consistent performance at any scale. Amazon Aurora is a service that provides a
fully managed relational database that is compatible with MySQL and PostgreSQL. Amazon
DocumentDB (with MongoDB compatibility) is a service that provides a fully managed document
database that is compatible with MongoDB.

QUESTION NO: 796

Which option is the default pricing model for Amazon EC2 instances?

A. On-Demand Instances

B. Savings Plans

C. Spot Instances

D. Reserved Instances

Answer: A

On-Demand Instances are the default pricing model for Amazon EC2 instances. They allow users to
pay for compute capacity by the second, with no long-term commitments or upfront payments. They
are suitable for applications with short-term, irregular, or unpredictable workloads that cannot be
interrupted3. Savings Plans are a pricing model that offer significant savings on Amazon EC2 and
AWS Fargate usage, in exchange for a commitment to a consistent amount of usage (measured in
$/hour) for a 1-year or 3-year term. Spot Instances are a pricing model that offer spare Amazon EC2
compute capacity at up to 90% discount compared to On-Demand prices, but they can be interrupted
by AWS with a two-minute notice when the demand exceeds the supply. Reserved Instances are a
pricing model that offer up to 75% discount compared to On-Demand prices, in exchange for a
commitment to use a specific instance type and size in a specific region for a 1-year or 3-year term.

QUESTION NO: 797

Which AWS service can provide a dedicated network connection with consistent low latency from on
premises to the AWS Cloud?

A. Amazon VPC

B. Amazon Kinesis Data Streams

C. AWS Direct Connect

D. Amazon OpenSearch Service

Answer: C

AWS Direct Connect is a service that provides a dedicated network connection from on premises to
the AWS Cloud. It can reduce network costs, increase bandwidth throughput, and provide a more
consistent network experience than internet-based connections. It can also provide low latency for
applications that require real-time data transfer4. Amazon VPC is a service that provides a logically
isolated section of the AWS Cloud where users can launch AWS resources in a virtual network that
they define. Amazon Kinesis Data Streams is a service that provides a scalable and durable stream
of data records for real-time data processing. Amazon OpenSearch Service is a service that provides
a fully managed, scalable, and secure search and analytics solution that is compatible with
Elasticsearch.

QUESTION NO: 798

A company simulates workflows to review and validate that all processes are effective and that staff are
familiar with the processes.

Which design principle of the AWS Well-Architected Framework is the company following with this
practice?

A. Perform operations as code.

B. Refine operation procedures frequently.

C. Make frequent, small, reversible changes.

D. Structure the company to support business outcomes.

Answer: B

Refine operation procedures frequently is one of the design principles of the operational excellence
pillar of the AWS Well-Architected Framework. It means that users should continuously review and
validate their operational processes to ensure that they are effective and that staff are familiar with
them. It also means that users should identify and address any gaps or issues in their processes,
and incorporate feedback and lessons learned from operational events 5. Perform operations as
code is another design principle of the operational excellence pillar, which means that users should
automate and script their operational tasks to reduce human error and enable consistent and
repeatable execution. Make frequent, small, reversible changes is a design principle of the reliability
pillar, which means that users should deploy changes in small increments that can be easily tested
and rolled back if necessary. Structure the company to support business outcomes is a design
principle of the performance efficiency pillar, which means that users should align their
organizational structure and culture with their business goals and cloud strategy.

QUESTION NO: 799

A company has designed its AWS Cloud infrastructure to run its workloads effectively. The company also
has protocols in place to

continuously improve supporting processes.

Which pillar of the AWS Well-Architected Framework does this scenario represent?

A. Security

B. Performance efficiency

C. Cost optimization

D. Operational excellence

Answer: D

The scenario represents the operational excellence pillar of the AWS Well-Architected Framework,
which focuses on running and monitoring systems to deliver business value and continually improve
supporting processes and procedures1. Security, performance efficiency, cost optimization, and
reliability are the other four pillars of the framework1.

QUESTION NO: 800

Which AWS service is a continuous delivery and deployment solution?

A. AWSAppSync

B. AWS CodePipeline

C. AWS Cloud9
D. AWS CodeCommit

Answer: B

AWS CodePipeline is a continuous delivery and deployment service that automates the release
process of software applications across different stages, such as source code, build, test, and
deploy2. AWSAppSync, AWS Cloud9, and AWS CodeCommit are other AWS services related to
application development, but they do not provide continuous delivery and deployment solutions 34 .

QUESTION NO: 801

A company wants to set AWS spending targets and track costs against those targets.

Which AWS tool or feature should the company use to meet these requirements?

A. AWS Cost Explorer

B. AWS Budgets

C. AWS Cost and Usage Report

D. Savings Plans

Answer: B

AWS Budgets is a tool that allows users to set AWS spending targets and track costs against those
targets. Users can create budgets for various dimensions, such as service, linked account, tag, and
more. Users can also receive alerts when the actual or forecasted costs exceed or are projected to
exceed the budgeted amount. AWS Cost Explorer, AWS Cost and Usage Report, and Savings Plans
are other AWS tools or features that can help users manage and optimize their AWS costs, but they
do not enable users to set and track spending targets .

QUESTION NO: 802

Which AWS services can be used to store files? (Select TWO.)

A. Amazon S3

B. AWS Lambda

C. Amazon Elastic Block Store (Amazon EBS)

D. Amazon SageMaker

E. AWS Storage Gateway

Answer: A, C
Amazon S3 and Amazon EBS are two AWS services that can be used to store files . Amazon S3 is
an object storage service that offers high scalability, durability, availability, and performance.
Amazon EBS is a block storage service that provides persistent and low-latency storage volumes for
Amazon EC2 instances. AWS Lambda, Amazon SageMaker, and AWS Storage Gateway are other
AWS services that have different purposes, such as serverless computing, machine learning, and
hybrid cloud storage .

QUESTION NO: 803

A company's application has high customer usage during certain times of the day. The company wants
to reduce the number of Amazon EC2 instances that run when application usage is low.

Which AWS service or instance purchasing option should the company use to meet this requirement?

A. EC2 Instance Savings Plans

B. Spot Instances

C. Reserved Instances

D. Amazon EC2 Auto Scaling

Answer: D

Amazon EC2 Auto Scaling is an AWS service that can help users reduce the number of Amazon EC2
instances that run when application usage is low. Amazon EC2 Auto Scaling allows users to create
scaling policies that automatically adjust the number of EC2 instances based on the demand or a
schedule. EC2 Instance Savings Plans, Spot Instances, and Reserved Instances are instance
purchasing options that can help users save money on EC2 usage, but they do not automatically
scale the number of instances according to the application usage .

QUESTION NO: 804

A company is running a workload in the AWS Cloud.

Which AWS best practice ensures the MOST cost-effective architecture for the workload?

A. Loose coupling

B. Rightsizing

C. Caching

D. Redundancy

Answer: B

The AWS best practice that ensures the most cost-effective architecture for the workload
is rightsizing. Rightsizing means selecting the most appropriate instance type or resource
configuration that matches the needs of the workload. Rightsizing can help optimize performance
and reduce costs by avoiding over-provisioning or under-provisioning of resources1. Loose coupling,
caching, and redundancy are other AWS best practices that can improve the scalability, availability,
and performance of the workload, but they do not necessarily ensure the most cost-effective
architecture.

QUESTION NO: 805

A company is looking for a managed machine learning (ML) service that can recommend products based
on a customer's previous behaviors.

Which AWS service meets this requirement?

A. Amazon Personalize

B. Amazon SageMaker

C. Amazon Pinpoint

D. Amazon Comprehend

Answer: A

The AWS service that meets the requirement of providing a managed machine learning (ML) service
that can recommend products based on a customer’s previous behaviors is Amazon Personalize.
Amazon Personalize is a fully managed service that enables developers to create personalized
recommendations for customers using their own data. Amazon Personalize can automatically
process and examine the data, identify what is meaningful, select the right algorithms, and train and
optimize a personalized recommendation model2. Amazon SageMaker, Amazon Pinpoint, and
Amazon Comprehend are other AWS services related to machine learning, but they do not provide
the specific functionality of product recommendation.

QUESTION NO: 806

A company wants its Amazon EC2 instances to share the same geographic area but use multiple
independent underlying power sources.

Which solution achieves this goal?

A. Use EC2 instances in a single Availability Zone.

B. Use EC2 instances in multiple AWS Regions.

C. Use EC2 instances in multiple Availability Zones in the same AWS Region.

D. Use EC2 instances in the same edge location and the same AWS Region.

Answer: C
The solution that achieves the goal of having Amazon EC2 instances share the same geographic
area but use multiple independent underlying power sources is to use EC2 instances in multiple
Availability Zones in the same AWS Region . An Availability Zone is a physically isolated location
within an AWS Region that has its own power, cooling, and network connectivity. An AWS Region is a
geographical area that consists of two or more Availability Zones. By using multiple Availability
Zones, users can increase the fault tolerance and resilience of their applications, as well as reduce
latency for end users3. Using EC2 instances in a single Availability Zone, multiple AWS Regions, or
the same edge location and the same AWS Region would not meet the requirement of having
multiple independent power sources.

QUESTION NO: 807

Which AWS service should be used when a company needs to provide its remote employees with virtual
desktops?

A. Amazon Identity and Access Management (IAM)

B. AWS Directory Service

C. AWS IAM Identity Center (AWS Single Sign-On)

D. Amazon Workspaces

Answer: D

The AWS service that should be used when a company needs to provide its remote employees with
virtual desktops is Amazon WorkSpaces. Amazon WorkSpaces is a fully managed, secure desktop-
as-a-service (DaaS) solution that runs on AWS. Amazon WorkSpaces allows users to provision
cloud-based virtual desktops and provide their end users access to the documents, applications, and
resources they need from any supported device, including Windows and Mac computers,
Chromebooks, iPads, Fire tablets, and Android tablets4. Amazon Identity and Access Management
(IAM), AWS Directory Service, and AWS IAM Identity Center (AWS Single Sign-On) are other AWS
services related to identity and access management, but they do not provide virtual desktops.

QUESTION NO: 808

A company needs a graph database service that is scalable and highly available.

Which AWS service meets these requirements?

A. Amazon Aurora

B. Amazon Redshift

C. Amazon DynamoDB

D. Amazon Neptune
Answer: D

The AWS service that meets the requirements of providing a graph database service that is scalable
and highly available is Amazon Neptune. Amazon Neptune is a fast, reliable, and fully managed
graph database service that supports property graph and RDF graph models. Amazon Neptune is
designed to store billions of relationships and query the graph with milliseconds latency. Amazon
Neptune also offers high availability and durability by replicating six copies of the data across three
Availability Zones and continuously backing up the data to Amazon S3 5. Amazon Aurora, Amazon
Redshift, and Amazon DynamoDB are other AWS services that provide relational or non-relational
database solutions, but they do not support graph database models.

QUESTION NO: 809

Which AWS Cloud benefit describes the ability to acquire resources as they are needed and release
resources when they are no longer needed?

A. Economies of scale

B. Elasticity

C. Agility

D. Security

Answer: B

The AWS Cloud benefit that describes the ability to acquire resources as they are needed and
release resources when they are no longer needed is elasticity. Elasticity means that users can
quickly add and remove resources to match the demand of their applications, and only pay for what
they use. Elasticity enables users to handle unpredictable workloads, reduce costs, and improve
performance1. Economies of scale, agility, and security are other benefits of the AWS Cloud, but they
do not describe the specific ability of acquiring and releasing resources on demand.

QUESTION NO: 810

A company wants to design a reliable web application that is hosted on Amazon EC2.

Which approach will achieve this goal?

A. Launch large EC2 instances in the same Availability Zone.

B. Spread EC2 instances across more than one security group.

C. Spread EC2 instances across more than one Availability Zone.

D. Use an Amazon Machine Image (AMI) from AWS Marketplace.

Answer: C
The approach that will achieve the goal of designing a reliable web application that is hosted on
Amazon EC2 is to spread EC2 instances across more than one Availability Zone. An Availability Zone
is a physically isolated location within an AWS Region that has its own power, cooling, and network
connectivity. By spreading EC2 instances across multiple Availability Zones, users can increase the
fault tolerance and availability of their web applications, as well as reduce latency for end users 2.
Launching large EC2 instances in the same Availability Zone, spreading EC2 instances across more
than one security group, or using an Amazon Machine Image (AMI) from AWS Marketplace are not
sufficient to ensure reliability, as they do not provide redundancy or resilience in case of an outage in
one Availability Zone.

QUESTION NO: 811

A company has a MySQL database running on a single Amazon EC2 instance. The company now requires
higher availability in the event of an outage.

Which set of tasks would meet this requirement?

A. Add an Application Load Balancer in front of the EC2 instance.

B. Configure EC2 Auto Recovery to move the instance to another Availability Zone.

C. Migrate to Amazon RDS and enable Multi-AZ.

D. Enable termination protection for the EC2 instance to avoid outages.

Answer: C

The set of tasks that would meet the requirement of having higher availability for a MySQL database
running on a single Amazon EC2 instance is to migrate to Amazon RDS and enable Multi-AZ.
Amazon RDS is a fully managed relational database service that supports MySQL and other popular
database engines. By enabling Multi-AZ, users can have a primary database in one Availability Zone
and a synchronous standby replica in another Availability Zone. In case of a planned or unplanned
outage of the primary database, Amazon RDS automatically fails over to the standby replica with
minimal disruption3. Adding an Application Load Balancer in front of the EC2 instance, configuring
EC2 Auto Recovery to move the instance to another Availability Zone, or enabling termination
protection for the EC2 instance would not provide higher availability for the database, as they do not
address the single point of failure or data replication issues.

QUESTION NO: 433

A company wants to verify if multi-factor authentication (MFA) is enabled for all users within its AWS
accounts.

Which AWS service or resource will meet this requirement?

A. AWS Cost and Usage Report

B. IAM credential reports

C. AWS Artifact

D. Amazon CloudFront reports

Answer: B

The AWS service or resource that will meet the requirement of verifying if multi-factor authentication
(MFA) is enabled for all users within its AWS accounts is IAM credential reports. IAM credential
reports are downloadable reports that list all the users in an AWS account and the status of their
various credentials, including passwords, access keys, and MFA devices. Users can use IAM
credential reports to audit the security status of their AWS accounts and identify any issues or risks 4.
AWS Cost and Usage Report, AWS Artifact, and Amazon CloudFront reports are other AWS services
or resources that provide different types of information, such as billing, compliance, and content
delivery, but they do not show the MFA status of the users.

QUESTION NO: 434

A company has migrated its workloads to AWS. The company wants to adopt AWS
at scale and operate more efficiently and securely.

Which AWS service or framework should the company use for operational
support?

A. AWS Support

B. AWS Cloud Adoption Framework (AWS CAF)

C. AWS Managed Services (AMS)

D. AWS Well-Architected Framework

Answer: D
The AWS Well-Architected Framework is a set of best practices and guidelines for
designing and operating workloads on AWS. It helps customers achieve operational
excellence, security, reliability, performance efficiency, cost optimization, and
sustainability. The framework is based on six pillars, each with its own design
principles, best practices, and questions. Customers can use the framework to assess
their current state, identify gaps, and implement improvements 12.
AWS Support is a service that provides technical assistance, guidance, and resources
for AWS customers. It offers different plans with varying levels of access to AWS
experts, response times, and features3. AWS Support does not provide a comprehensive
framework for operational support.
AWS Cloud Adoption Framework (AWS CAF) is a guidance tool that helps customers
plan and execute their cloud migration journey. It provides a set of perspectives,
capabilities, and best practices to align the business and technical aspects of cloud
adoption4. AWS CAF does not focus on operational support for existing workloads on
AWS.
AWS Managed Services (AMS) is a service that operates AWS infrastructure on behalf
of customers. It provides a secure and compliant environment, automates common
activities, and applies best practices for provisioning, patching, backup, recovery, and
monitoring5. AMS does not provide a framework for customers to operate their own
workloads on AWS.

QUESTION NO: 435

A company is building an application in the AWS Cloud. The company wants to

use temporary credentials for the application to access other AWS resources.

Which AWS service will meet these requirements?

A. AWS Key Management Service (Aws KMS)

B. AWS CloudHSM

C. Amazon Cognito

D. AWS Security Token Service (Aws STS)

Answer: D

AWS Security Token Service (AWS STS) is a service that provides temporary security
credentials to users or applications that need to access AWS resources. The temporary
credentials have a limited lifetime and can be configured to last from a few minutes to
several hours. The credentials are not stored with the user or application, but are
generated dynamically and provided on request. The credentials work almost identically
to long-term access key credentials, but have the advantage of not requiring
distribution, rotation, or revocation1.
AWS Key Management Service (AWS KMS) is a service that provides encryption and
decryption services for data and keys. It does not provide temporary security
credentials2.
AWS CloudHSM is a service that provides hardware security modules (HSMs) for
cryptographic operations and key management. It does not provide temporary security
credentials3.
Amazon Cognito is a service that provides user authentication and authorization for
web and mobile applications. It can also provide temporary security credentials for
authenticated users, but not for applications4.

QUESTION NO: 436

Which AWS service offers object storage?

A. Amazon RDS

B. Amazon Elastic File System (Amazon EFS)

C. Amazon S3

D. Amazon DynamoDB

Answer: C

Amazon S3 is the AWS service that offers object storage. Object storage is a
technology that stores and manages data in an unstructured format called objects.
Each object consists of the data, metadata, and a unique identifier. Object storage is
ideal for storing large amounts of unstructured data, such as photos, videos, email, web
pages, sensor data, and audio files1. Amazon S3 provides industry-leading scalability,
data availability, security, and performance for object storage2.
Amazon RDS is the AWS service that offers relational database storage. Relational
database storage is a technology that stores and manages data in a structured format
called tables. Each table consists of rows and columns that define the attributes and
values of the data. Relational database storage is ideal for storing structured or semi-
structured data, such as customer records, inventory, transactions, and analytics 3.
Amazon Elastic File System (Amazon EFS) is the AWS service that offers file storage.
File storage is a technology that stores and manages data in a hierarchical format
called files and folders. Each file consists of the data and metadata, and each folder
consists of files or subfolders. File storage is ideal for storing shared data that can be
accessed by multiple users or applications, such as home directories, content
repositories, media libraries, and configuration files 4.
Amazon DynamoDB is the AWS service that offers NoSQL database storage. NoSQL
database storage is a technology that stores and manages data in a flexible format
called documents or key-value pairs. Each document or key-value pair consists of the
data and metadata, and can have different attributes and values depending on the
schema. NoSQL database storage is ideal for storing dynamic or unstructured data that
requires high performance, scalability, and availability, such as web applications, social
media, gaming, and IoT.

QUESTION NO: 437

A company needs to deploy applications in the AWS Cloud as quickly as

possible. The company also needs to minimize the complexity that is related
to the management of AWS resources.

Which AWS service should the company use to meet these requirements?

A. AWS config

B. AWS Elastic Beanstalk

C. Amazon EC2

D. Amazon Personalize

Answer: B

AWS Elastic Beanstalk is the AWS service that allows customers to deploy applications
in the AWS Cloud as quickly as possible. AWS Elastic Beanstalk automatically handles
the deployment, from capacity provisioning, load balancing, and auto-scaling to
application health monitoring. Customers can upload their code and Elastic Beanstalk
will take care of the rest1. AWS Elastic Beanstalk also minimizes the complexity that is
related to the management of AWS resources. Customers can retain full control of the
underlying AWS resources powering their applications and adjust the settings to suit
their needs1. Customers can also use the AWS Management Console, the AWS
Command Line Interface (AWS CLI), or APIs to manage their applications 1.
AWS Config is the AWS service that enables customers to assess, audit, and evaluate
the configurations of their AWS resources. AWS Config continuously monitors and
records the configuration changes of the resources and evaluates them against desired
configurations or best practices2. AWS Config does not help customers deploy
applications in the AWS Cloud as quickly as possible or minimize the complexity that is
related to the management of AWS resources.
Amazon EC2 is the AWS service that provides secure, resizable compute capacity in the
cloud. Customers can launch virtual servers called instances and choose from various
configurations of CPU, memory, storage, and networking resources 3. Amazon EC2 does
not automatically handle the deployment or management of AWS resources for
customers. Customers have to manually provision, configure, monitor, and scale their
instances and other related resources.
Amazon Personalize is the AWS service that enables customers to create personalized
recommendations for their users based on their behavior and preferences. Amazon
Personalize uses machine learning to analyze data and deliver real-time
recommendations4. Amazon Personalize does not help customers deploy applications
in the AWS Cloud as quickly as possible or minimize the complexity that is related to the
management of AWS resources.

QUESTION NO: 438

Which AWS service or feature can a company use to apply security rules to
specific Amazon EC2 instances?

A. Network ACLs

B. Security groups

C. AWS Trusted Advisor

D. AWS WAF

Answer: B
Security groups are the AWS service or feature that can be used to apply security rules
to specific Amazon EC2 instances. Security groups are virtual firewalls that control the
inbound and outbound traffic for one or more instances. Customers can create security
groups and add rules that reflect the role of the instance that is associated with the
security group. For example, a web server instance needs security group rules that allow
inbound HTTP and HTTPS access, while a database instance needs rules that allow
access for the type of database12. Security groups are stateful, meaning that the
responses to allowed inbound traffic are also allowed, regardless of the outbound
rules1. Customers can assign multiple security groups to an instance, and the rules
from each security group are effectively aggregated to create one set of rules 1.
Network ACLs are another AWS service or feature that can be used to control the traffic
for a subnet. Network ACLs are stateless, meaning that they do not track the traffic that
they allow. Therefore, customers must add rules for both inbound and outbound traffic 3.
Network ACLs are applied at the subnet level, not at the instance level.
AWS Trusted Advisor is an AWS service that provides best practice recommendations
for security, performance, cost optimization, and fault tolerance. AWS Trusted Advisor
does not apply security rules to specific Amazon EC2 instances, but it can help
customers identify security gaps and improve their security posture 4.
AWS WAF is an AWS service that helps protect web applications from common web
exploits, such as SQL injection, cross-site scripting, and bot attacks. AWS WAF does not
apply security rules to specific Amazon EC2 instances, but it can be integrated with
other AWS services, such as Amazon CloudFront, Amazon API Gateway, and
Application Load Balancer.

QUESTION NO: 439

Which actions are best practices for an AWS account root user? (Select TWO.)

A. Share root user credentials with team members.

B. Create multiple root users for the account, separated by environment.

C. Enable multi-factor authentication (MFA) on the root user.

D. Create an IAM user with administrator privileges for daily

administrative tasks, instead of using the root user.

E. Use programmatic access instead of the root user and password.

Answer: CD
The AWS account root user is the identity that has complete access to all AWS services
and resources in the account. It is accessed by signing in with the email address and
password that were used to create the account1. The root user should be protected and
used only for a few account and service management tasks that require it 1. Therefore,
the following actions are best practices for an AWS account root user:
• Enable multi-factor authentication (MFA) on the root user. MFA is a security feature that
requires users to provide two or more pieces of information to authenticate themselves,
such as a password and a code from a device. MFA adds an extra layer of protection for
the root user credentials, which can access sensitive information and perform critical
operations in the account2.
• Create an IAM user with administrator privileges for daily administrative tasks, instead
of using the root user. IAM is a service that helps customers manage access to AWS
resources for users and groups. Customers can create IAM users and assign them
permissions to perform specific tasks on specific resources. Customers can also create
IAM roles and policies to delegate access to other AWS services or external entities 3. By
creating an IAM user with administrator privileges, customers can avoid using the root
user for everyday tasks and reduce the risk of accidental or malicious changes to the
account1.

QUESTION NO: 440

A company wants an automated process to continuously scan its Amazon EC2

instances for software vulnerabilities.

Which AWS service will meet these requirements?

A. Amazon GuardDuty

B. Amazon Inspector

C. Amazon Detective

D. Amazon Cognito

Answer: B

Amazon Inspector is the AWS service that can be used to perform vulnerability scans on AWS
EC2 instances for software vulnerabilities automatically in a periodic fashion. Amazon Inspector
automatically discovers EC2 instances and scans them for software vulnerabilities and
unintended network exposure. Amazon Inspector uses AWS Systems Manager (SSM) and the
SSM Agent to collect information about the software application inventory of the EC2
instances. This data is then scanned by Amazon Inspector for software
vulnerabilities12. Amazon Inspector also integrates with other AWS services, such as Amazon
EventBridge and AWS Security Hub, to automate discovery, expedite vulnerability routing, and
shorten mean time to remediate (MTTR) vulnerabilities 2.

QUESTION NO: 441

Which AWS service can identify when an Amazon EC2 instance was terminated?

A. AWS Identity and Access Management (IAM)

B. AWS CloudTrail

C. AWS Compute Optimizer

D. Amazon EventBridge

Answer: B

AWS CloudTrail is the AWS service that can identify when an Amazon EC2 instance was
terminated. AWS CloudTrail is a service that records API calls and events for AWS accounts and
resources. AWS CloudTrail can capture the TerminateInstances event, which is triggered when
an EC2 instance is terminated by a user or an AWS service. The event contains information
such as the instance ID, the user identity, the source IP address, the time, and the reason for the
termination12. Customers can use the CloudTrail console, the AWS CLI, or the AWS SDKs to view
and search for the TerminateInstances events in their event history or in their S3 buckets where
they store their CloudTrail logs13.

QUESTION NO: 442

A company needs to categorize and track AWS usage cost based on business
categories.

Which AWS service or feature should the company use to meet these
requirements?

A. Cost allocation tags

B. AWS Organizations

C. AWS Security Hub

 D. AWS Cost and Usage Report

Answer: A

The AWS service or feature that the company should use to categorize and track AWS usage cost
based on business categories is cost allocation tags. Cost allocation tags are key-value pairs that
users can attach to AWS resources to organize and track their AWS costs. Users can use cost
allocation tags to filter and group their AWS costs by categories such as project, department,
environment, or application. Users can also use cost allocation tags to generate detailed billing
reports that show the costs associated with each tag 3. AWS Organizations, AWS Security Hub, and
AWS Cost and Usage Report are other AWS services or features that can help users with different
aspects of their AWS usage, such as managing multiple accounts, monitoring security issues, or
analyzing billing data, but they do not enable users to categorize and track AWS costs based on
business categories.

QUESTION NO: 443

Which options are AWS Cloud Adoption Framework (AWS CAF) cloud transformation
journey

recommendations? (Select TWO.)

A. Envision phase

B. Align phase

C. Assess phase

D. Mobilize phase

E. Migrate and modernize phase

Answer: AB

The AWS Cloud Adoption Framework (AWS CAF) cloud transformation journey is a four-
phase process that helps customers plan and execute their cloud migration and digital
transformation. The four phases are:
• Envision phase: This phase focuses on demonstrating how cloud will help accelerate the
business outcomes of the customer. It involves identifying and prioritizing
transformation opportunities across four domains: business, people, governance, and
platform. It also involves associating the transformation initiatives with key stakeholders
and measurable business outcomes1.
 • Align phase: This phase focuses on identifying capability gaps across six perspectives:
business, people, governance, platform, security, and operations. It also involves
identifying cross-organizational dependencies and surfacing stakeholder concerns and
challenges. The goal of this phase is to create strategies for improving the cloud
readiness, ensure stakeholder alignment, and facilitate relevant organizational change
management activities1.
• Launch phase: This phase focuses on delivering pilot initiatives in production and
demonstrating incremental business value. Pilots should be highly impactful and
influence future direction. The customer should learn from the pilots and adjust their
approach before scaling to full production1.
• Scale phase: This phase focuses on expanding production pilots and business value to
the desired scale and ensuring that the business benefits associated with the cloud
investments are realized and sustained1.

QUESTION NO: 444

Which AWS service requires the customer to be fully responsible for applying
operating system patches?

A. Amazon DynamoDB

B. AWS Lambda

C. AWS Fargate

D. Amazon EC2

Answer: D

Amazon EC2 is the AWS service that requires the customer to be fully responsible for applying
operating system patches. Amazon EC2 is a service that provides secure, resizable compute
capacity in the cloud. Customers can launch virtual servers called instances and choose from
various configurations of CPU, memory, storage, and networking resources 1. Customers have
full control and access to their instances, which means they are also responsible for managing
and maintaining them, including applying operating system patches 2. Customers can use AWS
Systems Manager Patch Manager, a feature of AWS Systems Manager, to automate the
process of patching their EC2 instances with both security-related updates and other types of
updates3.
A company wants an AWS service to collect and process 10 TB of data locally
and transfer the data to AWS. The company has intermittent connectivity.

Which AWS service will meet these requirements?

A. AWS Database Migration Service (AWS DMS)

B. AWS DataSync

C. AWS Backup

D. AWS Snowball Edge

Answer: D

The correct answer is D. AWS Snowball Edge.

AWS Snowball Edge is a physical device that can be used to collect and process data
locally and then transfer it to AWS. It is designed for situations where there is limited
or intermittent network connectivity, or where bandwidth costs are high. AWS
Snowball Edge can store up to 80 TB of data and has compute and storage capabilities
to run applications on the device1.
AWS Database Migration Service (AWS DMS) is a service that helps migrate
databases to AWS. It does not collect or process data locally, nor does it work
offline2.
AWS DataSync is a service that helps transfer data between on-premises storage
systems and AWS storage services. It does not collect or process data locally, and it
requires a network connection to work3.
AWS Backup is a service that helps automate and manage backups across AWS
services. It does not collect or process data locally, nor does it transfer data to AWS. It
only backs up data that is already in AWS4.
References:
1:
AWS Snowball Edge 2: AWS Database Migration Service (AWS DMS) 3: AWS
DataSync 4: AWS Backup
QUESTION NO: 445

A company plans to migrate to the AWS Cloud. The company wants to use the AWS
Cloud Adoption Framework (AWS CAF) to define and track business outcomes as
part of its cloud transformation journey.

Which AWS CAF governance perspective capability will meet these requirements?

A. Benefits management

B. Risk management

C. Application portfolio management

D. Cloud financial management

Answer: A

The correct answer is A. Benefits management.

Benefits management is the AWS CAF governance perspective capability that helps
you define and track business outcomes as part of your cloud transformation journey.
Benefits management helps you align your cloud initiatives with your business
objectives, measure the value and impact of your cloud investments, and
communicate the benefits of cloud adoption to your stakeholders12.
Risk management is the AWS CAF governance perspective capability that helps you
identify and mitigate the potential risks associated with cloud adoption, such as
security, compliance, legal, and operational risks12.
Application portfolio management is the AWS CAF governance perspective
capability that helps you assess and optimize your existing application portfolio for
cloud migration or modernization. Application portfolio management helps you
categorize your applications based on their business value and technical fit, prioritize
them for cloud adoption, and select the best migration or modernization strategy for
each application12.
Cloud financial management is the AWS CAF governance perspective capability that
helps you manage and optimize the costs and value of your cloud resources. Cloud
financial management helps you plan and budget for cloud adoption, track and
allocate cloud costs, implement cost optimization strategies, and report on cloud
financial performance12.
References:
1:AWS Cloud Adoption Framework: Governance Perspective 2: All you need to know
about AWS Cloud Adoption Framework — Governance Perspective

QUESTION NO: 446

Which perspective in the AWS Cloud Adoption Framework (AWS CAF) includes a
capability for well-designed data and analytics architecture?

A. Security

B. Governance

C. Operations

D. Platform

Answer: D

The correct answer is D. Platform.

The Platform perspective in the AWS Cloud Adoption Framework (AWS CAF)
includes a capability for well-designed data and analytics architecture. This capability
helps you design, implement, and optimize your data and analytics solutions on AWS,
using services such as Amazon S3, Amazon Redshift, Amazon EMR, Amazon
Kinesis, Amazon Athena, and Amazon QuickSight. A well-designed data and
analytics architecture enables you to collect, store, process, analyze, and visualize data
from various sources, and derive insights that can drive your business decisions12.
The Security perspective does not include a capability for data and analytics
architecture, but it does include a capability for data protection, which helps you
secure your data at rest and in transit using encryption, key management, access
control, and auditing13.
The Governance perspective does not include a capability for data and analytics
architecture, but it does include a capability for data governance, which helps you
manage the quality, availability, usability, integrity, and security of your data assets 14.
The Operations perspective does not include a capability for data and analytics
architecture, but it does include a capability for data operations, which helps you
monitor, troubleshoot, and optimize the performance and availability of your data
pipelines and workloads1 .
References:
1:Foundational capabilities - An Overview of the AWS Cloud Adoption Framework 2:
[AWS Cloud Adoption Framework: Platform Perspective] 3: [AWS Cloud Adoption
Framework: Security Perspective] 4: [AWS Cloud Adoption Framework: Governance
Perspective] : [AWS Cloud Adoption Framework: Operations Perspective]

QUESTION NO: 447

A company needs an automated vulnerability management service that

continually scans AWS workloads for software vulnerabilities.

Which AWS service will meet these requirements?

A. Amazon GuardDuty

B. Amazon Inspector

C. AWS Security Hub

D. AWS Shield

Answer: B

The correct answer is B. Amazon Inspector.

Amazon Inspector is an automated vulnerability management service that continually
scans AWS workloads for software vulnerabilities and unintended network exposure.
Amazon Inspector automatically discovers workloads, such as Amazon EC2
instances, containers, and Lambda functions, and scans them for software
vulnerabilities and unintended network exposure12.
Amazon GuardDuty is a threat detection service that monitors your AWS accounts
and workloads for malicious or unauthorized activity. Amazon GuardDuty does not
scan for software vulnerabilities, but rather analyzes AWS CloudTrail, Amazon VPC
Flow Logs, and DNS logs to detect threats such as compromised credentials,
backdoors, or crypto mining3.
AWS Security Hub is a security and compliance service that aggregates and
prioritizes security findings from multiple AWS services and partner solutions. AWS
Security Hub does not scan for software vulnerabilities, but rather provides a
comprehensive view of your security posture across your AWS accounts4.
AWS Shield is a managed service that protects your web applications and network
resources from distributed denial-of-service (DDoS) attacks. AWS Shield does not
scan for software vulnerabilities, but rather provides detection and mitigation of
DDoS attacks at the network and application layers5.
References:
1:Automated Software Vulnerability Management - Amazon Inspector - AWS 3:
[Amazon GuardDuty – Intelligent Threat Detection Made Easy] 2: AWS Re-Launches
Amazon Inspector with New Architecture and Features - InfoQ 4: [AWS Security Hub
– Unified Security and Compliance Center] 5: [AWS Shield – Managed DDoS
Protection]

QUESTION NO: 448

A company is assessing its AWS Business Support plan to determine if the plan
still meets the company's needs. The company is considering switching to AWS
Enterprise Support.

Which additional benefit will the company receive with AWS Enterprise
Support?

A. A full set of AWS Trusted Advisor checks

B. Phone, email, and chat access to cloud support engineers 24 hours a

day, 7 days a week

C. A designated technical account manager (TAM) to assist in monitoring

and optimization

D. A consultative review and architecture guidance for the company's

applications

Answer: C

The additional benefit that the company will receive with AWS Enterprise Support is
C. A designated technical account manager (TAM) to assist in monitoring and
optimization.
A TAM is a dedicated point of contact who works with the customer to understand
their use cases, applications, and goals, and provides proactive guidance and best
practices to help them optimize their AWS environment. A TAM also helps the
customer with case management, escalations, service updates, and feature requests12.
A full set of AWS Trusted Advisor checks is available for customers with Business,
Enterprise On-Ramp, or Enterprise Support plans1. Phone, email, and chat access to
cloud support engineers 24/7 is available for customers with Business, Enterprise On-
Ramp, or Enterprise Support plans1. A consultative review and architecture guidance
for the company’s applications is available for customers with Enterprise On-Ramp or
Enterprise Support plans1. Therefore, these benefits are not exclusive to AWS
Enterprise Support.
Reference:
1: AWS Support Plan Comparison | Developer, Business, Enterprise …

QUESTION NO: 449

A developer has been hired by a large company and needs AWS credentials.

Which are security best practices that should be followed? (Select TWO.)

A. Grant the developer access to only the AWS resources needed to perform
the job.

B. Share the AWS account root user credentials with the developer.

C. Add the developer to the administrator's group in AWS IAM.

D. Configure a password policy that ensures the developer's password

cannot be changed.

E. Ensure the account password policy requires a minimum length.

Answer: AE

The security best practices that should be followed are A and E.

A. Grant the developer access to only the AWS resources needed to perform the job.
This is an example of the principle of least privilege, which means giving the
minimum permissions necessary to achieve a task. This reduces the risk of
unauthorized access, data leakage, or accidental damage to AWS resources. You can
use AWS Identity and Access Management (IAM) to create users, groups, roles, and
policies that grant fine-grained access to AWS resources12.
E. Ensure the account password policy requires a minimum length. This is a basic
security measure that helps prevent brute-force attacks or guessing of passwords. A
longer password is harder to crack than a shorter one. You can use IAM to configure a
password policy that enforces a minimum password length, as well as other
requirements such as complexity, expiration, and history34.
B. Share the AWS account root user credentials with the developer. This is a bad
practice that should be avoided. The root user has full access to all AWS resources
and services, and can perform sensitive actions such as changing billing information,
closing the account, or deleting all resources. Sharing the root user credentials exposes
your account to potential compromise or misuse. You should never share your root
user credentials with anyone, and use them only for account administration tasks5 .
C. Add the developer to the administrator’s group in IAM. This is also a bad practice
that should be avoided. The administrator’s group has full access to all AWS
resources and services, which is more than what a developer needs to perform their
job. Adding the developer to the administrator’s group violates the principle of least
privilege and increases the risk of unauthorized access, data leakage, or accidental
damage to AWS resources. You should create a custom group for the developer that
grants only the necessary permissions for their role12.
D. Configure a password policy that ensures the developer’s password cannot be
changed. This is another bad practice that should be avoided. Preventing the developer
from changing their password reduces their ability to protect their credentials and
comply with security policies. For example, if the developer’s password is
compromised, they cannot change it to prevent further unauthorized access. Or if the
company requires periodic password rotation, they cannot update their password to
meet this requirement. You should allow the developer to change their password as
needed, and enforce a password policy that sets reasonable rules for password
management34.

QUESTION NO: 450

A company is moving an on-premises data center to the AWS Cloud. The company
must migrate 50 petabytes of file storage data to AWS with the least possible
operational overhead.

Which AWS service or resource should the company use to meet these
requirements?
 A. AWS Snowmobile

B. AWS Snowball Edge

C. AWS Data Exchange

D. AWS Database Migration Service (AWS DMS)

Answer: A

The AWS service that the company should use to meet these requirements is A. AWS
Snowmobile.
AWS Snowmobile is a service that allows you to migrate large amounts of data to
AWS using a 45-foot long ruggedized shipping container that can store up to 100
petabytes of data. AWS Snowmobile is designed for situations where you need to
move massive amounts of data to the cloud in a fast, secure, and cost-effective way.
AWS Snowmobile has the least possible operational overhead because it eliminates
the need to buy, configure, or manage hundreds or thousands of storage devices12.
AWS Snowball Edge is a service that allows you to migrate data to AWS using a
physical device that can store up to 80 terabytes of data and has compute and storage
capabilities to run applications on the device. AWS Snowball Edge is suitable for
situations where you have limited or intermittent network connectivity, or where
bandwidth costs are high. However, AWS Snowball Edge has more operational
overhead than AWS Snowmobile because you need to request multiple devices and
transfer your data onto them using the client3.
AWS Data Exchange is a service that allows you to find, subscribe to, and use third-
party data in the cloud. AWS Data Exchange is not a data migration service, but rather
a data marketplace that enables data providers and data consumers to exchange data
sets securely and efficiently4.
AWS Database Migration Service (AWS DMS) is a service that helps migrate
databases to AWS. AWS DMS does not migrate file storage data, but rather supports
various database platforms and engines as sources and targets5.
References:
1:AWS Snowmobile – Move Exabytes of Data to the Cloud in Weeks 2: AWS
Snowmobile - Amazon Web Services 3: Automated Software Vulnerability
Management - Amazon Inspector - AWS 4: AWS Data Exchange - Find, subscribe to,
and use third-party data in … 5: AWS Database Migration Service – Amazon Web
Services
QUESTION NO: 451

A company wants to define a central data protection policy that works across
AWS services for compute, storage, and database resources.

Which AWS service will meet this requirement?

A. AWS Batch

B. AWS Elastic Disaster Recovery

C. AWS Backup

D. Amazon FSx

Answer: C

The AWS service that will meet this requirement is C. AWS Backup.
AWS Backup is a service that allows you to define a central data protection policy
that works across AWS services for compute, storage, and database resources. You
can use AWS Backup to create backup plans that specify the frequency, retention, and
lifecycle of your backups, and apply them to your AWS resources using tags or
resource IDs. AWS Backup supports various AWS services, such as Amazon EC2,
Amazon EBS, Amazon RDS, Amazon DynamoDB, Amazon EFS, Amazon FSx, and
AWS Storage Gateway12.
AWS Batch is a service that allows you to run batch computing workloads on AWS.
AWS Batch does not provide a central data protection policy, but rather enables you
to optimize the allocation and utilization of your compute resources3.
AWS Elastic Disaster Recovery is a service that allows you to prepare for and recover
from disasters using AWS. AWS Elastic Disaster Recovery does not provide a central
data protection policy, but rather helps you minimize downtime and data loss by
replicating your applications and data to AWS4.
Amazon FSx is a service that provides fully managed file storage for Windows and
Linux applications. Amazon FSx does not provide a central data protection policy, but
rather offers features such as encryption, snapshots, backups, and replication to
protect your file systems5.
References:
AWS Backup – Centralized backup across AWS services 3: AWS Batch – Run
1:

Batch Computing Jobs on AWS 2: Data Protection Reference Architectures with AWS
Backup 4: AWS Elastic Disaster Recovery – Prepare for and recover from disasters
using AWS 5: Amazon FSx – Fully managed file storage for Windows and Linux
applications

QUESTION NO: 452

A company needs to engage third-party consultants to help maintain and

support its AWS environment and the company's business needs.

Which AWS service or resource will meet these requirements?

A. AWS Support

B. AWS Organizations

C. AWS Service Catalog

D. AWS Partner Network (APN)

Answer: D

The AWS service or resource that will meet these requirements is D. AWS Partner
Network (APN).
AWS Partner Network (APN) is a global community of consulting and technology
partners that offer a wide range of services and solutions for AWS customers. APN
partners can help customers design, architect, build, migrate, and manage their
workloads and applications on AWS. APN partners have access to various resources,
training, tools, and support to enhance their AWS expertise and deliver value to
customers12.
AWS Support is a service that provides technical assistance and guidance for AWS
customers. AWS Support offers different plans with varying levels of response time,
access channels, and features. AWS Support does not directly engage third-party
consultants, but rather connects customers with AWS experts and resources3.
AWS Organizations is a service that allows customers to manage multiple AWS
accounts within a single organization. AWS Organizations enables customers to
create groups of accounts, apply policies, automate account creation, and consolidate
billing. AWS Organizations does not directly engage third-party consultants, but
rather helps customers simplify and optimize their AWS account management4.
AWS Service Catalog is a service that allows customers to create and manage
catalogs of IT services that are approved for use on AWS. AWS Service Catalog
enables customers to control the configuration, deployment, and governance of their
IT services. AWS Service Catalog does not directly engage third-party consultants,
but rather helps customers standardize and streamline their IT service delivery5.
References:
1:AWS Partner Network (APN) - Amazon Web Services (AWS) 2: Find an APN
Partner - Amazon Web Services (AWS) 3: AWS Support – Amazon Web Services 4:
AWS Organizations – Amazon Web Services 5: AWS Service Catalog – Amazon
Web Services

QUESTION NO: 453

A company wants to use the AWS Cloud to deploy an application globally.

Which architecture deployment model should the company use to meet this
requirement?

A. Multi-Region

B. Single-Region

C. Multi-AZ

D. Single-AZ

Answer: A

The architecture deployment model that the company should use to meet this
requirement is A. Multi-Region.
A multi-region deployment model is a cloud computing architecture that distributes an
application and its data across multiple geographic regions. A multi-region
deployment model enables a company to achieve global reach, high availability,
disaster recovery, and performance optimization. By deploying an application in
multiple regions, a company can serve customers from the nearest region, reduce
latency, increase redundancy, and comply with data sovereignty regulations12.
A single-region deployment model is a cloud computing architecture that runs an
application and its data within a single geographic region. A single-region deployment
model is simpler and cheaper than a multi-region deployment model, but it has limited
scalability, availability, and performance. A single-region deployment model may not
be suitable for a company that wants to deploy an application globally, as it may face
challenges such as network latency, regional outages, or regulatory compliance12.
A multi-AZ (Availability Zone) deployment model is a cloud computing architecture
that distributes an application and its data across multiple isolated locations within a
single region. An Availability Zone is a physically separate location within an AWS
Region that has independent power, cooling, and networking. A multi-AZ deployment
model enhances the availability and durability of an application by providing
redundancy and fault tolerance within a region34.
A single-AZ deployment model is a cloud computing architecture that runs an
application and its data within a single Availability Zone. A single-AZ deployment
model is the simplest and most cost-effective option, but it has no redundancy or fault
tolerance. A single-AZ deployment model may not be suitable for a company that
wants to deploy an application globally, as it may face challenges such as network
latency, regional outages, or regulatory compliance34.
References:
1:AWS Cloud Computing - W3Schools 2: Understand the Different Cloud Computing
Deployment Models Unit - Trailhead 3: Regions and Availability Zones - Amazon
Elastic Compute Cloud 4: AWS Reference Architecture Diagrams

QUESTION NO: 454

Which option is a customer responsibility under the AWS shared responsibility

model?

A. Maintenance of underlying hardware of Amazon EC2 instances

B. Application data security

C. Physical security of data centers

D. Maintenance of VPC components

Answer: B
The option that is a customer responsibility under the AWS shared responsibility
model is B. Application data security.
According to the AWS shared responsibility model, AWS is responsible for the
security of the cloud, while the customer is responsible for the security in the cloud.
This means that AWS manages the security of the underlying infrastructure, such as
the hardware, software, networking, and facilities that run the AWS services, while
the customer manages the security of their applications, data, and resources that they
use on top of AWS12.
Application data security is one of the customer responsibilities under the AWS
shared responsibility model. This means that the customer is responsible for
protecting their application data from unauthorized access, modification, deletion, or
leakage. The customer can use various AWS services and features to help with
application data security, such as encryption, key management, access control,
logging, and auditing12.
Maintenance of underlying hardware of Amazon EC2 instances is not a customer
responsibility under the AWS shared responsibility model. This is part of the AWS
responsibility to secure the cloud. AWS manages the physical servers that host the
Amazon EC2 instances and ensures that they are updated, patched, and replaced as
needed13.
Physical security of data centers is not a customer responsibility under the AWS
shared responsibility model. This is also part of the AWS responsibility to secure the
cloud. AWS operates and controls the facilities where the AWS services are hosted
and ensures that they are protected from unauthorized access, environmental hazards,
fire, and theft14.
Maintenance of VPC components is not a customer responsibility under the AWS
shared responsibility model. This is a shared responsibility between AWS and the
customer. AWS provides the VPC service and ensures that it is secure and reliable,
while the customer configures and manages their own VPCs and related components,
such as subnets, route tables, security groups, network ACLs, gateways, and
endpoints15.
References:
1:Shared Responsibility Model - Amazon Web Services (AWS) 2: AWS Cloud
Computing - W3Schools 3: [Amazon EC2 FAQs - Amazon Web Services] 4: [AWS
Security - Amazon Web Services] 5: [Amazon Virtual Private Cloud (VPC) - Amazon
Web Services]
QUESTION NO: 455

Which AWS service uses AWS Compute Optimizer to provide sizing

recommendations based on workload metrics?

A. Amazon EC2

B. Amazon RDS

C. Amazon Lightsail

D. AWS Step Functions

Answer: A

Amazon EC2 is a web service that provides secure, resizable compute capacity in the
cloud. It allows you to launch virtual servers, called instances, with different
configurations of CPU, memory, storage, and networking resources. AWS Compute
Optimizer analyzes the specifications and utilization metrics of your Amazon EC2
instances and generates recommendations for optimal instance types that can reduce
costs and improve performance. You can view the recommendations on the AWS
Compute Optimizer console or the Amazon EC2 console12.
Amazon RDS, Amazon Lightsail, and AWS Step Functions are not supported by AWS
Compute Optimizer. Amazon RDS is a managed relational database service that lets
you set up, operate, and scale a relational database in the cloud. Amazon Lightsail is an
easy-to-use cloud platform that offers everything you need to build an application or
website, plus a cost-effective, monthly plan. AWS Step Functions lets you coordinate
multiple AWS services into serverless workflows so you can build and update apps
quickly3 .

QUESTION NO: 456

Which capabilities are in the platform perspective of the AWS Cloud Adoption
Framework (AWS CAF)? (Select TWO.)

A. Performance and capacity management

B. Data engineering
 C. Continuous integration and continuous delivery (CI/CD)

D. Infrastructure protection

E. Change and release management

Answer: BC

These are two of the seven capabilities that are in the platform perspective of the AWS
Cloud Adoption Framework (AWS CAF). The platform perspective helps you build an
enterprise-grade, scalable, hybrid cloud platform, modernize existing workloads, and
implement new cloud-native solutions1. The other five capabilities are:
• Platform architecture – Establish and maintain guidelines, principles, patterns, and
guardrails for your cloud environment.
• Platform engineering – Build a compliant multi-account cloud environment with
enhanced security features, and packaged, reusable cloud products.
• Platform operations – Manage and optimize your cloud environment with automation,
monitoring, and incident response.
• Application development – Develop and deploy cloud-native applications using modern
architectures and best practices.
• Application migration – Migrate your existing applications to the cloud using proven
methodologies and tools.
Performance and capacity management, infrastructure protection, and change and
release management are not capabilities of the platform perspective. They are part of
the operations perspective, which helps you achieve operational excellence in the
cloud2. The operations perspective comprises six capabilities:
• Performance and capacity management – Monitor and optimize the performance and
capacity of your cloud workloads.
• Infrastructure protection – Protect your cloud infrastructure from unauthorized access,
malicious attacks, and data breaches.
• Change and release management – Manage changes and releases to your cloud
workloads using automation and governance.
• Configuration management – Manage the configuration of your cloud resources and
applications using automation and version control.
• Incident management – Respond to incidents affecting your cloud workloads using best
practices and tools.
• Service continuity management – Ensure the availability and resilience of your cloud
workloads using backup, recovery, and disaster recovery strategies.

QUESTION NO: 457

How does the AWS Enterprise Support Concierge team help users?

A. Supporting application development

B. Providing architecture guidance

C. Answering billing and account inquiries

D. Answering questions regarding technical support cases

Answer: C

The AWS Enterprise Support Concierge team is a group of billing and account experts
who specialize in working with enterprise customers. They can help customers with
questions about billing, account management, cost optimization, and other non-
technical issues. They can also assist customers with navigating and optimizing their
AWS environment, such as setting up consolidated billing, applying for service limit
increases, or requesting refunds.
References:
• AWS Support Plan Comparison
• AWS Enterprise Support Plan
• Answer Explained: Which AWS Support plan provides access to AWS Concierge Support
team for account assistance?

QUESTION NO: 458

A company has 5 TB of data stored in Amazon S3. The company plans to

occasionally run queries on the data for analysis.

Which AWS service should the company use to run these queries in the MOST
cost-effective manner?

A. Amazon Redshift

B. Amazon Athena

C. Amazon Kinesis

D. Amazon RDS

Answer: B
Amazon Athena is a serverless, interactive analytics service that allows users to run
SQL queries on data stored in Amazon S3. It is ideal for occasional queries on large
datasets, as it does not require any server provisioning, configuration, or management.
Users only pay for the queries they run, based on the amount of data scanned. Amazon
Athena supports various data formats, such as CSV, JSON, Parquet, ORC, and Avro, and
integrates with AWS Glue Data Catalog to create and manage schemas. Amazon
Athena also supports querying data from other sources, such as on-premises or other
cloud systems, using data connectors1.
Amazon Redshift is a fully managed data warehouse service that allows users to run
complex analytical queries on petabyte-scale data. However, it requires users to
provision and maintain clusters of nodes, and pay for the storage and compute capacity
they use. Amazon Redshift is more suitable for frequent and consistent queries on
structured or semi-structured data2.
Amazon Kinesis is a platform for streaming data on AWS, enabling users to collect,
process, and analyze real-time data. It is not designed for querying data stored in
Amazon S3. Amazon Kinesis consists of four services: Kinesis Data Streams, Kinesis
Data Firehose, Kinesis Data Analytics, and Kinesis Video Streams 3.
Amazon RDS is a relational database service that provides six database engines:
Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. It
simplifies database administration tasks such as backup, patching, scaling, and
replication. However, it is not optimized for querying data stored in Amazon S3. Amazon
RDS is more suitable for transactional workloads that require high performance and
availability4.
References:
• Interactive SQL - Serverless Query Service - Amazon Athena - AWS
• [Amazon Redshift – Data Warehouse Solution - AWS]
• [Amazon Kinesis - Streaming Data Platform - AWS]
• [Amazon Relational Database Service (RDS) – AWS]

QUESTION NO: 459

A company needs to search for text in documents that are stored in Amazon S3.

Which AWS service will meet these requirements?

A. Amazon Kendra

B. Amazon Rekognition
 C. Amazon Polly

D. Amazon Lex

Answer: A

Amazon Kendra is a highly accurate and easy to use intelligent search service powered
by machine learning. It enables users to easily find the content they are looking for, even
when it is scattered across multiple locations and content repositories within their
organization. Amazon Kendra supports natural language queries, and can search for
text in documents stored in Amazon S3, as well as other sources such as SharePoint,
OneDrive, Salesforce, ServiceNow, and more1.
Amazon Rekognition is a computer vision service that makes it easy to add image and
video analysis to applications. It can detect objects, faces, text, scenes, activities, and
emotions in images and videos. However, it is not designed for searching for text in
documents stored in Amazon S32.
Amazon Polly is a text-to-speech service that turns text into lifelike speech. It can create
audio versions of books, articles, podcasts, and more. However, it is not designed for
searching for text in documents stored in Amazon S33.
Amazon Lex is a service for building conversational interfaces using voice and text. It
can create chatbots that can interact with users using natural language. However, it is
not designed for searching for text in documents stored in Amazon S3 4.
References:
• Amazon Kendra – Intelligent Search Service Powered by Machine Learning
• Amazon Rekognition – Video and Image - AWS
• Amazon Polly – Text-to-Speech Service - AWS
• Amazon Lex – Build Conversation Bots - AWS

QUESTION NO: 460

A company wants to migrate a database from an on-premises environment to

Amazon RDS.

After the migration is complete, which management task will the company still
be responsible for?

A. Hardware lifecycle management

B. Application optimization
 C. Server maintenance

D. Power, network, and cooling provisioning

Answer: B

Amazon RDS is a managed database service that handles most of the common
database administration tasks, such as hardware provisioning, server maintenance,
backup and recovery, patching, scaling, and replication. However, Amazon RDS does not
optimize the application that interacts with the database. The company is still
responsible for tuning the performance, security, and availability of the application
according to its business requirements and best practices 12.
References:
• What is Amazon Relational Database Service (Amazon RDS)?
• Perform common DBA tasks for Amazon RDS DB instances

QUESTION NO: 461

A company is assessing its AWS Business Support plan to determine if the plan
still meets the company's needs. The company is considering switching to
AWS Enterprise Support.

Which additional benefit will the company receive with AWS Enterprise
Support?

A. A full set of AWS Trusted Advisor checks

B. Phone, email, and chat access to cloud support engineers 24 hours a

day, 7 days a week

C. A designated technical account manager (TAM) to assist in monitoring

and optimization

D. A consultative review and architecture guidance for the company's

applications

Answer: C

AWS Enterprise Support provides customers with a designated technical account

manager (TAM) who is a single point of contact for all technical and operational issues.
The TAM provides consultative architectural and operational guidance delivered in the
context of the customer’s applications and use-cases to help them achieve the greatest
value from AWS. The TAM also helps customers with proactive services, such as
strategic business reviews, security improvement programs, guided Well-Architected
reviews, cost optimization workshops, and more1.
A full set of AWS Trusted Advisor checks is not an additional benefit of AWS Enterprise
Support, as it is also included in the AWS Business Support plan 2. AWS Trusted Advisor
is a tool that provides best practice recommendations for cost optimization,
performance, security, fault tolerance, and service limits.
Phone, email, and chat access to cloud support engineers 24 hours a day, 7 days a
week is not an additional benefit of AWS Enterprise Support, as it is also included in the
AWS Business Support plan2. Cloud support engineers can help customers with
technical issues, such as troubleshooting, configuration, usage, and service features.
A consultative review and architecture guidance for the company’s applications is not
an additional benefit of AWS Enterprise Support, as it is also included in the AWS
Business Support plan2. Customers can request a consultative review from a solutions
architect who will provide best practices and recommendations based on the
customer’s use-cases and goals.

QUESTION NO: 462

Which AWS service converts text to lifelike voices?

A. Amazon Transcribe

B. Amazon Rekognition

C. Amazon Polly

D. Amazon Textract

Answer: C

Amazon Polly is a service that turns text into lifelike speech, allowing you to create
applications that talk, and build entirely new categories of speech-enabled
products. Polly’s Text-to-Speech (TTS) service uses advanced deep learning
technologies to synthesize natural sounding human speech1. Amazon Polly supports
dozens of languages and a wide range of natural-sounding voices. You can customize
and control the speech output by using lexicons and SSML tags. You can also store and
redistribute the speech output in standard audio formats like MP3 and OGG 2.
Amazon Transcribe is a service that converts speech to text, enabling you to create text
transcripts from audio or video files. It can recognize multiple speakers, different
languages, accents, dialects, and background noises. It can also add punctuation and
formatting to the transcripts. Amazon Transcribe is useful for applications such as
subtitling, captioning, transcription, and voice search.
Amazon Rekognition is a service that provides image and video analysis using
computer vision and deep learning. It can detect objects, faces, text, scenes, activities,
and emotions in images and videos. It can also perform face recognition, face
comparison, face search, celebrity recognition, and facial analysis. Amazon Rekognition
is useful for applications such as security, social media, e-commerce, and media and
entertainment.
Amazon Textract is a service that extracts text and data from scanned documents
using optical character recognition (OCR) and machine learning. It can identify the
contents of fields in forms and tables, as well as the relationships between them. It can
also preserve the layout and structure of the original document. Amazon Textract is
useful for applications such as data entry, document management, compliance, and
analytics.
References:
• Text to Speech Software – Amazon Polly – Amazon Web Services
• What is Text to Speech – Amazon Web Services (AWS)
• AWS Amazon Polly - Text to Speech Converter - CodeCanyon
• Amazon’s Text-To-Speech AI Service Sounds More Natural And … - Forbes
• Working with AWS Amazon Polly Text-to-Speech (TTS) Service
• [Automatic Speech Recognition - Amazon Transcribe - AWS]
• [Amazon Rekognition – Video and Image - AWS]
• [Extract Text & Data - OCR - Amazon Textract - AWS]

QUESTION NO: 463

A company wants to monitor its workload performance. The company wants to

ensure that the cloud services are delivered at a level that meets its
business needs.

Which AWS Cloud Adoption Framework (AWS CAF) perspective will meet these
requirements?
 A. Business

B. Governance

C. Platform

D. Operations

Answer: D

The Operations perspective helps you monitor and manage your cloud workloads to
ensure that they are delivered at a level that meets your business needs. Common
stakeholders include chief operations officer (COO), cloud director, cloud operations
manager, and cloud operations engineers1. The Operations perspective covers
capabilities such as workload health monitoring, incident management, change
management, release management, configuration management, and disaster recovery 2.
The Business perspective helps ensure that your cloud investments accelerate your
digital transformation ambitions and business outcomes. Common stakeholders
include chief executive officer (CEO), chief financial officer (CFO), chief information
officer (CIO), and chief technology officer (CTO). The Business perspective covers
capabilities such as business case development, value realization, portfolio
management, and stakeholder management3.
The Governance perspective helps you orchestrate your cloud initiatives while
maximizing organizational benefits and minimizing transformation-related risks.
Common stakeholders include chief transformation officer, CIO, CTO, CFO, chief data
officer (CDO), and chief risk officer (CRO). The Governance perspective covers
capabilities such as governance framework, budget and cost management, compliance
management, and data governance4.
The Platform perspective helps you build an enterprise-grade, scalable, hybrid cloud
platform, modernize existing workloads, and implement new cloud-native solutions.
Common stakeholders include CTO, technology leaders, architects, and engineers. The
Platform perspective covers capabilities such as platform design and implementation,
workload migration and modernization, cloud-native development, and DevOps5.
References:
• AWS Cloud Adoption Framework: Operations Perspective
• AWS Cloud Adoption Framework - Operations Perspective
• AWS Cloud Adoption Framework: Business Perspective
• AWS Cloud Adoption Framework: Governance Perspective
• AWS Cloud Adoption Framework: Platform Perspective
QUESTION NO: 464

A company wants a list of all users in its AWS account, the status of all of
the users' access keys, and if multi-factor authentication (MFA) has been
configured.

Which AWS service or feature will meet these requirements?

A. AWS Key Management Service (AWS KMS)

B. IAM Access Analyzer

C. IAM credential report

D. Amazon CloudWatch

Answer: C

IAM credential report is a feature that allows you to generate and download a report
that lists all IAM users in your AWS account and the status of their various credentials,
including access keys and MFA devices. You can use this report to audit the security
status of your IAM users and ensure that they follow the best practices for using AWS 1.
AWS Key Management Service (AWS KMS) is a service that allows you to create and
manage encryption keys to protect your data. It does not provide information about IAM
users or their credentials2.
IAM Access Analyzer is a feature that helps you identify the resources in your AWS
account, such as S3 buckets or IAM roles, that are shared with an external entity. It does
not provide information about IAM users or their credentials 3.
Amazon CloudWatch is a service that monitors and collects metrics, logs, and events
from your AWS resources and applications. It does not provide information about IAM
users or their credentials4.
References:
• Getting credential reports for your AWS account - AWS Identity and Access Management
• AWS Key Management Service - Amazon Web Services
• IAM Access Analyzer - AWS Identity and Access Management
• Amazon CloudWatch - Amazon Web Services
QUESTION NO: 465

A company wants to make an upfront commitment for continued use of its

production Amazon EC2 instances in exchange for a reduced overall cost.

Which pricing options meet these requirements with the LOWEST cost? (Select
TWO.)

A. Spot Instances

B. On-Demand Instances

C. Reserved Instances

D. Savings Plans

E. Dedicated Hosts

Answer: CD

Reserved Instances (RIs) are a pricing model that allows you to reserve EC2 instances
for a specified period of time (one or three years) and receive a significant discount
compared to On-Demand pricing. RIs are suitable for workloads that have predictable
usage patterns and require a long-term commitment. You can choose between three
payment options: All Upfront, Partial Upfront, or No Upfront. The more you pay upfront,
the greater the discount1.
Savings Plans are a flexible pricing model that can help you reduce your EC2 costs by
up to 72% compared to On-Demand pricing, in exchange for a commitment to a
consistent amount of usage (measured in $/hour) for a one or three year term. Savings
Plans apply to usage across EC2, AWS Lambda, and AWS Fargate. You can choose
between two types of Savings Plans: Compute Savings Plans and EC2 Instance Savings
Plans. Compute Savings Plans offer the most flexibility and apply to any instance
family, size, OS, tenancy, or region. EC2 Instance Savings Plans offer the highest
discount and apply to a specific instance family within a region 2.
Spot Instances are a pricing model that allows you to bid for unused EC2 capacity in the
AWS cloud and are available at a discount of up to 90% compared to On-Demand
pricing. Spot Instances are suitable for fault-tolerant or stateless workloads that can run
on heterogeneous hardware and have flexible start and end times. However, Spot
Instances are not guaranteed and can be interrupted by AWS at any time if the demand
for capacity increases or your bid price is lower than the current Spot price3.
On-Demand Instances are a pricing model that allows you to pay for compute capacity
by the hour or second with no long-term commitments. On-Demand Instances are
suitable for short-term, spiky, or unpredictable workloads that cannot be interrupted, or
for applications that are being developed or tested on EC2 for the first time. However,
On-Demand Instances are the most expensive option among the four pricing models 4.
Dedicated Hosts are physical EC2 servers fully dedicated for your use. Dedicated Hosts
can help you reduce costs by allowing you to use your existing server-bound software
licenses, such as Windows Server, SQL Server, and SUSE Linux Enterprise Server.
Dedicated Hosts can be purchased On-Demand or as part of Savings Plans. Dedicated
Hosts are suitable for workloads that need to run on dedicated physical servers or have
strict licensing requirements. However, Dedicated Hosts are not the lowest cost option
among the four pricing models.

QUESTION NO: 466

A company wants an AWS service to provide product recommendations based on

its customer data.

Which AWS service will meet this requirement?

A. Amazon Polly

B. Amazon Personalize

C. Amazon Comprehend

D. Amazon Rekognition

Answer: B

Amazon Personalize is an AWS service that helps developers quickly build and
deploy a custom recommendation engine with real-time personalization and user
segmentation1. It uses machine learning (ML) to analyze customer data and provide
relevant recommendations based on their preferences, behavior, and context. Amazon
Personalize can be used for various use cases such as optimizing recommendations,
targeting customers more accurately, maximizing the value of unstructured text, and
promoting items using business rules1.
The other options are not suitable for providing product recommendations based on
customer data. Amazon Polly is a service that converts text into lifelike speech.
Amazon Comprehend is a service that uses natural language processing (NLP) to
extract insights from text and documents. Amazon Rekognition is a service that uses
computer vision (CV) to analyze images and videos for faces, objects, scenes, and
activities.
References:
• 1: Cloud Products - Amazon Web Services (AWS)
• 2: Recommender System – Amazon Personalize – Amazon Web Services
• 3: Top 25 AWS Services List 2023 - GeeksforGeeks
• 4: AWS to Azure services comparison - Azure Architecture Center
• 5: The 25+ Best AWS Cost Optimization Tools (Updated 2023) - CloudZero
• 6: Amazon Polly – Text-to-Speech Service - AWS
• 7: Natural Language Processing - Amazon Comprehend - AWS
• 8: Image and Video Analysis - Amazon Rekognition - AWS

QUESTION NO: 467

A company wants to launch multiple workloads on AWS. Each workload is related

to a different business unit. The company wants to separate and track costs
for each business unit.

Which solution will meet these requirements with the LEAST operational
overhead?

A. Use AWS Organizations and create one account for each business unit.

B. Use a spreadsheet to control the owners and cost of each resource.

C. Use an Amazon DynamoDB table to record costs for each business unit.

D. Use the AWS Billing console to assign owners to resources and track
costs.

Answer: A

AWS Organizations is a service that helps you centrally manage and govern your AWS
environment. You can use AWS Organizations to create multiple accounts for different
business units, and group them into organizational units (OUs) that reflect your
organizational structure1. By doing so, you can separate and track costs for each
business unit using the account ID as a cost allocation tag2. You can also use AWS
Organizations to apply policies and controls to your accounts, such as service control
policies (SCPs) and tag policies1.
The other options are not suitable for meeting the requirements with the least
operational overhead. Using a spreadsheet or a DynamoDB table to control and record
costs for each business unit would require manual data entry and maintenance, which
is prone to errors and inconsistencies. Using the AWS Billing console to assign owners
to resources and track costs would also require manual tagging of each resource, which
is time-consuming and inefficient.
References:
• 1: What Is AWS Organizations? - AWS Organizations
• 2: Cost Tagging and Reporting with AWS Organizations | AWS Cloud Financial
Management

QUESTION NO: 468

A company wants a time-series database service that makes it easier to store

and analyze trillions of events each day.

Which AWS service will meet this requirement?

A. Amazon Neptune

B. Amazon Timestream

C. Amazon Forecast

D. Amazon DocumentDB (with MongoDB compatibility)

Answer: B

Amazon Timestream is a fast, scalable, and serverless time-series database service for
IoT and other operational applications that makes it easy to store and analyze trillions
of events per day up to 1,000 times faster and at as little as 1/10th the cost of relational
databases1. Amazon Timestream saves you time and cost in managing the lifecycle of
time series data, and its purpose-built query engine lets you access and analyze recent
and historical data together with a single query1. Amazon Timestream has built-in time
series analytics functions, helping you identify trends and patterns in near real time 1.
The other options are not suitable for storing and analyzing trillions of events per day.
Amazon Neptune is a graph database service that supports highly connected data sets.
Amazon Forecast is a machine learning service that generates accurate forecasts
based on historical data. Amazon DocumentDB (with MongoDB compatibility) is a
document database service that supports MongoDB workloads.
References:
 • 1: Time Series Database – Amazon Timestream – Amazon Web Services

QUESTION NO: 469

Which AWS services are supported by Savings Plans? (Select TWO.)

A. Amazon EC2

B. Amazon RDS

C. Amazon SageMaker

D. Amazon Redshift

E. Amazon DynamoDB

Answer: AC

The AWS services that are supported by Savings Plans are:

• Amazon EC2: Amazon EC2 is a service that provides scalable computing capacity in the
AWS cloud. You can use Amazon EC2 to launch virtual servers, configure security and
networking, and manage storage. Amazon EC2 is eligible for both Compute Savings
Plans and EC2 Instance Savings Plans12.
• Amazon SageMaker: Amazon SageMaker is a service that helps you build and deploy
machine learning models. You can use Amazon SageMaker to access Jupyter
notebooks, use common machine learning algorithms, train and tune models, and
deploy them to a hosted environment. Amazon SageMaker is eligible for SageMaker
Savings Plans13.
The other options are not supported by Savings Plans. Amazon RDS, Amazon Redshift,
and Amazon DynamoDB are database services that are eligible for Reserved Instances,
but not Savings Plans4.

QUESTION NO: 470

Which AWS service provides a single location to track the progress of

application migrations?
 A. AWS Application Discovery Service

B. AWS Application Migration Service

C. AWS Service Catalog

D. AWS Migration Hub

Answer: D

AWS Migration Hub is a service that provides a single location to track the progress of
application migrations across multiple AWS and partner solutions. It allows you to
choose the AWS and partner migration tools that best fit your needs, while providing
visibility into the status of migrations across your portfolio of applications 1. AWS
Migration Hub supports migration status updates from the following tools: AWS
Application Migration Service, AWS Database Migration Service, CloudEndure Migration,
Server Migration Service, and Migrate for Compute Engine1.
The other options are not correct for the following reasons:
• AWS Application Discovery Service is a service that helps you plan your migration
projects by automatically identifying servers, applications, and dependencies in your on-
premises data centers2. It does not track the progress of application migrations, but
rather provides information to help you plan and scope your migrations.
• AWS Application Migration Service is a service that helps you migrate and modernize
applications from any source infrastructure to AWS with minimal downtime and
disruption3. It is one of the migration tools that can send status updates to AWS
Migration Hub, but it is not the service that provides a single location to track the
progress of application migrations.
• AWS Service Catalog is a service that allows you to create and manage catalogs of IT
services that are approved for use on AWS4. It does not track the progress of application
migrations, but rather helps you manage the provisioning and governance of your IT
services.

References:
• 1: What Is AWS Migration Hub? - AWS Migration Hub
• 2: What Is AWS Application Discovery Service? - AWS Application Discovery Service
• 3: App Migration Tool - AWS Application Migration Service - AWS
• 4: What Is AWS Service Catalog? - AWS Service Catalog

QUESTION NO: 471

Which capabilities are in the platform perspective of the AWS Cloud Adoption
Framework (AWS CAF)? (Select TWO.)
 A. Performance and capacity management

B. Data engineering

C. Continuous integration and continuous delivery (CI/CD)

D. Infrastructure protection

E. Change and release management

Answer: BC

The platform perspective of the AWS Cloud Adoption Framework (AWS CAF) helps you
build an enterprise-grade, scalable, hybrid cloud platform, modernize existing
workloads, and implement new cloud-native solutions1. It comprises seven capabilities,
two of which are data engineering and CI/CD1.
• Data engineering: This capability helps you design and evolve a fit-for-purpose data and
analytics architecture that can reduce complexity, cost, and technical debt while
enabling you to gain actionable insights from exponentially growing data volumes 1. It
involves selecting key technologies for each of your architectural layers, such as
ingestion, storage, catalog, processing, and consumption. It also involves supporting
real-time data processing and adopting a Lake House architecture to facilitate data
movements between data lakes and purpose-built data stores1.
• CI/CD: This capability helps you automate the delivery of your cloud solutions using a
set of practices and tools that enable faster and more reliable deployments 1. It involves
establishing a pipeline that can build, test, and deploy your code across multiple
environments. It also involves adopting a DevOps culture that fosters collaboration,
feedback, and continuous improvement among your development and operations
teams1.

References:
• 1: Platform perspective: infrastructure and applications - An Overview of the AWS Cloud
Adoption Framework

QUESTION NO: 472

A company hosts a large amount of data in AWS. The company wants to identify
if any of the data should be considered sensitive.

Which AWS service will meet the requirement?

 A. Amazon Inspector

B. Amazon Macie

C. AWS Identity and Access Management (IAM)

D. Amazon CloudWatch

Answer: B

Amazon Macie is a fully managed service that uses machine learning and pattern
matching to help you detect, classify, and better protect your sensitive data stored in the
AWS Cloud1. Macie can automatically discover and scan your Amazon S3 buckets for
sensitive data such as personally identifiable information (PII), financial information,
healthcare information, intellectual property, and credentials 1. Macie also provides you
with a dashboard that shows the type, location, and volume of sensitive data in your
AWS environment, as well as alerts and findings on potential security issues 1.
The other options are not suitable for identifying sensitive data in AWS. Amazon
Inspector is a service that helps you find security vulnerabilities and deviations from
best practices in your Amazon EC2 instances2. AWS Identity and Access Management
(IAM) is a service that helps you manage access to your AWS resources by creating
users, groups, roles, and policies3. Amazon CloudWatch is a service that helps you
monitor and troubleshoot your AWS resources and applications by collecting metrics,
logs, events, and alarms4.
References:
• 1: What Is Amazon Macie? - Amazon Macie
• 2: What Is Amazon Inspector? - Amazon Inspector
• 3: What Is IAM? - AWS Identity and Access Management
• 4: What Is Amazon CloudWatch? - Amazon CloudWatch

QUESTION NO: 473

Which options are AWS Cloud Adoption Framework (AWS CAF) people perspective
capabilities? (Select TWO.)

A. Organizational alignment

B. Portfolio management

C. Organization design

D. Risk management

E. Modern application development

Answer: AC

The AWS Cloud Adoption Framework (AWS CAF) people perspective capabilities
are the organizational skills and processes that enable effective cloud adoption.
According to the AWS CAF people perspective whitepaper1, there are seven
capabilities in this perspective, two of which are:
• Organizational alignment: This capability helps you align your organizational
structure, roles, and responsibilities to support your cloud transformation
goals and objectives. It involves assessing your current and desired state of
alignment, identifying gaps and misalignments, and designing and
implementing changes to optimize your cloud performance1.
• Organization design: This capability helps you design and evolve your
organization to enable agility, innovation, and collaboration in the cloud. It
involves defining your cloud operating model, identifying the skills and
competencies needed for cloud roles, and creating career paths and
development plans for your cloud workforce1.
The other options are not capabilities in the AWS CAF people perspective. Portfolio
management, risk management, and modern application development are capabilities
in the AWS CAF business perspective, governance perspective, and platform
perspective respectively2.
References:
• 1: AWS Cloud Adoption Framework: People Perspective - AWS Cloud Adoption
Framework: People Perspective
• 2: AWS Cloud Adoption Framework - AWS Cloud Adoption Framework

QUESTION NO: 474

Which Amazon EC2 instance pricing model can provide discounts of up to 90%?

A. Reserved Instances

B. On-Demand

C. Dedicated Hosts

D. Spot Instances
Answer: D

Spot Instances are Amazon EC2 instances that are available at a discounted price compared to
On-Demand pricing. Spot Instances use spare EC2 capacity that is not being used by other
customers, and the price fluctuates based on supply and demand. Customers can request Spot
Instances for their applications and specify the maximum price they are willing to pay per hour.
If the Spot price is lower than the customer’s bid, the Spot Instance is launched and the
customer pays the current Spot price. However, if the Spot price rises above the customer’s bid,
the Spot Instance is terminated by AWS and the customer is charged for the partial hour of
usage. Therefore, Spot Instances can provide discounts of up to 90% or more, but they are not
suitable for applications that require continuous or predictable availability. Spot Instances are
recommended for applications that are flexible, fault-tolerant, or have low priority, such as batch
processing, data analysis, or testing and development.

QUESTION NO: 475

A company must be able to develop, test, and launch an application in the AWS Cloud quickly.

Which advantage of cloud computing will meet these requirements?

A. Stop guessing capacity

B. Trade fixed expense for variable expense

C. Achieve economies of scale

D. Increase speed and agility

Answer: D

One of the benefits of cloud computing is that it enables customers to increase speed and
agility in developing, testing, and launching applications. Cloud computing provides on-demand
access to a variety of IT resources, such as compute, storage, networking, databases, and
analytics, without requiring upfront investments or long-term commitments. Customers can
provision and release resources in minutes, scale up and down as needed, and experiment with
new technologies and features. This allows customers to accelerate their innovation cycles,
deliver faster time-to-market, and respond to changing customer needs and demands

QUESTION NO: 476

A company has teams that have different job roles and responsibilities. The company's employees often
change teams. The company needs to manage permissions for the employees so that the permissions
are appropriate for the job responsibilities.

Which IAM resource should the company use to meet this requirement with the LEAST operational
overhead?
A. IAM user groups

B. IAM roles

C. IAM instance profiles

D. IAM policies for individual users

Answer: B

IAM roles are a way of granting temporary permissions to entities that need to access AWS
resources, such as users, applications, or services. IAM roles allow customers to assign
permissions to entities without having to create or manage IAM users or credentials for them.
IAM roles can be assumed by different entities depending on the trust policy attached to the
role. For example, IAM roles can be assumed by IAM users in the same or different AWS
accounts, AWS services such as EC2 or Lambda, or external identities such as federated users
or web identities. IAM roles can also be switched by IAM users to temporarily change their
permissions. IAM roles are recommended for managing permissions for employees who often
change teams, because they allow customers to define permissions based on job roles and
responsibilities, and easily assign or revoke them as needed. IAM roles also reduce the
operational overhead of creating, updating, or deleting IAM users or credentials for each
employee or team change.

QUESTION NO: 477

A company is storing sensitive customer data in an Amazon S3 bucket. The company wants to protect
the data from accidental deletion or overwriting.

Which S3 feature should the company use to meet these requirements?

A. S3 Lifecycle rules

B. S3 Versioning

C. S3 bucket policies

D. S3 server-side encryption

Answer: B

S3 Versioning is a feature that allows you to keep multiple versions of an object in the same
bucket. You can use S3 Versioning to protect your data from accidental deletion or overwriting
by enabling it on a bucket or a specific object. S3 Versioning also allows you to restore previous
versions of an object if needed. S3 Lifecycle rules are used to automate the transition of objects
between storage classes or to expire objects after a certain period of time. S3 bucket policies
are used to control access to the objects in a bucket. S3 server-side encryption is used to
encrypt the data at rest in S3. References: S3 Versioning, S3 Lifecycle rules, S3 bucket
policies, S3 server-side encryption

QUESTION NO: 478

A company plans to migrate to the AWS Cloud. The company is gathering information about its on-
premises infrastructure and requires information such as the hostname, IP address, and MAC address.

Which AWS service will meet these requirements?

A. AWS DataSync

B. AWS Application Migration Service

C. AWS Application Discovery Service

D. AWS Database Migration Service (AWS DMS)

Answer: C

AWS Application Discovery Service is a service that helps you plan your migration to the AWS
Cloud by collecting usage and configuration data about your on-premises servers and
databases. This data includes information such as the hostname, IP address, and MAC address
of each server, as well as the performance metrics, network connections, and processes
running on them. You can use AWS Application Discovery Service to discover your on-premises
inventory, map the dependencies between servers and applications, and estimate the cost and
effort of migrating to AWS. You can also export the data to other AWS services, such as AWS
Migration Hub and AWS Database Migration Service, to support your migration tasks. AWS
Application Discovery Service offers two ways of performing discovery: agentless discovery and
agent-based discovery. Agentless discovery uses a virtual appliance that you deploy on your
VMware vCenter to collect data from your virtual machines and hosts. Agent-based discovery
uses an agent that you install on each of your physical or virtual servers to collect data. You can
choose the method that best suits your environment and needs. AWS DataSync is a service that
helps you transfer data between your on-premises storage and AWS storage services, such as
Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. AWS DataSync does not
collect information about your on-premises infrastructure, but rather focuses on optimizing the
data transfer speed, security, and reliability. AWS Application Migration Service is a service that
helps you migrate your applications from your on-premises or cloud environment to AWS
without making any changes to the applications, their architecture, or the migrated servers.
AWS Application Migration Service does not collect information about your on-premises
infrastructure, but rather uses a lightweight agent to replicate your servers as Amazon Machine
Images (AMIs) and launch them as EC2 instances on AWS. AWS Database Migration Service is
a service that helps you migrate your databases from your on-premises or cloud environment to
AWS, either as a one-time migration or as a continuous replication. AWS Database Migration
Service does not collect information about your on-premises infrastructure, but rather uses a
source and a target endpoint to connect to your databases and transfer the
data. References: AWS Application Discovery Service, AWS DataSync, AWS Application
Migration Service, [AWS Database Migration Service]

QUESTION NO: 479

Which of the following is a software development framework that a company can use to define cloud
resources as code and provision the resources through AWS CloudFormation?

A. AWS CLI

B. AWS Developer Center

C. AWS Cloud Development Kit (AWS CDK)

D. AWS CodeStar

Answer: C

AWS Cloud Development Kit (AWS CDK) is a software development framework that allows you
to define cloud resources as code using familiar programming languages, such as TypeScript,
Python, Java, .NET, and Go (in Developer Preview). You can use AWS CDK to model your
application resources using high-level constructs that provide sensible defaults and best
practices, or use low-level constructs that provide full access to the underlying AWS
CloudFormation resources. AWS CDK synthesizes your code into AWS CloudFormation
templates that you can deploy using the AWS CDK CLI or the AWS Management Console. AWS
CDK also integrates with other AWS services, such as AWS CodeCommit, AWS CodeBuild, AWS
CodePipeline, AWS Lambda, Amazon EC2, Amazon S3, and more, to help you automate your
development and deployment processes. AWS CDK is an open-source framework that you can
extend and contribute to. References: Cloud Development Framework - AWS Cloud
Development Kit - AWS, AWS Cloud Development Kit Documentation, AWS Cloud Development
Kit - Wikipedia, AWS CDK Intro Workshop | AWS CDK Workshop

QUESTION NO: 480

Which AWS Cloud Adoption Framework (AWS CAF) capability belongs to the people perspective?

A. Data architecture

B. Event management

C. Cloud fluency

D. Strategic partnership
Answer: C

Cloud fluency is a capability that belongs to the people perspective of the AWS Cloud Adoption
Framework (AWS CAF). Cloud fluency is the ability of the workforce to understand the benefits,
challenges, and best practices of cloud computing, and to apply them to their roles and
responsibilities. Cloud fluency helps the organization to adopt a cloud mindset, culture, and
skills, and to leverage the full potential of the cloud. Cloud fluency can be achieved through
various methods, such as training, certification, mentoring, coaching, and hands-on experience.
Cloud fluency is one of the four capabilities of the people perspective, along with culture,
organizational structure, and leadership. The other three capabilities belong to different
perspectives of the AWS CAF. Data architecture is a capability of the platform perspective,
which helps you design and implement data solutions that meet your business and technical
requirements. Event management is a capability of the operations perspective, which helps you
monitor and respond to events that affect the availability, performance, and security of your
cloud resources. Strategic partnership is a capability of the business perspective, which helps
you establish and maintain relationships with external stakeholders, such as customers,
partners, suppliers, and regulators, to create value and achieve your business
goals. References: AWS Cloud Adoption Framework: People Perspective, AWS CAF - Cloud
Adoption Framework - W3Schools

QUESTION NO: 481

A company is building an application that needs to deliver images and videos globally with minimal
latency.

Which approach can the company use to accomplish this in a cost effective manner?

A. Deliver the content through Amazon CloudFront.

B. Store the content on Amazon S3 and enable S3 cross-region replication.

C. Implement a VPN across multiple AWS Regions.

D. Deliver the content through AWS PrivateLink.

Answer: A

Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data,
videos, applications, and APIs to customers globally with low latency, high transfer speeds, all
within a developer-friendly environment. It works seamlessly with services including AWS Shield
for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your
applications, and Lambda@Edge to run custom code closer to customers’ users and to
customize the user experience. By using CloudFront, you can cache your content at the edge
locations that are closest to your end users, reducing the network latency and improving the
performance of your application. CloudFront also offers a pay-as-you-go pricing model, so you
only pay for the data transfer and requests that you use.

QUESTION NO: 482

A company has a centralized group of users with large file storage requirements that have exceeded the
space available on premises. The company wants to extend its file storage capabilities for this group
while retaining the performance benefit of sharing content locally.

What is the MOST operationally efficient AWS solution for this scenario?

A. Create an Amazon S3 bucket for each user. Mount each bucket by using an S3 file system mounting
utility.

B. Configure and deploy an AWS Storage Gateway file gateway. Connect each user's workstation to the
file gateway.

C. Move each user's working environment to Amazon Workspaces. Set up an Amazon WorkDocs account
for each user.

D. Deploy an Amazon EC2 instance and attach an Amazon Elastic Block Store (Amazon EBS) Provisioned
IOPS volume. Share the EBS volume directly with the users.

Answer: B

AWS Storage Gateway is a hybrid cloud storage service that allows you to extend your on-
premises file storage capabilities to the AWS Cloud. AWS Storage Gateway file gateway enables
you to store and access your files in Amazon S3 using industry-standard file protocols such as
NFS and SMB. File gateway caches frequently accessed files locally, providing low-latency
access to your data. File gateway also optimizes the transfer of data between your on-premises
environment and AWS, minimizing the amount of bandwidth consumed. By using file gateway,
you can retain the performance benefit of sharing content locally while leveraging the
scalability, durability, and cost-effectiveness of Amazon S3. References: AWS Storage
Gateway, File Gateway

QUESTION NO: 483

A company is running and managing its own Docker environment on Amazon EC2 instances. The
company wants an alternative to help manage cluster size, scheduling, and environment maintenance.

Which AWS service meets these requirements?

A. AWS Lambda

B. Amazon RDS
C. AWS Fargate

D. Amazon Athena

Answer: C

AWS Fargate is a serverless compute engine for containers that works with both Amazon
Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS).
AWS Fargate allows you to run containers without having to manage servers or clusters of
Amazon EC2 instances. With AWS Fargate, you only pay for the compute resources you use to
run your containers, and you don’t need to worry about scaling, patching, securing, or
maintaining the underlying infrastructure. AWS Fargate simplifies the deployment and
management of containerized applications, and enables you to focus on building and running
your applications instead of managing the infrastructure. References: AWS Fargate, What is
AWS Fargate?

QUESTION NO: 484

What does the concept of agility mean in AWS Cloud computing? (Select TWO.)

A. The speed at which AWS resources are implemented

B. The speed at which AWS creates new AWS Regions

C. The ability to experiment quickly

D. The elimination of wasted capacity

E. The low cost of entry into cloud computing

Answer: AC

Agility in AWS Cloud computing means the ability to rapidly provision and deprovision
AWS resources as needed, and the ability to experiment quickly with new ideas and
solutions. Agility helps businesses to respond to changing customer demands, market
opportunities, and competitive threats, and to innovate faster and cheaper. Agility also
reduces the risk of failure, as businesses can test and validate their assumptions before
committing to large-scale deployments. Some of the benefits of agility in AWS Cloud
computing are:
• The speed at which AWS resources are implemented: AWS provides a variety of services
and tools that allow you to create, configure, and launch AWS resources in minutes,
using the AWS Management Console, the AWS Command Line Interface (AWS CLI), the
AWS Software Development Kits (AWS SDKs), or the AWS CloudFormation templates.
You can also use the AWS Cloud Development Kit (AWS CDK) to define your AWS
resources as code using familiar programming languages, and synthesize them into
AWS CloudFormation templates. You can also use the AWS Service Catalog to create
and manage standardized portfolios of AWS resources that meet your organizational
policies and best practices. AWS also offers on-demand, pay-as-you-go pricing models,
 so you only pay for the resources you use, and you can scale them up or down as your
needs change12345
• The ability to experiment quickly: AWS enables you to experiment quickly with new ideas
and solutions, without having to invest in upfront capital or long-term commitments. You
can use AWS to create and test multiple prototypes, hypotheses, and minimum viable
products (MVPs) in parallel, and measure their performance and feedback. You can also
use AWS to leverage existing services and solutions, such as AWS Marketplace, AWS
Solutions, and AWS Quick Starts, that can help you accelerate your innovation process.
AWS also supports a culture of experimentation and learning, by providing tools and
resources for continuous integration and delivery (CI/CD), testing, monitoring, and
analytics.

References: Six advantages of cloud computing - Overview of Amazon Web Services, AWS
Cloud Development Kit (AWS CDK), AWS Service Catalog, AWS Pricing, AWS
CloudFormation, [Experimentation and Testing - AWS Well-Architected Framework],
[AWS Marketplace], [AWS Solutions], [AWS Quick Starts], [AWS Developer Tools]

QUESTION NO: 485

What can a cloud practitioner use to retrieve AWS security and compliance documents and submit them
as evidence to an auditor or regulator?

A. AWS Certificate Manager

B. AWS Systems Manager

C. AWS Artifact

D. Amazon Inspector

Answer: C

AWS Artifact is a service that provides on-demand access to AWS security and compliance
documents, such as AWS ISO certifications, Payment Card Industry (PCI) reports, and Service
Organization Control (SOC) reports. You can download these documents and submit them as
evidence to your auditors or regulators to demonstrate the security and compliance of the AWS
infrastructure and services that you use. AWS Artifact also allows you to review, accept, and
manage AWS agreements, such as the Business Associate Addendum (BAA) for customers
who are subject to the Health Insurance Portability and Accountability Act
(HIPAA). References: AWS Artifact, What is AWS Artifact?

QUESTION NO: 486

A company wants to integrate its online shopping website with social media login credentials.

Which AWS service can the company use to make this integration?
A. AWS Directory Service

B. AWS Identity and Access Management (IAM)

C. Amazon Cognito

D. AWS IAM Identity Center (AWS Single Sign-On)

Answer: C

Amazon Cognito is a service that enables you to add user sign-up and sign-in features to your
web and mobile applications. Amazon Cognito also supports social and enterprise identity
federation, which means you can allow your users to sign in with their existing credentials from
identity providers such as Google, Facebook, Apple, and Amazon. Amazon Cognito integrates
with OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) 2.0 protocols to
facilitate the authentication and authorization process. Amazon Cognito also provides
advanced security features, such as adaptive authentication, user verification, and multi-factor
authentication (MFA). References: Amazon Cognito, What is Amazon Cognito?

QUESTION NO: 487

Which of the following is a fully managed MySQL-compatible database?

A. Amazon S3

B. Amazon DynamoDB

C. Amazon Redshift

D. Amazon Aurora

Answer: D

Amazon Aurora is a fully managed MySQL-compatible database that combines the

performance and availability of traditional enterprise databases with the simplicity and
cost-effectiveness of open-source databases. Amazon Aurora is part of the Amazon
Relational Database Service (Amazon RDS) family, which means it inherits the benefits
of a fully managed service, such as automated backups, patches, scaling, monitoring,
and security. Amazon Aurora also offers up to five times the throughput of standard
MySQL, as well as high availability, durability, and fault tolerance with up to 15 read
replicas, cross-Region replication, and self-healing storage. Amazon Aurora is
compatible with the latest versions of MySQL, as well as PostgreSQL, and supports
various features and integrations that enhance its functionality and usability 123
References: Amazon Aurora, Amazon RDS, AWS — Amazon Aurora Overview

QUESTION NO: 488

A customer runs an On-Demand Amazon Linux EC2 instance for 3 hours, 5 minutes, and 6 seconds.

For how much time will the customer be billed?

A. 3 hours, 5 minutes

B. 3 hours, 5 minutes, and 6 seconds

C. 3 hours, 6 minutes

D. 4 hours

Answer: C

Amazon EC2 usage is calculated by either the hour or the second based on the size of the
instance, operating system, and the AWS Region where the instances are launched. Pricing is
per instance-hour consumed for each instance, from the time an instance is launched until it’s
terminated or stopped. Each partial instance-hour consumed is billed per-second for Linux
instances and as a full hour for all other instance types 1. Therefore, the customer will be billed
for 3 hours and 6 minutes for running an On-Demand Amazon Linux EC2 instance for 3 hours, 5
minutes, and 6 seconds. References: Understand Amazon EC2 instance-hours billing

QUESTION NO: 489

Which AWS service supports a hybrid architecture that gives users the ability to extend AWS
infrastructure, AWS services, APIs, and tools to data centers, co-location environments, or on-premises
facilities?

A. AWS Snowmobile

B. AWS Local Zones

C. AWS Outposts

D. AWS Fargate

Answer: C

AWS Outposts is a service that delivers AWS infrastructure and services to virtually any on-
premises or edge location for a truly consistent hybrid experience. AWS Outposts allows you to
extend and run native AWS services on premises, and is available in a variety of form factors,
from 1U and 2U Outposts servers to 42U Outposts racks, and multiple rack deployments. With
AWS Outposts, you can run some AWS services locally and connect to a broad range of
services available in the local AWS Region. Run applications and workloads on premises using
familiar AWS services, tools, and APIs2. AWS Outposts is the only AWS service that supports a
hybrid architecture that gives users the ability to extend AWS infrastructure, AWS services, APIs,
and tools to data centers, co-location environments, or on-premises facilities. References: On-
Premises Infrastructure - AWS Outposts Family

QUESTION NO: 490

A company website is experiencing DDoS attacks.

Which AWS service can help protect the company website against these attacks?

A. AWS Resource Access Manager

B. AWS Amplify

C. AWS Shield

D. Amazon GuardDuty

Answer: C

AWS Shield is a managed DDoS protection service that safeguards applications running
on AWS from distributed denial of service (DDoS) attacks. DDoS attacks are malicious
attempts to disrupt the normal functioning of a website or application by overwhelming
it with a large volume of traffic from multiple sources. AWS Shield provides two tiers of
protection: Standard and Advanced. AWS Shield Standard is automatically enabled for
all AWS customers at no additional cost. It protects your AWS resources, such as
Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53, from the most
common and frequently occurring network and transport layer DDoS attacks. AWS
Shield Advanced is an optional paid service that provides additional protection for your
AWS resources and applications, such as Amazon Elastic Compute Cloud (Amazon
EC2), Elastic Load Balancing (ELB), Amazon Simple Storage Service (Amazon S3),
Amazon Relational Database Service (Amazon RDS), and AWS Elastic Beanstalk. AWS
Shield Advanced offers enhanced detection and mitigation capabilities, 24/7 access to
the AWS DDoS Response Team (DRT), real-time visibility and reporting, and cost
protection against DDoS-related spikes in your AWS bill12
References: AWS Shield, What is a DDOS Attack & How to Protect Your Site Against One

QUESTION NO: 491

A company wants a customized assessment of its current on-premises environment. The company
wants to understand its projected running costs in the AWS Cloud.

Which AWS service or tool will meet these requirements?

A. AWS Trusted Advisor

B. Amazon Inspector

C. AWS Control Tower

D. Migration Evaluator

Answer: D

Migration Evaluator is an AWS service that provides a customized assessment of your current
on-premises environment and helps you build a data-driven business case for migration to AWS.
Migration Evaluator collects and analyzes data from your on-premises servers, such as CPU,
memory, disk, network, and utilization metrics, and compares them with the most cost-effective
AWS alternatives. Migration Evaluator also helps you understand your existing software
licenses and running costs, and provides recommendations for Bring Your Own License (BYOL)
and License Included (LI) options in AWS. Migration Evaluator generates a detailed report that
shows your projected running costs in the AWS Cloud, along with potential savings and
benefits. You can use this report to support your decision-making and planning for cloud
migration. References: Cloud Business Case & Migration Plan - Amazon Migration Evaluator -
AWS, Getting started with Migration Evaluator

QUESTION NO: 492

A company that has multiple business units wants to centrally manage and govern its AWS Cloud
environments. The company wants to automate the creation of AWS accounts, apply service control
policies (SCPs), and simplify billing processes.

Which AWS service or tool should the company use to meet these requirements?

A. AWS Organizations

B. Cost Explorer

C. AWS Budgets

D. AWS Trusted Advisor

Answer: A

AWS Organizations is an AWS service that enables you to centrally manage and govern your
AWS Cloud environments across multiple business units. AWS Organizations allows you to
create an organization that consists of AWS accounts that you create or invite to join. You can
group your accounts into organizational units (OUs) and apply service control policies (SCPs) to
them. SCPs are a type of policy that specify the maximum permissions for the accounts in your
organization, and can help you enforce compliance and security requirements. AWS
Organizations also simplifies billing processes by enabling you to consolidate and pay for all
member accounts with a single payment method. You can also use AWS Organizations to
automate the creation of AWS accounts by using APIs or AWS CloudFormation
templates. References: What is AWS Organizations?, Policy-Based Management - AWS
Organizations

QUESTION NO: 493

According to security best practices, how should an Amazon EC2 instance be given access to an Amazon
S3 bucket?

A. Hard code an IAM user's secret key and access key directly in the application, and upload the file.

B. Store the IAM user's secret key and access key in a text file on the EC2 instance, read the keys, then
upload the file.

C. Have the EC2 instance assume a role to obtain the privileges to upload the file.

D. Modify the S3 bucket policy so that any service can upload to it at any time.

Answer: C

According to security best practices, the best way to give an Amazon EC2 instance
access to an Amazon S3 bucket is to have the EC2 instance assume a role to obtain the
privileges to upload the file. A role is an AWS Identity and Access Management (IAM)
entity that defines a set of permissions for making AWS service requests. You can use
roles to delegate access to users, applications, or services that don’t normally have
access to your AWS resources. For example, you can create a role that allows EC2
instances to access S3 buckets, and then attach the role to the EC2 instance. This way,
the EC2 instance can assume the role and obtain temporary security credentials to
access the S3 bucket. This method is more secure and scalable than storing or
hardcoding IAM user credentials on the EC2 instance, as it avoids the risk of exposing
or compromising the credentials. It also allows you to manage the permissions centrally
and dynamically, and to audit the access using AWS CloudTrail. For more information
on how to create and use roles for EC2 instances, see Using an IAM role to grant
permissions to applications running on Amazon EC2 instances 1
The other options are not recommended for security reasons. Hardcoding or storing
IAM user credentials on the EC2 instance is a bad practice, as it exposes the credentials
to potential attackers or unauthorized users who can access the instance or the
application code. It also makes it difficult to rotate or revoke the credentials, and to
track the usage of the credentials. Modifying the S3 bucket policy to allow any service
to upload to it at any time is also a bad practice, as it opens the bucket to potential data
breaches, data loss, or data corruption. It also violates the principle of least privilege,
which states that you should grant only the minimum permissions necessary for a task.
References: Using an IAM role to grant permissions to applications running on Amazon
EC2 instances

QUESTION NO: 494

What is the purpose of having an internet gateway within a VPC?

A. To create a VPN connection to the VPC

B. To allow communication between the VPC and the internet

C. To impose bandwidth constraints on internet traffic

D. To load balance traffic from the internet across Amazon EC2 instances

Answer: B

An internet gateway is a service that allows for internet traffic to enter into a VPC. Otherwise, a
VPC is completely segmented off and then the only way to get to it is potentially through a VPN
connection rather than through internet connection. An internet gateway is a logical connection
between an AWS VPC and the internet. It supports IPv4 and IPv6 traffic. It does not cause
availability risks or bandwidth constraints on your network traffic 1. An internet gateway enables
resources in your public subnets (such as EC2 instances) to connect to the internet if the
resource has a public IPv4 address or an IPv6 address. Similarly, resources on the internet can
initiate a connection to resources in your subnet using the public IPv4 address or IPv6 address 2.
An internet gateway also provides a target in your VPC route tables for internet-routable traffic.
For communication using IPv4, the internet gateway also performs network address translation
(NAT). For communication using IPv6, NAT is not needed because IPv6 addresses are
public2. To enable access to or from the internet for instances in a subnet in a VPC using an
internet gateway, you must create an internet gateway and attach it to your VPC, add a route to
your subnet’s route table that directs internet-bound traffic to the internet gateway, ensure that
instances in your subnet have a public IPv4 address or an IPv6 address, and ensure that your
network access control lists and security group rules allow the desired internet traffic to flow to
and from your instance2. References: Connect to the internet using an internet gateway, AWS
Internet Gateway and VPC Routing

QUESTION NO: 495

A company is hosting an application in the AWS Cloud. The company wants to verify that underlying
AWS services and general AWS infrastructure are operating normally.

Which combination of AWS services can the company use to gather the required information? (Select
TWO.)

A. AWS Personal Health Dashboard

B. AWS Systems Manager

C. AWS Trusted Advisor

D. AWS Service Health Dashboard

E. AWS Service Catalog

Answer: AD

AWS Personal Health Dashboard and AWS Service Health Dashboard are two AWS services
that can help the company to verify that underlying AWS services and general AWS
infrastructure are operating normally. AWS Personal Health Dashboard provides a personalized
view into the performance and availability of the AWS services you are using, as well as alerts
that are automatically triggered by changes in the health of those services. In addition to event-
based alerts, Personal Health Dashboard provides proactive notifications of scheduled
activities, such as any changes to the infrastructure powering your resources, enabling you to
better plan for events that may affect you. These notifications can be delivered to you via email
or mobile for quick visibility, and can always be viewed from within the AWS Management
Console. When you get an alert, it includes detailed information and guidance, enabling you to
take immediate action to address AWS events impacting your resources 3. AWS Service Health
Dashboard provides a general status of AWS services, and the Service health view displays the
current and historical status of all AWS services. This page shows reported service events for
services across AWS Regions. You don’t need to sign in or have an AWS account to access the
AWS Service Health Dashboard – Service health page. You can also subscribe to RSS feeds for
specific services or regions to receive notifications about service events 4. References: Getting
started with your AWS Health Dashboard – Your account health, Introducing AWS Personal
Health Dashboard

QUESTION NO: 496

A company needs to migrate a PostgreSQL database from on-premises to Amazon RDS.

Which AWS service or tool should the company use to meet this requirement?
A. Cloud Adoption Readiness Tool

B. AWS Migration Hub

C. AWS Database Migration Service (AWS DMS)

D. AWS Application Migration Service

Answer: C

AWS Database Migration Service (AWS DMS) is a managed and automated service that
helps you migrate your databases from your on-premises or cloud environment to AWS,
either as a one-time migration or as a continuous replication. AWS DMS supports
migration between 20-plus database and analytics engines, such as PostgreSQL, Oracle,
MySQL, SQL Server, MongoDB, Amazon Aurora, Amazon RDS, Amazon Redshift, and
Amazon S3. AWS DMS also provides schema conversion and validation tools, as well as
monitoring and security features. AWS DMS is a cost-effective and reliable solution for
database migration, as you only pay for the compute resources and additional log
storage used during the migration process, and you can minimize the downtime and
data loss with Multi-AZ and ongoing replication12
To migrate a PostgreSQL database from on-premises to Amazon RDS using AWS DMS,
you need to perform the following steps:
• Create an AWS DMS replication instance in the same AWS Region as your target
Amazon RDS PostgreSQL DB instance. The replication instance is a server that runs the
AWS DMS replication software and connects to your source and target endpoints. You
can choose the instance type, storage, and network settings based on your migration
requirements3
• Create a source endpoint that points to your on-premises PostgreSQL database. You
need to provide the connection details, such as the server name, port, database name,
user name, and password. You also need to specify the engine name as postgres and
the SSL mode as required4
• Create a target endpoint that points to your Amazon RDS PostgreSQL DB instance. You
need to provide the connection details, such as the server name, port, database name,
user name, and password. You also need to specify the engine name as postgres and
the SSL mode as verify-full.
• Create a migration task that defines the migration settings and options, such as the
replication instance, the source and target endpoints, the migration type (full load, full
load and change data capture, or change data capture only), the table mappings, the
task settings, and the task monitoring role. You can also use the AWS Schema
Conversion Tool (AWS SCT) to convert your source schema to the target schema and
apply it to the target endpoint before or after creating the migration task.
• Start the migration task and monitor its progress and status using the AWS DMS
console, the AWS CLI, or the AWS DMS API. You can also use AWS CloudFormation to
automate the creation and execution of the migration task.
The other options are not suitable for migrating a PostgreSQL database from on-
premises to Amazon RDS. Cloud Adoption Readiness Tool is a tool that helps you
assess your readiness for cloud adoption based on six dimensions: business, people,
process, platform, operations, and security. It does not perform any database migration
tasks. AWS Migration Hub is a service that helps you track and manage the progress of
your application migrations across multiple AWS and partner services, such as AWS
DMS, AWS Application Migration Service, AWS Server Migration Service, and
CloudEndure Migration. It does not perform any database migration tasks itself, but
rather integrates with other migration services. AWS Application Migration Service is a
service that helps you migrate your applications from your on-premises or cloud
environment to AWS without making any changes to the applications, their architecture,
or the migrated servers. It does not support database migration, but rather replicates
your servers as Amazon Machine Images (AMIs) and launches them as EC2 instances
on AWS.
References: AWS Database Migration Service, What is AWS Database Migration
Service?, Working with an AWS DMS replication instance, Creating source and target
endpoints for PostgreSQL, [Creating a target endpoint for Amazon RDS for PostgreSQL],
[Creating a migration task for AWS DMS], [AWS Schema Conversion Tool], [Starting a
migration task for AWS DMS], [AWS CloudFormation], [Cloud Adoption Readiness Tool],
[AWS Migration Hub], [AWS Application Migration Service]

QUESTION NO: 497

Which cloud concept is demonstrated by using AWS Compute Optimizer?

A. Security validation

B. Rightsizing

C. Elasticity

D. Global reach

Answer: B

Rightsizing is the cloud concept that is demonstrated by using AWS Compute Optimizer.
Rightsizing is the process of adjusting the type and size of your cloud resources to match the
optimal performance and cost for your workloads. AWS Compute Optimizer is a service that
analyzes the configuration and utilization metrics of your AWS resources, such as Amazon EC2
instances, Amazon EBS volumes, AWS Lambda functions, and Amazon ECS services on AWS
Fargate. It reports whether your resources are optimal, and generates optimization
recommendations to reduce the cost and improve the performance of your workloads. AWS
Compute Optimizer uses machine learning to analyze your historical utilization data and
compare it with the most cost-effective AWS alternatives. You can use the recommendations to
evaluate the trade-offs between cost and performance, and decide when to move or resize your
resources to achieve the best results. References: Workload Rightsizing - AWS Compute
Optimizer - AWS, What is AWS Compute Optimizer? - AWS Compute Optimizer

QUESTION NO: 498

A company wants to migrate its on-premises relational databases to the AWS Cloud. The company
wants to use infrastructure as close to its current geographical location as possible.

Which AWS service or resource should the company use to select its Amazon RDS deployment area?

A. Amazon Connect

B. AWS Wavelength

C. AWS Regions

D. AWS Direct Connect

Answer: C

AWS Regions are the AWS service or resource that the company should use to select its
Amazon RDS deployment area. AWS Regions are separate geographic areas where AWS
clusters its data centers. Each AWS Region consists of multiple, isolated, and physically
separate Availability Zones within a geographic area. Each AWS Region is designed to be
isolated from the other AWS Regions to achieve the highest possible fault tolerance and
stability. AWS provides a more extensive global footprint than any other cloud provider, and to
support its global footprint and ensure customers are served across the world, AWS opens new
Regions rapidly. AWS maintains multiple geographic Regions, including Regions in North
America, South America, Europe, China, Asia Pacific, South Africa, and the Middle East. Amazon
RDS is available in several AWS Regions worldwide. To create or work with an Amazon RDS DB
instance in a specific AWS Region, you must use the corresponding regional service endpoint.
You can choose the AWS Region that meets your latency or legal requirements. You can also
use multiple AWS Regions to design a disaster recovery solution or to distribute your read
workload. References: Global Infrastructure Regions & AZs - aws.amazon.com, Regions,
Availability Zones, and Local Zones - Amazon Relational Database Service

QUESTION NO: 499

A developer wants to deploy an application quickly on AWS without manually creating the required
resources. Which AWS service will meet these requirements?

A. Amazon EC2
B. AWS Elastic Beanstalk

C. AWS CodeBuild

D. Amazon Personalize

Answer: B

AWS Elastic Beanstalk is a service that allows you to deploy and manage applications on AWS
without manually creating and configuring the required resources, such as EC2 instances, load
balancers, security groups, databases, and more. AWS Elastic Beanstalk automatically handles
the provisioning, scaling, load balancing, health monitoring, and updating of your application,
while giving you full control over the underlying AWS resources if needed. AWS Elastic
Beanstalk supports a variety of platforms and languages, such as Java, .NET, PHP, Node.js,
Python, Ruby, Go, and Docker. You can use the AWS Management Console, the AWS CLI, the
AWS SDKs, or the AWS Elastic Beanstalk API to create and manage your applications. You can
also use AWS CodeStar, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, and AWS
CodePipeline to integrate AWS Elastic Beanstalk with your development and deployment
workflows12

QUESTION NO: 500

An ecommerce company has migrated its IT infrastructure from an on-premises data center to the AWS
Cloud. Which cost is the company's direct responsibility?

A. Cost of application software licenses

B. Cost of the hardware infrastructure on AWS

C. Cost of power for the AWS servers

D. Cost of physical security for the AWS data center

Answer: A

The cost of application software licenses is the company’s direct responsibility when it
migrates its IT infrastructure from an on-premises data center to the AWS Cloud.
Application software licenses are the agreements that grant users the right to use
specific software products, such as operating systems, databases, or applications.
Depending on the type and terms of the license, users may need to pay a fee to the
software vendor or provider to use the software legally and access its features and
updates. When users migrate their IT infrastructure to the AWS Cloud, they can choose
to buy new licenses from AWS, bring their own licenses (BYOL), or use a combination of
both. However, regardless of the option they choose, they are still responsible for
complying with the license terms and paying the license fees to the software vendor or
provider. AWS does not charge users for the application software licenses they bring or
buy, but only for the AWS resources they use to run their applications. Therefore, the
cost of application software licenses is the only cost among the options that is the
company’s direct responsibility. The other costs are either included in the AWS service
fees or covered by AWS.
References: AWS License Manager Pricing, Software licensing: The blind spot in public
cloud costs, Cost Optimization tips for SQL Server Licenses on AWS, Microsoft Licensing on
AWS

QUESTION NO: 501

A company wants to receive a notification when a specific AWS cost threshold is reached.

Which AWS services or tools can the company use to meet this requirement? (Select TWO.)

A. Amazon Simple Queue Service (Amazon SQS)

B. AWS Budgets

C. Cost Explorer

D. Amazon CloudWatch

E. AWS Cost and Usage Report

Answer: BD

AWS Budgets and Amazon CloudWatch are two AWS services or tools that the
company can use to receive a notification when a specific AWS cost threshold is
reached. AWS Budgets allows users to set custom budgets to track their costs and
usage, and respond quickly to alerts received from email or Amazon Simple Notification
Service (Amazon SNS) notifications if they exceed their threshold. Users can create
cost budgets with fixed or variable target amounts, and configure their notifications for
actual or forecasted spend. Users can also set up custom actions to run automatically
or through an approval process when a budget target is exceeded. For example, users
could automatically apply a custom IAM policy that denies them the ability to provision
additional resources within an account. Amazon CloudWatch is a service that monitors
applications, responds to performance changes, optimizes resource use, and provides
insights into operational health. Users can use CloudWatch to collect and track metrics,
which are variables they can measure for their resources and applications. Users can
create alarms that watch metrics and send notifications or automatically make changes
to the resources they are monitoring when a threshold is breached. Users can use
CloudWatch to monitor their AWS costs and usage by creating billing alarms that send
notifications when their estimated charges exceed a specified threshold amount. Users
can also use CloudWatch to monitor their Reserved Instance (RI) or Savings Plans
utilization and coverage, and receive notifications when they fall below a certain level.
References: Cloud Cost And Usage Budgets - AWS Budgets, What is Amazon
CloudWatch?, Creating a billing alarm - Amazon CloudWatch

QUESTION NO: 502

A user has a stateful workload that will run on Amazon EC2 for the next 3 years.

What is the MOST cost-effective pricing model for this workload?

A. On-Demand Instances

B. Reserved Instances

C. Dedicated Instances

D. Spot Instances

Answer: B

Reserved Instances are a pricing model that offers significant discounts on Amazon EC2 usage
compared to On-Demand Instances. Reserved Instances are suitable for stateful workloads that
have predictable and consistent usage patterns for a long-term period. By committing to a one-
year or three-year term, customers can reduce their total cost of ownership and optimize their
cloud spend. Reserved Instances also provide capacity reservation, ensuring that customers
have access to the EC2 instances they need when they need them. References: AWS Pricing
Calculator, Amazon EC2 Pricing, [AWS Cloud Practitioner Essentials: Module 3 - Compute in the
Cloud]

QUESTION NO: 503

To reduce costs, a company is planning to migrate a NoSQL database to AWS.

Which AWS service is fully managed and can automatically scale throughput capacity to meet database
workload demands?

A. Amazon Redshift

B. Amazon Aurora

C. Amazon DynamoDB
D. Amazon RDS

Answer: C

Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database service that can
deliver consistent, single-digit millisecond performance at any scale. DynamoDB can
automatically scale throughput capacity to meet the demands of the database workload,
without requiring any manual intervention. DynamoDB is ideal for NoSQL applications that need
high performance, availability, and scalability. DynamoDB also offers features such as
encryption at rest, point-in-time recovery, global tables, and in-memory
caching. References: What is NoSQL?, Amazon DynamoDB, [AWS Cloud Practitioner Essentials:
Module 4 - Databases in the Cloud]

QUESTION NO: 504

A company is running a monolithic on-premises application that does not scale and is difficult to
maintain. The company has a plan to migrate the application to AWS and divide the application into
microservices.

Which best practice of the AWS Well-Architected Framework is the company following with this plan?

A. Integrate functional testing as part of AWS deployment.

B. Use automation to deploy changes.

C. Deploy the application to multiple locations.

D. Implement loosely coupled dependencies.

Answer: D

The company is following the best practice of implementing loosely coupled dependencies by
migrating the application to AWS and dividing the application into microservices. Loosely
coupled dependencies are a design principle of the AWS Well-Architected Framework that helps
to reduce the interdependencies between components and improve the scalability, reliability,
and performance of the system. By breaking down the monolithic application into smaller,
independent, and modular services, the company can reduce the complexity and maintenance
costs, increase the agility and flexibility, and enable faster and more frequent deployments.
AWS CloudFormation is an AWS service that provides the ability to manage infrastructure as
code. Infrastructure as code is a process of defining and provisioning AWS resources using
code or templates, rather than manual actions or scripts. AWS CloudFormation allows users to
create and update stacks of AWS resources based on predefined templates that describe the
desired state and configuration of the resources. AWS CloudFormation automates and
simplifies the deployment and management of AWS resources, and ensures consistency and
repeatability across different environments and regions. AWS CloudFormation also supports
rollback, change sets, drift detection, and nested stacks features that help users to monitor and
control the changes to their infrastructure. References: Implementing Loosely Coupled
Dependencies, What is AWS CloudFormation?

QUESTION NO: 505

Which AWS service provides the ability to manage infrastructure as code?

A. AWS CodePipeline

B. AWS CodeDeploy

C. AWS Direct Connect

D. AWS CloudFormation

Answer: D

The AWS service that provides the ability to manage infrastructure as code is AWS
CloudFormation. Infrastructure as code is a process of defining and provisioning AWS
resources using code or templates, rather than manual actions or scripts. AWS CloudFormation
allows you to create and update stacks of AWS resources based on predefined templates that
describe the desired state and configuration of the resources. AWS CloudFormation automates
and simplifies the deployment and management of AWS resources, and ensures consistency
and repeatability across different environments and regions. AWS CloudFormation also
supports rollback, change sets, drift detection, and nested stacks features that help you to
monitor and control the changes to your infrastructure1.

QUESTION NO: 506

A company wants to grant users in one AWS account access to resources in another AWS account. The
users do not currently have permission to access the resources.

Which AWS service will meet this requirement?

A. IAM group

B. IAM role

C. IAM tag

D. IAM Access Analyzer

Answer: B

IAM roles are a way to delegate access to resources in different AWS accounts. IAM roles allow
users to assume a set of permissions for a limited time without having to create or share long-
term credentials. IAM roles can be used to grant cross-account access by creating a trust
relationship between the accounts and specifying the permissions that the role can perform.
Users can then switch to the role and access the resources in the other account using
temporary security credentials provided by the role. References: Cross account resource
access in IAM, IAM tutorial: Delegate access across AWS accounts using IAM roles, How to
Enable Cross-Account Access to the AWS Management Console

QUESTION NO: 507

A company is planning to host its workloads on AWS.

Which AWS service requires the company to update and patch the guest operating system?

A. Amazon DynamoDB

B. Amazon S3

C. Amazon EC2

D. Amazon Aurora

Answer: C

Amazon EC2 is an AWS service that provides scalable, secure, and resizable compute capacity
in the cloud. Amazon EC2 allows customers to launch and manage virtual servers, called
instances, that run a variety of operating systems and applications. Customers have full control
over the configuration and management of their instances, including the guest operating
system. Therefore, customers are responsible for updating and patching the guest operating
system on their EC2 instances, as well as any other software or utilities installed on the
instances. AWS provides tools and services, such as AWS Systems Manager and AWS
OpsWorks, to help customers automate and simplify the patching process. References: Shared
Responsibility Model, Shared responsibility model, [Amazon EC2]

QUESTION NO: 508

A company wants to query its server logs to gain insights about its customers' experiences.

Which AWS service will store this data MOST cost-effectively?

A. Amazon Aurora

B. Amazon Elastic File System (Amazon EFS)

C. Amazon Elastic Block Store (Amazon EBS)

D. Amazon S3

Answer: D
Amazon S3 is an AWS service that provides scalable, durable, and cost-effective object storage
in the cloud. Amazon S3 can store any amount and type of data, such as server logs, and offers
various storage classes with different performance and pricing characteristics. Amazon S3 is
the most cost-effective option for storing server logs, as it offers low-cost storage classes, such
as S3 Standard-Infrequent Access (S3 Standard-IA) and S3 Intelligent-Tiering, that are suitable
for infrequently accessed or changing access patterns data. Amazon S3 also integrates with
other AWS services, such as Amazon Athena and Amazon OpenSearch Service, that can query
the server logs directly from S3 without requiring any additional data loading or
transformation. References: Amazon S3, Amazon S3 Storage Classes, Querying Data in
Amazon S3

QUESTION NO: 509

Which AWS service or feature will search for and identify AWS resources that are shared externally?

A. Amazon OpenSearch Service

B. AWS Control Tower

C. AWS IAM Access Analyzer

D. AWS Fargate

Answer: C

AWS IAM Access Analyzer is an AWS service that helps customers identify and review the
resources in their AWS account that are shared with an external entity, such as another AWS
account, a root user, an organization, or a public entity. AWS IAM Access Analyzer uses
automated reasoning, a form of mathematical logic and inference, to analyze the resource-
based policies in the account and generate comprehensive findings that show the access level,
the source of the access, the affected resource, and the condition under which the access
applies. Customers can use AWS IAM Access Analyzer to audit their shared resources, validate
their access policies, and monitor any changes to the resource sharing status. References: AWS
IAM Access Analyzer, Identify and review resources shared with external entities, How AWS IAM
Access Analyzer works

QUESTION NO: 510

Which AWS service or tool helps users visualize, understand, and manage spending and usage over
time?

A. AWS Organizations

B. AWS Pricing Calculator

C. AWS Cost Explorer

D. AWS Service Catalog

Answer: C

AWS Cost Explorer is the AWS service or tool that helps users visualize, understand, and
manage spending and usage over time. AWS Cost Explorer is a web-based interface that allows
users to access interactive graphs and tables that display their AWS costs and usage data.
Users can create custom reports that analyze cost and usage data by various dimensions, such
as service, region, account, tag, and more. Users can also view historical data for up to the last
12 months, forecast future costs for up to the next 12 months, and get recommendations for
cost optimization. AWS Cost Explorer also provides preconfigured views that show common
cost and usage scenarios, such as monthly spend by service, daily spend by linked account, and
Reserved Instance utilization. Users can use AWS Cost Explorer to monitor their AWS spending
and usage trends, identify cost drivers and anomalies, and optimize their resource allocation
and budget planning. References: Cloud Cost Analysis - AWS Cost Explorer - AWS, Analyzing
your costs with AWS Cost Explorer

QUESTION NO: 511

A company is migrating its workloads to the AWS Cloud. The company must retain full control of patch
management for the guest operating systems that host its applications.

Which AWS service should the company use to meet these requirements?

A. Amazon DynamoDB

B. Amazon EC2

C. AWS Lambda

D. Amazon RDS

Answer: B

Amazon EC2 is the AWS service that the company should use to meet its requirements of
retaining full control of patch management for the guest operating systems that host its
applications. Amazon EC2 is a service that provides secure, resizable compute capacity in the
cloud. Users can launch virtual servers, called instances, that run various operating systems,
such as Linux, Windows, macOS, and more. Users have full administrative access to their
instances and can install and configure any software, including patches and updates, on their
instances. Users are responsible for managing the security and maintenance of their instances,
including patching the guest operating system and applications. Users can also use AWS
Systems Manager to automate and simplify the patching process for their EC2 instances. AWS
Systems Manager is a service that helps users manage their AWS and on-premises resources at
scale. Users can use AWS Systems Manager Patch Manager to scan their instances for missing
patches, define patch baselines and maintenance windows, and apply patches automatically or
manually across their instances. Users can also use AWS Systems Manager to monitor the
patch compliance status and patching history of their instances. References: What is Amazon
EC2?, AWS Systems Manager Patch Manager

QUESTION NO: 512

At what support level do users receive access to a support concierge?

A. Basic Support

B. Developer Support

C. Business Support

D. Enterprise Support

Answer: D

Users receive access to a support concierge at the Enterprise Support level. A support
concierge is a team of AWS billing and account experts that specialize in working with
enterprise accounts. They can help users with billing and account inquiries, cost optimization,
FinOps support, cost analysis, and prioritized answers to billing questions. The support
concierge is included as part of the Enterprise Support plan, which also provides access to a
Technical Account Manager (TAM), Infrastructure Event Management, AWS Trusted Advisor,
and 24/7 technical support. References: AWS Support Plan Comparison, AWS Enterprise
Support Plan, AWS Support Concierge

QUESTION NO: 513

Which AWS service can a company use to visually design and build serverless applications?

A. AWS Lambda

B. AWS Batch

C. AWS Application Composer

D. AWS App Runner

Answer: C

AWS Application Composer is a service that allows users to visually design and build serverless
applications. Users can drag and drop components, such as AWS Lambda functions, Amazon
API Gateway endpoints, Amazon DynamoDB tables, and Amazon S3 buckets, to create a
serverless application architecture. Users can also configure the properties, permissions, and
dependencies of each component, and deploy the application to their AWS account with a few
clicks. AWS Application Composer simplifies the design and configuration of serverless
applications, and reduces the need to write code or use AWS CloudFormation
templates. References: AWS Application Composer, AWS releases Application Composer to
make serverless ‘easier’ but initial scope is limited

QUESTION NO: 514

A company wants to migrate to AWS and use the same security software it uses on premises. The
security software vendor offers its security software as a service on AWS.

Where can the company purchase the security solution?

A. AWS Partner Solutions Finder

B. AWS Support Center

C. AWS Management Console

D. AWS Marketplace

Answer: D

AWS Marketplace is an online store that helps customers find, buy, and immediately start using
the software and services that run on AWS. Customers can choose from a wide range of
software products in popular categories such as security, networking, storage, machine
learning, business intelligence, database, and DevOps. Customers can also use AWS
Marketplace to purchase software as a service (SaaS) solutions that are integrated with AWS.
Customers can benefit from simplified procurement, billing, and deployment processes, as well
as flexible pricing options and free trials. Customers can also leverage AWS Marketplace to
discover and subscribe to solutions offered by AWS Partners, such as the security software
vendor mentioned in the question. References: AWS Marketplace, [AWS Marketplace: Software
as a Service (SaaS)], [AWS Cloud Practitioner Essentials: Module 6 - AWS Pricing, Billing, and
Support]

QUESTION NO: 515

A company has deployed an Amazon EC2 instance.

Which option is an AWS responsibility under the AWS shared responsibility model?

A. Managing and encrypting application data

B. Installing updates and security patches of guest operating system

C. Configuration of infrastructure devices

D. Configuration of security groups on each instance

Answer: C

According to the AWS shared responsibility model, AWS is responsible for protecting the
infrastructure that runs all of the services offered in the AWS Cloud, such as data centers,
hardware, software, networking, and facilities 1. This includes the configuration of infrastructure
devices, such as routers, switches, firewalls, and load balancers 2. Customers are responsible for
managing their data, applications, operating systems, security groups, and other aspects of
their AWS environment1. Therefore, options A, B, and D are customer responsibilities, not AWS
responsibilities. References: 1: AWS Well-Architected Framework - Elasticity; 2: Reactive
Systems on AWS - Elastic

QUESTION NO: 516

Elasticity in the AWS Cloud refers to which of the following? (Select TWO.)

A. How quickly an Amazon EC2 instance can be restarted

B. The ability to rightsized resources as demand shifts

C. The maximum amount of RAM an Amazon EC2 instance can use

D. The pay-as-you-go billing model

E. How easily resources can be procured when they are needed

Answer: BE

Elasticity in the AWS Cloud refers to the ability to acquire resources as you need them and
release resources when you no longer need them. In the cloud, you want to do this automatically1.
This means that you can rightsized resources as demand shifts, and you can easily procure
resources when they are needed. Elasticity is not related to how quickly an Amazon EC2
instance can be restarted, the maximum amount of RAM an Amazon EC2 instance can use, or
the pay-as-you-go billing model. These are aspects of scalability, performance, and cost,
respectively2.

For more information on elasticity, you can refer to the following sources:

• Elasticity - AWS Well-Architected Framework

• Elastic - Reactive Systems on AWS

• What is the difference between scalability and elasticity?

QUESTION NO: 517

A company wants to migrate its PostgreSQL database to AWS. The company does not use the database
frequently.

Which AWS service or resource will meet these requirements with the LEAST management overhead?

A. PostgreSQL on Amazon EC2

B. Amazon RDS for PostgreSQL

C. Amazon Aurora PostgreSQL-Compatible Edition

D. Amazon Aurora Serverless

Answer: D

Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora

PostgreSQL-Compatible Edition. It is a fully managed service that automatically scales up and
down based on the application’s actual needs. Amazon Aurora Serverless is suitable for
applications that have infrequent, intermittent, or unpredictable database workloads, and that
do not require the full power and range of options provided by provisioned Aurora clusters.
Amazon Aurora Serverless eliminates the need to provision and manage database instances,
and reduces the management overhead associated with database administration tasks such as
scaling, patching, backup, and recovery. References: Amazon Aurora Serverless, Choosing
between Aurora Serverless and provisioned Aurora DB clusters, [AWS Cloud Practitioner
Essentials: Module 4 - Databases in the Cloud]

QUESTION NO: 518

A company is using Amazon DynamoDB for its application database.

Which tasks are the responsibility of AWS, according to the AWS shared responsibility model? (Select
TWO.)

A. Classify data.

B. Configure access permissions.

C. Manage encryption options.

D. Provide public endpoints to store and retrieve data.

E. Manage the infrastructure layer and the operating system.

Answer: DE
According to the AWS shared responsibility model, AWS is responsible for security of the cloud,
while customers are responsible for security in the cloud. This means that AWS is responsible
for protecting the infrastructure that runs AWS services, such as hardware, software,
networking, and facilities. Customers are responsible for managing their data, classifying their
assets, and using IAM tools to apply the appropriate permissions. For abstracted services, such
as Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and
platforms, and provides customers with public endpoints to store and retrieve data. Customers
are responsible for classifying their data, managing their encryption options, and configuring
their access permissions. References: Shared Responsibility Model, Security and compliance in
Amazon DynamoDB, [AWS Cloud Practitioner Essentials: Module 2 - Security in the Cloud]

QUESTION NO: 519

A company wants to create a globally accessible ecommerce platform for its customers. The company
wants to use a highly available and scalable DNS web service to connect users to the platform.

Which AWS service will meet these requirements?

A. Amazon EC2

B. Amazon VPC

C. Amazon Route 53

D. Amazon RDS

Answer: C

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service
that can route internet traffic to the company’s ecommerce platform 1. Route 53 can also
register domain names, check the health of resources, and provide global DNS features 2. Route
53 can connect users to the platform by translating human-readable names like
www.example.com into the numeric IP addresses that computers use to communicate with
each other2. References: 1: Amazon Route 53 | DNS Service | AWS; 2: What is Amazon Route 53?
- Amazon Route 53

QUESTION NO: 520

Which maintenance task is the customer's responsibility, according to the AWS shared responsibility
model?

A. Physical connectivity among Availability Zones

B. Network switch maintenance

C. Hardware updates and firmware patches

D. Amazon EC2 updates and security patches

Answer: D

According to the AWS shared responsibility model, customers are responsible for managing
their data, applications, operating systems, security groups, and other aspects of their AWS
environment. This includes installing updates and security patches of the guest operating
system and any application software or utilities installed by the customer on the instances.
AWS is responsible for protecting the infrastructure that runs all of the services offered in the
AWS Cloud, such as data centers, hardware, software, networking, and facilities. This includes
the physical connectivity among Availability Zones, the network switch maintenance, and the
hardware updates and firmware patches. Therefore, option D is the correct answer, and options
A, B, and C are AWS responsibilities, not customer responsibilities. References: : AWS Well-
Architected Framework - Elasticity; : Reactive Systems on AWS - Elastic

QUESTION NO: 521

Which AWS service or feature allows a user to establish a dedicated network connection between a
company's on-premises data center and the AWS Cloud?

A. AWS Direct Connect

B. VPC peering

C. AWS VPN

D. Amazon Route 53

Answer: A

AWS Direct Connect is an AWS service that allows users to establish a dedicated network
connection between their on-premises data center and the AWS Cloud. This connection
bypasses the public internet and provides more predictable network performance, reduced
bandwidth costs, and increased security. Users can choose from different port speeds and
connection types, and use AWS Direct Connect to access AWS services in any AWS Region
globally. Users can also use AWS Direct Connect in conjunction with AWS VPN to create a
hybrid network architecture that combines the benefits of both private and public
connectivity. References: AWS Direct Connect, [AWS Cloud Practitioner Essentials: Module 3 -
Compute in the Cloud]

QUESTION NO: 522

Which options are AWS Cloud Adoption Framework (AWS CAF) security perspective capabilities? (Select
TWO.)
A. Observability

B. Incident and problem management

C. Incident response

D. Infrastructure protection

E. Availability and continuity

Answer: CD

The AWS Cloud Adoption Framework (AWS CAF) security perspective helps users achieve the
confidentiality, integrity, and availability of their data and cloud workloads. It comprises nine
capabilities that are grouped into three categories: preventive, detective, and responsive.
Incident response and infrastructure protection are two of the capabilities in the responsive and
preventive categories, respectively. Incident response helps users prepare for and respond to
security incidents in a timely and effective manner, using tools and processes that leverage
AWS features and services. Infrastructure protection helps users implement security controls
and mechanisms to protect their cloud resources, such as network, compute, storage, and
database, from unauthorized access or malicious attacks. References: Security perspective:
compliance and assurance, AWS Cloud Adoption Framework

QUESTION NO: 523

A company wants to generate a list of 1AM users. The company also wants to view the status
of various credentials that are associated with the users, such as password, access keys: and
multi-factor authentication (MFA) devices

Which AWS service or feature will meet these requirements?

A. 1AM credential report

B. AWS 1AM Identity Center (AWS Single Sign-On)

C. AWS Identity and Access Management Access Analyzer

D. AWS Cost and Usage Report

Answer:

QUESTION NO: 524

Which of the following is an AWS Well-Architected Framework design principle for operational
excellence in the AWS Cloud?

A. Go global in minutes

B. Make frequent, small, reversible changes

C. Implement a strong foundation of identity and access management

D. Stop spending money on hardware infrastructure for data center operations

Answer:

QUESTION NO: 525

Which type of AWS storage is ephemeral and is deleted when an Amazon EC2 instance is
stopped or terminated?

A. Amazon Elastic Block Store (Amazon EBS)

B. Amazon EC2 instance store

C. Amazon Elastic File System (Amazon EFS)

D. Amazon S3

Answer:

QUESTION NO: 526

Which AWS Cloud deployment model uses AWS Outposts as part of the application deployment
infrastructure?

A. On-premises

B. Serverless

C. Cloud-native

D. Hybrid

Answer:

QUESTION NO: 527

A company wants to automatically add and remove Amazon EC2 instances. The company
wants the EC2 instances to adjust to varying workloads dynamically.

Which service or feature will meet these requirements?

A. Amazon DynamoDB

B. Amazon EC2 Spot Instances

C. AWS Snow Family

D. Amazon EC2 Auto Scaling

Answer:

QUESTION NO: 528

Which AWS service could an administrator use to provide desktop environments for several
employees?

A. AWS Organizations

B. AWS Fargate

C. AWS WAF

D. AWS Workspaces

Answer:

QUESTION NO: 529

Which AWS service is a cloud security posture management (CSPM) service that aggregates
alerts from various AWS services and partner products in a standardized format?

A. AWS Security Hub

B. AWS Trusted Advisor

C. Amazon EventBndge

D. Amazon GuardDuty

Answer:
QUESTION NO: 530

Which AWS services can a company use to achieve a loosely coupled architecture? (Select
TWO.)

A. Amazon Workspaces

B. Amazon Simple Queue Service (Amazon SQS)

C. Amazon Connect

D. AWS Trusted Advisor

E. AWS Step Functions

Answer:

QUESTION NO: 531

A team of researchers is going to collect data at remote locations around the world Many
locations do not have internet connectivity. The team needs to capture the data in the field, and
transfer it to the AWS Cloud later

Which AWS service will support these requirements?

A. AWS Outposts

B. AWS Transfer Family

C. AWS Snow Family

D. AWS Migration Hub

Answer:

QUESTION NO: 532

A company wants to migrate its on_premises workloads to the AWS Cloud. The company wants
to separate workloads for chargeback to different departments.

Which AWS services or features will meet these requirements? (Select TWO.)

A. Placement groups

B. Consolidated billing
C. Edge locations

D. AWS Config

E. Multiple AWS accounts

Answer:

QUESTION NO: 533

A cloud practitioner needs to obtain AWS compliance reports before migrating an environment
to the AWS Cloud How can these reports be generated?

A. Contact the AWS Compliance team

B. Download the reports from AWS Artifact

C. Open a case with AWS Support

D. Generate the reports with Amazon Made

Answer:

QUESTION NO: 534

A company wants to manage its AWS Cloud resources through a web interface.

Which AWS service will meet this requirement?

A. AWS Management Console

B. AWS CLI

C. AWS SDK

D. AWS Cloud

Answer:

QUESTION NO: 535

A company needs a fully managed file server that natively supports Microsoft workloads and
file systems The file server must also support the SMB protocol.
Which AWS service should the company use to meet these requirements?

A. Amazon Elastic File System (Amazon EFS)

B. Amazon FSx for Lustre

C. Amazon FSx for Windows File Server

D. Amazon Elastic Block Store (Amazon EBS)

Answer:

QUESTION NO: 536

A company needs to block SQL injection attacks.

Which AWS service or feature can meet this requirement?

A. AWS WAF

B. AWS Shield

C. Network ACLs

D. Security groups

Answer:

QUESTION NO: 536

A company has a physical tape library to store data backups. The tape library is running out of
space. The company needs to extend the tape library's capacity to the AWS Cloud.

Which AWS service should the company use to meet this requirement?

A. Amazon Elastic File System (Amazon EFS)

B. Amazon Elastic Block Store (Amazon EBS)

C. Amazon S3

D. AWS Storage Gateway

Answer:
QUESTION NO: 538

A user needs a relational database but does not have the resources to manage the hardware,
resiliency, and replication.

Which AWS service option meets the user's requirements'?

A. Run MySQL on Amazon Elastic Container Service (Amazon ECS)

B. Run MySQL on Amazon EC2

C. Choose Amazon RDS for MySQL

D. Choose Amazon ElastiCache for Redis

Answer:

QUESTION NO: 539

Which AWS services make use of global edge locations'? (Select TWO.)

A. AWS Fargate

B. Amazon CloudFront

C. AWS Global Accelerator

D. AWS Wavelength

E. Amazon VPC

Answer:

QUESTION NO: 540

An ecommerce company wants to use Amazon EC2 Auto Scaling to add and remove EC2
instances based on CPU utilization.

Which AWS service or feature can initiate an Amazon EC2 Auto Scaling action to achieve this
goal?

A. Amazon Simple Queue Service (Amazon SQS)

B. Amazon Simple Notification Service (Amazon SNS)

C. AWS Systems Manager

D. Amazon CloudWatch alarm

Answer:

QUESTION NO: 541

Which of the following services can be used to block network traffic to an instance? (Select
TWO.)

A. Security groups

B. Amazon Virtual Private Cloud (Amazon VPC) flow logs

C. Network ACLs

D. Amazon CloudWatch

E. AWS CloudTrail

Answer:

QUESTION NO: 542

Which AWS services or features give users the ability to create a network connection between
two VPCs? (Select TWO.)

A. VPC endpoints

B. Amazon Route 53

C. VPC peering

D. AWS Direct Connect

E. AWS Transit Gateway

Answer:

QUESTION NO: 543

A company wants to quickly implement a continuous integration/continuous delivery (CI/CD)

pipeline.

Which AWS service will meet this requirement?

A. AWS Config

B. Amazon Cognito

C. AWS DataSync

D. AWS CodeStar

Answer:

QUESTION NO: 544

A development team wants to deploy multiple test environments for an application in a fast
repeatable manner.

Which AWS service should the team use?

A. Amazon EC2

B. AWS CloudFormation

C. Amazon QuickSight

D. Amazon Elastic Container Service (Amazon ECS)

Answer:

QUESTION NO: 545

A company wants to establish a private network connection between AWS and its corporate
network.

Which AWS service or feature will meet this requirement?

A. Amazon Connect

B. Amazon Route 53

C. AWS Direct Connect

D. VPC peering

Answer:
QUESTION NO: 546

Which AWS service or feature identifies whether an Amazon S3 bucket or an 1AM role has been
shared with an external entity?

A. AWS Service Catalog

B. AWS Systems Manager

C. AWS 1AM Access Analyzer

D. AWS Organizations

Answer:

QUESTION NO: 547

Which of the following are pillars of the AWS Well-Architected Framework? (Select TWO)

A. High availability

B. Performance efficiency

C. Cost optimization

D. Going global in minutes

E. Continuous development

Answer:

QUESTION NO: 548

A company wants to migrate its database to a managed AWS service that is compatible with
PostgreSQL.

Which AWS services will meet these requirements? (Select TWO)

A. Amazon Athena

B. Amazon RDS

C. Amazon EC2

D. Amazon DynamoDB
E. Amazon Aurora

Answer:

QUESTION NO: 549

Which AWS service is always provided at no charge?

A. Amazon S3

B. AWS Identity and Access Management (1AM)

C. Elastic Load Balancers

D. AWS WAF

Answer:

QUESTION NO: 550

Which characteristic of the AWS Cloud helps users eliminate underutilized CPU capacity'?

A. Agility

B. Elasticity

C. Reliability

D. Durability

Answer:

QUESTION NO: 551

What is a customer responsibility when using AWS Lambda according to the AWS shared
responsibility model?

A. Managing the code within the Lambda function

B. Confirming that the hardware is working in the data center

C. Patching the operating system

D. Shutting down Lambda functions when they are no longer in use

Answer:

QUESTION NO: 552

A company wants to run its workload on Amazon EC2 instances for more than 1 year. This
workload will run continuously.

Which option offers a discounted hourly rate compared to the hourly rate of On-Demand
Instances?

A. AWS Graviton processor

B. Dedicated Hosts

C. EC2 Instance Savings Plans

D. Amazon EC2 Auto Scaling instances

Answer:

QUESTION NO: 553

Which cloud computing advantage is a company applying when it uses AWS Regions to
increase application availability to users in different countries?

A. Pay-as-you-go pricing

B. Capacity forecasting

C. Economies of scale

D. Global reach

Answer:

QUESTION NO: 554

Which of the following is a fully managed graph database service on AWS?

A. Amazon Aurora

B. Amazon FSx

C. Amazon DynamoDB
D. Amazon Neptune

Answer:

QUESTION NO: 555

What is a benefit of using AWS serverless computing?

A. Application deployment and management are not required

B. Application security will be fully managed by AWS

C. Monitoring and logging are not needed

D. Management of infrastructure is offloaded to AWS

Answer:

QUESTION NO: 556

Which AWS service or feature gives users the ability to capture information about network
traffic in a VPC?

A. VPC Flow Logs

B. Amazon Inspector

C. VPC route tables

D. AWS CloudTrail

Answer:

QUESTION NO: 557

A company is migrating its applications from on-premises to the AWS Cloud. The company
wants to ensure that the applications are assigned only the minimum permissions that are
needed to perform all operations.

Which AWS service will meet these requirements'?

A. AWS Identity and Access Management (1AM)

B. Amazon CloudWatch
C. Amazon Macie

D. Amazon GuardDuty

Answer:

QUESTION NO: 558

A company wants to allow users to authenticate and authorize multiple AWS accounts by using
a single set of credentials.

Which AWS service or resource will meet this requirement?

A. AWS Organizations

B. 1AM user

C. AWS 1AM Identity Center (AWS Single Sign-On)

D. AWS Control Tower

Answer:

QUESTION NO: 559

A company is using Amazon DynamoDB.

Which task is the company's responsibility, according to the AWS shared responsibility model?

A. Patch the operating system

B. Provision hosts

C. Manage database access permissions.

D. Secure the operating system

Answer:

QUESTION NO: 560

A company wants durable storage for static content and infinitely scalable data storage
infrastructure at the lowest cost.
Which AWS service should the company choose?

A. Amazon Elastic Block Store (Amazon EBS)

B. Amazon S3

C. AWS Storage Gateway

D. Amazon Elastic File System (Amazon EFS)

Answer:

QUESTION NO: 561

A company wants to run a NoSQL database on Amazon EC2 instances.

Which task is the responsibility of AWS in this scenario"?

A. Update the guest operating system of the EC2 instances

B. Maintain high availability at the database layer

C. Patch the physical infrastructure that hosts the EC2 instances

D. Configure the security group firewall

Answer:

QUESTION NO: 562

Which service enables customers to audit API calls in their AWS accounts'?

A. AWS CloudTrail

B. AWS Trusted Advisor

C. Amazon Inspector

D. AWS X-Ray

Answer:

QUESTION NO: 563

A company needs a bridge between technology and business to help evolve to a culture of
continuous growth and learning.

Which perspective in the AWS Cloud Adoption Framework (AWS CAF) serves as this bridge?

A. People

B. Governance

C. Operations

D. Security

Answer:

QUESTION NO: 564

Which mechanism allows developers to access AWS services from application code?

A. AWS Software Development Kit

B. AWS Management Console

C. AWS CodePipeline

D. AWS Config

Answer:

QUESTION NO: 565

Which AWS service gives users the ability to discover and protect sensitive data that is stored in
Amazon S3 buckets?

A. Amazon Macie

B. Amazon Detective

C. Amazon GuardDuty

D. AWS I AM Access Analyzer

Answer:
QUESTION NO: 566

Which AWS service or resource provides answers to the most frequently asked security-related
questions that AWS receives from its users'?

A. AWS Artifact

B. Amazon Connect

C. AWS Chatbot

D. AWS Knowledge Center

Answer: