AWS Solutions Architect Associate Practice Exam Part 2
Question 1 of 53
One of your work colleagues has just left, and you have been handed some of the infrastructure he set up. In one of the setups you start looking at, he has created multiple components of a single application, and all the components are hosted on a single EC2 instance (without an ELB) in a VPC. You have been told that this needs to be set up with two separate SSL certificates, one for each component. Which of the following would best achieve setting up the two separate SSL certificates while still using only one EC2 instance?
Choose the correct answer:
Correct answer
Create an EC2 instance which has multiple network interfaces with multiple elastic IP addresses
Question 2 of 53
Your job at a large scientific institution is moving along nicely. It is at the forefront of the latest research on nanotechnology, about which you have become very passionate. You have been put in charge of scaling up some existing infrastructure which currently has 9 EC2 instances running in a Placement Group. All 9 instances were initially launched at the same time and seem to be performing as expected. You decide that you need to add 2 new instances to the group; however, when you attempt to do this you receive a ‘capacity error’. Which of the following actions will most likely fix this problem?
Choose the correct answer:
Correct answer
Stop and restart the instances in the Placement Group and then try the launch again.
Question 3 of 53
You have been told by your security officer that you need to give a presentation on encryption of data at rest on AWS to 50 of your co-workers. You feel like you understand this extremely well regarding data stored on AWS S3, so you aren’t too concerned, but you begin to panic a little when you realize you also probably need to talk about encryption of data stored in your databases, namely Amazon RDS. Regarding Amazon RDS encryption, which of the following statements is the most accurate?
Choose the correct answer:
Correct answer
Encryption can be enabled on RDS instances to encrypt the underlying storage, and this will by default also encrypt snapshots as they are created. No additional configuration needs to be made on the client side for this to work.
Question 4 of 53
BCJC is consulting for a company that runs their current application entirely on-premises. However, they are expecting a big boost in traffic tomorrow and need to figure out a way to decrease the load to handle the scale. Unfortunately, they cannot migrate their application to AWS in the period required. What could they do with their current on-premises application to help offload some of the traffic and scale to meet the demand expected in 24 hours?
Choose the correct answer:
Correct answer
Create a CloudFront CDN, enable query string forwarding and a TTL of zero on the origin. Offload the DNS to AWS to handle CloudFront CDN traffic but use on-premises load balancers as the origin.
Explanation
The company cannot send or migrate any data to AWS. However, DNS changes and a CloudFront distribution can be provisioned in enough time to help offload some of the demand onto AWS edge locations by creating a whole-site CDN.
Question 5 of 53
You are designing a multi-region architecture and you want to send users to a geographic location using latency-based routing, which seems simple enough; however, you also want to use weighted routing among resources within that region. Which of the below setups would best accomplish this?
Choose the correct answer:
Correct answer
You will need to use complex routing (nested record sets) and ensure that you define the weighted resource record sets first.
Question 6 of 53
BCJC has a legacy application with licensing that is tied to a single MAC address. Since an EC2 instance can receive a new MAC address when new instances are launched, how can you ensure that your EC2 instance can maintain a single MAC address for licensing?
Choose the correct answer:
Correct answer
Create an ENI and assign it to the EC2 instance. The ENI will have a static MAC address and can be detached and reattached to a new instance if the current instance becomes unavailable.
Explanation
MAC addresses are assigned to an ENI. EC2 allows the creation of an ENI that keeps its MAC address for as long as the ENI exists, regardless of which instance it is attached to; this works exactly like an Elastic IP address.
Question 7 of 53
You have been given a new brief from your supervisor for a client who needs a web application set up on AWS. The most important requirement is that MySQL must be used as the database, and this database must not be hosted in the public cloud, but rather at the client’s data center due to security risks. Which of the following solutions would be the best to assure that the client’s requirements are met?
Choose the correct answer:
Correct answer
Build the application server on a public subnet and the database at the client’s data center. Connect them with a VPN connection which uses IPsec.
Question 8 of 53
Your company has just set up a new document server in its AWS VPC, and it has four very important clients that it wants to give access to. These clients also have VPCs on AWS, and it is through these VPCs that they will be given access to the document server. In addition, each of the clients should not have access to any of the other clients’ VPCs.
Choose the correct answer:
Correct answer
Set up VPC peering between your company’s VPC and each of the clients’ VPCs
Question 9 of 53
You’ve recently migrated an application from a customer’s on-premises data center to the AWS cloud. Currently, you’re using the ELB to serve traffic to the legacy application. The ELB is also using HTTP port 80 as the health check ping port. The application is currently responding by returning a website on port 80 when you test the IP address directly. However, the instance is not registering as healthy even though the appropriate amount of time has passed for the health check to register as healthy.
How might the issue be resolved?
Choose the correct answer:
Correct answer
Change the ELB listener port from HTTP port 80 to TCP port 80 for the instance to register as healthy
Question 10 of 53
You’ve created a mobile application that serves data stored in an Amazon DynamoDB table. Your primary concern is scalability of the application and being able to handle millions of visitors and data requests. As part of your application, the customer needs access to the data located in the DynamoDB table. Given the application requirements, what would be the best method for designing the application?
Choose the correct answer:
Correct answer
Let the users sign in to the app using a third-party identity provider such as Amazon, Google, or Facebook. Use the AssumeRoleWithWebIdentity API call to assume the role containing the proper permissions to communicate with the DynamoDB table. Write the application in JavaScript and host the JavaScript interface in an S3 bucket.
Explanation
AWS provides a JavaScript SDK, which allows JavaScript to integrate with AWS services such as STS and DynamoDB. Since it is a client-side programming language, using it and hosting the application in an S3 bucket allows the web application to scale. Using a web identity provider, you will not have to manage any user accounts or user databases.
Question 11 of 53
You have just developed a new mobile application that handles analytics workloads on large-scale datasets that are stored on Amazon Redshift. Consequently, the application needs to access Amazon Redshift tables. Which of the below methods would be the best, both practically and security-wise, to access the tables?
Choose the correct answer:
Correct answer
Use roles that allow a web identity federated user to assume a role that allows access to the RedShift table by providing temporary credentials.
Question 12 of 53
Given the following IAM policy assigned to user “jeff”
Correct answer
EC2 instances tagged “env:production” cannot have the Terminate|Start|Stop|Reboot instance actions performed against them
Explanation
Resource tagging will apply to the instances that have the associated tag values. Resource tagging can also help prevent instances from being terminated by accident.
Question 13 of 53
A new client may use your company to move all their existing Data Center applications and infrastructure to AWS. This is going to be a huge contract for your company, and you have been handed the entire contract and need to provide an initial scope to this possible new client. One of the things you notice concerning the existing infrastructure is that it has a small number of legacy applications that you are almost certain will not work on AWS. Which of the following would be the best strategy to employ regarding the migration of these legacy applications?
Choose the correct answer:
Correct answer
Create a hybrid cloud by configuring a VPN tunnel to the on-premises location of the Data Center.
Question 14 of 53
Once again your security officer is on your case, and this time is asking you to make sure the AWS Key Management Service (AWS KMS) is working as it is supposed to. You are initially not too sure how KMS even works; however, after some intense late-night reading you think you have come up with a reasonable definition. Which of the following best describes how the AWS Key Management Service works?
Choose the correct answer:
Correct answer
AWS KMS supports two kinds of keys — master keys and data keys. Master keys can be used to directly encrypt and decrypt up to 4 kilobytes of data and can also be used to protect data keys. The data keys are then used to encrypt and decrypt customer data.
Question 15 of 53
BCJC has a library of on-demand MP4 files that need to be streamed publicly on their new video webinar website. The video files are archived and are expected to be streamed globally, primarily on mobile devices.
Given the requirements, what would be the best architecture for BCJC to design?
Choose the correct answer:
Correct answer
Upload the MP4 files to S3 and create an Elastic Transcoder job that transcodes the MP4 source into HLS chunks. Store the HLS output in S3 and create a CloudFront download distribution to serve the HLS files to end users.
Explanation
CloudFront streaming distributions only support the Adobe RTMP streaming protocol. HLS is a progressive download protocol. Configuring the output of the HLS chunks to be an S3 bucket and using the S3 bucket as the origin for streaming would be the most scalable way to satisfy the criteria. There is no requirement to protect the digital content.
Question 16 of 53
BCJC has hired a third-party security auditor, and the auditor needs read-only access to all AWS resources and logs of all VPC records and events that have occurred on AWS. How can BCJC meet the auditor’s requirements without compromising security in the AWS environment?
Choose the correct answer:
Correct answer
Enable CloudTrail logging and create an IAM user who has read-only permissions to the required AWS resources, including the bucket containing the CloudTrail logs
Question 17 of 53
You’re working as a consultant for a company that has a three-tier application. The application layer of this architecture sends over 20 Gbps of data to and from Amazon S3 during peak hours. Currently, you’re running two NAT gateways in two subnets to transfer the data from your private application layer to Amazon S3. You will also need to ensure that the instances receive software patches from a third-party repository.
What architecture changes should be made, if any?
Choose the correct answer:
Correct answer
Keep the NAT gateway and create a VPC S3 endpoint which allows for higher bandwidth throughput as well as tighter security.
Explanation
S3 endpoints use the private AWS network for data transfer. These endpoints do not have the same bandwidth limitations as NAT gateways since the transfer is all done through the internal network. This is also an additional layer of security. In order to ensure that the instances can reach a third-party repository, a NAT gateway is still required for communication over the internet.
Question 18 of 53
You are building a large-scale confidential documentation web server on AWS, and all of the documentation for it will be stored on S3. One of the requirements is that it cannot be publicly accessible from S3 directly, and you will need to use CloudFront to accomplish this. Which of the methods listed below would satisfy the requirements as outlined?
Choose the correct answer:
Correct answer
Create an Origin Access Identity (OAI) for CloudFront and grant access to the objects in your S3 bucket to that OAI.
Question 19 of 53
You are setting up a VPN for a customer to connect his remote network to his Amazon VPC environment. There are a number of ways to accomplish this, and to help you decide you have been given a list of the things that the customer has specified the network needs to be able to do. They are as follows:
– Predictable network performance
– Support for BGP peering and routing policies
– A secure IPsec VPN connection, but not over the Internet
Which of the following VPN options would best satisfy the customer’s requirements?
Choose the correct answer:
Correct answer
AWS Direct Connect and IPsec Hardware VPN connection over private lines
Question 20 of 53
Your company has just purchased some very expensive software which also involved the addition of a unique license for it. You have been told to set this up on an AWS EC2 instance; however, one of the problems is that the software license has to be tied to a specific MAC address, and from your experience with AWS you know that every time an instance is restarted it will almost certainly lose its MAC address. What would be a possible solution to this given the options below?
Choose the correct answer:
Correct answer
Use a VPC with an elastic network interface that has a fixed MAC Address
Question 21 of 53
You’ve created a temporary application that accepts image uploads, stores them in S3, and records information about the image in RDS. After building this architecture and accepting images for the duration required, it’s time to delete the CloudFormation template. However, your manager has informed you that for archival reasons the RDS data needs to be stored and the S3 bucket with the images needs to remain. Your manager has also instructed you to ensure that the application can be restored by a CloudFormation template and run next year during the same period.
Knowing that when a CloudFormation template is deleted, it will remove the resources it created, what is the best method for achieving the desired goals?
Choose the correct answer:
Correct answer
Set the DeletionPolicy on the S3 resource declaration in the CloudFormation template to retain, and set the RDS resource declaration DeletionPolicy to snapshot.
Explanation
Setting the DeletionPolicy on the S3 bucket will ensure the S3 bucket is not removed. Keeping the S3 bucket and the name of the S3 bucket ensures it is easy to relaunch the application later with a template. Setting the RDS DeletionPolicy to snapshot ensures the data can be restored when the application needs to be run again later. Setting the DeletionPolicy on RDS to retain would leave the RDS instance running when it would not be used, thus increasing costs when not required.
Question 22 of 53
BCJC is managing a customer’s application which currently uses a three-tier configuration. The first tier manages the web instances and is configured in a public subnet. The second tier is the application layer. As part of the application code, the application instances upload large amounts of data to Amazon S3. Currently, the private subnets that the application instances are running on have a route to a single t2.micro NAT instance.
During peak loads the application becomes slow, and customer uploads from the application to S3 take a long time or do not complete.
Which steps might you take to solve the issue using the most cost-efficient method?
Choose the correct answer:
Correct answer
Create a VPC S3 endpoint
Explanation
Creating a VPC endpoint removes the need for the S3 uploads to be sent through a NAT instance. It is the most cost-efficient method and the most scalable method as well. The following answers would also get the job done, but at additional cost; NAT instances cannot be autoscaled since the traffic is sent through the route table: “Increase the NAT instance size; network throughput increases with an increase in instance size” and “launch an additional NAT instance in another subnet and replace one of the routes in a subnet to the new instance.”
Question 23 of 53
You are the administrator for a new startup company which has a production account and a development account on AWS. Up until this point, no one has had access to the production account except yourself. There are 20 people on the development account who now need various levels of access provided to them on the production account. 10 of them need read-only access to all resources on the production account, 5 of them need read/write access to EC2 resources, and the remaining 5 only need read-only access to S3 buckets. Which of the following options would be the best way, both practically and security-wise, to accomplish this task?
Choose the correct answer:
Correct answer
Create 3 roles in the production account with a different policy for each of the access levels needed. Add permissions to each IAM user on the developer account.
Question 24 of 53
You have a legacy application running that uses an m4.large instance size and cannot scale with Auto Scaling, but only has peak performance 5% of the time. This is a huge waste of resources and money, so your Senior Technical Manager has set you the task of trying to reduce costs while still keeping the legacy application running as it should. Which of the following would best accomplish the task your manager has set you?
Choose the correct answer:
Correct answer
Use a T2 burstable performance instance.
Question 25 of 53
BCJC (Big Cloud Jumbo Corp) is designing a high availability solution for a customer. This customer’s requirements are that their application needs to be able to handle an unexpected amount of load and allow site visitors to read data from a DynamoDB table, which contains the results of an online polling system. Given this information, what would be the best and most cost-saving method for architecting and developing this application?
Choose the correct answer:
Correct answer
Use the JavaScript SDK and build a static HTML page, hosted inside of an Amazon S3 bucket; use CloudFront and Route 53 to serve the website, which uses JavaScript client-side language to communicate with DynamoDB.
Question 26 of 53
BCJC has developed a Ruby on Rails content management platform. Currently, BCJC is using OpsWorks with several stacks for dev, staging, and production to deploy and manage the application.
BCJC is about to implement a new feature on the CMS application using Python instead of Ruby.
How should BCJC deploy this new application feature?
Choose the correct answer:
Correct answer
BCJC should create a new stack that contains a new layer with the Python code. To cut over to the new stack BCJC should consider using Blue/Green deployment
Question 27 of 53
You’ve been tasked with creating file-level restore on your EC2 instances. You need to be able to restore an individual lost file on an EC2 instance within 15 minutes of a reported loss of information. The acceptable RPO is several hours. How would you perform this on an EC2 instance?
Choose the correct answer:
Correct answer
Take frequent snapshots of EBS volumes, create a volume from an EBS snapshot, attach the EBS volume to the EC2 instance at a different mount location, browse the file system to the file that needs to be restored on the new mount, copy from the new volume to the backup volume
Explanation
The question asks how you restore a “single” file. Restoring a whole volume would actually cause data loss if the other files on it were being updated.
Question 28 of 53
BCJC is running a web application that has a high amount of dynamic content. BCJC is looking to implement a caching solution that will reduce load times for clients requesting the application. What is the best possible solution and why?
Choose the correct answer:
Correct answer
Create a CloudFront distribution, enable query string forwarding, set the TTL to 0: This will keep TCP connections open from CloudFront to origin, reducing the time it takes for TCP handshake to occur.
Explanation
CloudFront uses KeepAlive features to keep TCP connections open from the edge location to the CloudFront origin. This reduces the time it takes for the TCP handshake to occur. Only the initial requests have to perform the full TCP handshake. This will substantially reduce load time for thousands of requests per minute or greater.
Question 29 of 53
Big Brother Bank has been acquiring smaller banks. BBB has a security requirement that all bank employees are required to log into a central identity solution, so that when they log on they gain access to central bank resources. Given that each bank has its own AWS account, and existing application instances with which to run its bank software, how would BBB connect each bank’s AWS networks to the central VPC, so as to allow each bank to use the central identity solution?
Each bank runs its VPC in the US-West-1 region, requires a high availability solution, and regulation does not allow each bank access to the others’ resources. How would you best design this solution?
Choose the correct answer:
Correct answer
Create a VPC peering connection with BBB’s VPC peered to each branch’s AWS account, ensuring that the peered subnets do not have an overlapping CIDR block range.
Question 30 of 53
You’re consulting for a new customer, who is attempting to create a hybrid network between AWS and their on-premises data centers. Currently, they have internal databases running on-premises that, due to licensing reasons, cannot be migrated to AWS. The front end of the application has been migrated to AWS and uses the DB hostname “db.internalapp.local” to communicate with the on-premises database servers. Hostnames provide an easy method for updating IP addresses in the event of failover instead of having to update the IP address in the code.
Given the current architecture, what is the best way to configure internal DNS for this hybrid application? (Choose Two)
Choose the 2 correct answers:
Correct answers
Use an existing on-premises DNS server to configure hostnames for internal DNS records. Create a new Amazon VPC DHCP option set with the internal DNS server’s IP address.
Create an EC2 instance DNS server to configure hostnames for internal DNS records. Create a new Amazon VPC DHCP option set with the internal DNS server’s IP address.
Explanation
The application is an internal application. Using a public IP address would cause the application to route externally, which is not part of the desired architecture. Internal Route 53 record sets would not work since Route 53 internal resource record sets only work for requests originating from within the VPC and currently cannot extend to on-premises.
Question 31 of 53
The company you work for has a huge amount of infrastructure built on AWS. However, there have been some concerns recently about the security of this infrastructure, and an external auditor has been given the task of running a thorough check of all of your company’s AWS assets. The auditor will be in the USA while your company’s infrastructure resides in the Asia Pacific (Sydney) region on AWS. Initially, he needs to check all of your VPC assets, specifically security groups and NACLs. You have been assigned the task of providing the auditor with a login to be able to do this. Which of the following would be the best and most secure solution to provide the auditor with so he can begin his initial investigations?
Choose the correct answer:
Correct answer
Create an IAM user who will have read-only access to your AWS VPC infrastructure and provide the auditor with those credentials.
Question 32 of 53
BCJC is hosting an Nginx web application. They want to use EMR to create EMR jobs that sift through all of the web server logs and error logs to pull statistics on click stream and errors based on client IP address.
Given the requirements, what would be the best method for collecting the log data and analyzing it automatically?
Choose the correct answer:
Correct answer
If the application is using TCP, configure Proxy Protocol to pass the client IP address in a new TCP header. If the application is using HTTP, modify the application code to pull the client IP into the X-Forwarded-For header so the web servers can parse it.
Question 33 of 53
BCJC is building out an AWS Cloud Environment for a financial regulatory firm. Part of the requirements is being able to monitor all changes in an environment and all traffic sent to and from the environment.
What suggestions would you make to ensure all the requirements for monitoring the financial architecture are satisfied? (Choose Two)
Choose the 2 correct answers:
Correct answers
Configure an IPS/IDS system, such as Palo Alto Networks, that monitors, filters, and alerts on all potentially hazardous traffic leaving the VPC.
Configure an IPS/IDS to listen for and block all suspected bad traffic coming into and out of the VPC. Configure CloudTrail with CloudWatch Logs to monitor all changes within an environment.
Question 34 of 53
Due to cost-cutting measures being implemented by your organization, you have been told that you need to migrate some of your existing resources to another region. The first task you have been given is to copy all of your Amazon Machine Images from Asia Pacific (Sydney) to US West (Oregon). One of the things that you are unsure of is how the PEM keys on your Amazon Machine Images need to be migrated. Which of the following best describes how your PEM keys are affected when AMIs are migrated between regions?
Choose the correct answer:
Correct answer
The PEM keys will not be copied to the new region, but the authorized keys will still be in the operating system of the AMI. You need to ensure that when the new AMI is launched, it is launched with the same PEM key name.
Question 35 of 53
You are excited that your company has just purchased a Direct Connect link from AWS, as everything you now do on AWS should be much faster and more reliable. Your company is based in Sydney, Australia, so obviously the Direct Connect link to AWS will go into the Asia Pacific (Sydney) region. Your first job after the new link purchase is to create a multi-region design across the Asia Pacific (Sydney) region and the US West (N. California) region. You soon discover that all the infrastructure you deploy in the Asia Pacific (Sydney) region is extremely fast and reliable; however, the infrastructure you deploy in the US West (N. California) region is much slower and unreliable. Which of the following would be the best option to make the US West (N. California) region a more reliable connection?
Choose the correct answer:
Correct answer
Create a public virtual interface to the US West region’s public endpoints and use a VPN over the public virtual interface to protect the data.
Question 36 of 53
After configuring a whole-site CDN on CloudFront you receive the following error: This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
What is the most likely cause of this?
Choose the correct answer:
Correct answer
The allowed HTTP methods on that specific origin are only GET and HEAD.
Question 37 of 53
In an attempt to cut costs, your accounts manager has come to you and told you that he thinks that if the company starts to use consolidated billing it will save some money. He also wants the billing set up in such a way that it is relatively simple and gives insights into the environment regarding utilization of resources. Which of the following consolidated billing setups would satisfy your accounts manager’s needs?
Choose the 2 correct answers:
Correct answers
Use one master account and many sub accounts.
Use one account but multiple VPCs to break out environments.
Question 38 of 53
Your final task to complete a cloud migration for a customer is to set up an Active Directory service for him so that he can use Microsoft Active Directory with the newly deployed AWS services. After reading the AWS documentation for this, you discover there are 3 options available to set up the AWS Directory Service. You call the customer for more information about his requirements, and he tells you he has 10,000 users on his AD service and wants to be able to use his existing on-premises directory with AWS services. Which of the following options for setting up the AWS Directory Service would be the most appropriate for your customer?
Choose the correct answer:
Question 39 of 53
BCJC has two batch processing applications that consume financial data about the day’s stock transactions. Each transaction needs to be stored durably, with a guarantee that a record is delivered to each application so the audit and billing batch processing applications can process the data. However, the two applications run separately and several hours apart, and need access to the same transaction information. After the transaction information for the day has been reviewed, it no longer needs to be stored.
What is the best way to architect this application?
Choose the correct answer:
Correct answer
Use Kinesis to store the transaction information. The billing application will consume data from the stream, and the audit application can consume the same data several hours later.
Explanation
Kinesis streams store a rolling “buffer” of data. That data is only removed after the retention period on the Kinesis stream expires (now customizable). This is ideal because no additional cost or management is required to make the data available and remove the data after the last application consumes it.
Question 40 of 53
After the government organization you work for suffers its third DDoS attack of the year, you have been handed one part of a strategy to try to stop this from happening again. You have been told that your job is to minimize the attack surface area. You do have a vague idea of some of the things you need to put in place to achieve this. Which of the following is NOT one of the ways to minimize the attack surface area as part of a DDoS mitigation strategy?
Choose the correct answer:
Correct answer
Configure services such as Elastic Load Balancing and Auto Scaling to automatically scale.
Question 41 of 53
You have created a VPC with CIDR block 10.0.0.0/24, which supports 256 IP addresses. You now want to split this into two subnets, each supporting 128 IP addresses. Can this be done, and if so, how will the allocation of IP addresses be configured?
Choose the correct answer:
Correct answer
One subnet will use CIDR block 10.0.0.0/25 (for addresses 10.0.0.0 – 10.0.0.127) and the other will use CIDR block 10.0.0.128/25 (for addresses 10.0.0.128 – 10.0.0.255).
Question 42 of 53
BCJC has an employee who keeps terminating EC2 instances in the production environment. You’ve determined the best way to ensure this doesn’t happen is to add an extra layer of defense against terminating the instances. What is the best method to ensure the employee does not terminate the production instances?
Choose the 2 correct answers:
Correct answers
Tag the instance with a production-identifying tag and add resource-level permissions to the employee user with an explicit deny on the terminate API call for instances with the production tag.
Tag the instance with a production-identifying tag and modify the employee’s group to allow only the start, stop, and reboot API calls and not the terminate instance call.
Explanation
The best method is to add resource-level tags to the production EC2 instances and either grant or deny the allowed actions in an IAM policy. An explicit deny always overrides an allow. C and D either deny or allow, and unless an action is explicitly allowed it is denied, which is why both are correct.
Question 43 of 53
BCJC has many employees who need to run internal applications that access the company’s AWS resources. These employees already have user credentials in the company’s current identity authentication system, which does not support SAML 2.0. The company does not want to create a separate IAM user for each company employee.
How should the SSO setup be designed?
Choose the 2 correct answers:
Correct answers
Create a custom identity broker application which authenticates employees using the existing system and uses the AssumeRole API call to gain temporary, role-based access to AWS.
Create a custom identity broker application which authenticates the employees using the existing system, uses the GetFederationToken API call, and passes a permission policy to gain temporary access credentials from STS.
Question 44 of 53
The Dynamic Host Configuration Protocol (DHCP) provides a standard for passing configuration information to hosts on a TCP/IP network. You can have multiple sets of DHCP options, but you can associate only one set of DHCP options with a VPC at a time. You have just created your first set of DHCP options and associated it with your VPC, but now realize that you have made an error in setting them up and you need to change the options. Which of the following actions do you need to take to achieve this?
Choose the correct answer:
Correct answer
You must create a new set of DHCP options and associate them with your VPC.
Question 45 of 53
BCJC is running Oracle DB workloads on AWS. Currently, they are running the Oracle RAC configuration on the AWS public cloud. You’ve been tasked with configuring backups on the RAC cluster to enable durability. What is the best method for configuring backups?
Choose the correct answer:
Correct answer
Create a script that runs snapshots against the EBS volumes to create backups and durability.
Explanation
RAC is not supported by RDS but can be run on EC2. To back up EC2 instances, you can suspend I/O for a moment to start the snapshot creation. Data Guard on Oracle is also an acceptable solution to extend high availability to a RAC cluster running on EC2.
Question 46 of 53
You have been given the task of designing a backup strategy for your organization’s AWS resources, with the only caveat being that you must use the AWS Storage Gateway. Which of the following is the most correct statement about a backup strategy on the AWS Storage Gateway?
Choose the correct answer:
Correct answer
You should use Gateway-Stored Volumes, as they are preferable to Gateway-Cached Volumes as a backup storage medium.
Question 47 of 53
When you create a subnet, you specify the CIDR block for the subnet. The CIDR block of a subnet can be the same as the CIDR block for the VPC (for a single subnet in the VPC), or a subset (to enable multiple subnets). The allowed block size is between a /28 netmask and a /16 netmask. You decide to create a VPC with CIDR block 10.0.0.0/24. What are the maximum and minimum allowed numbers of IP addresses according to AWS, and how many IP addresses does the VPC you created support?
Choose the correct answer:
Correct answer
Maximum is 65,536 and the minimum is 16, and the one created supports 256 IP addresses.
Question 48 of 53
You’ve configured an AWS VPC and several EC2 instances running MongoDB with an internal IP address of 10.0.2.1. To simplify failover and connectivity to the instance, you create an internal Route 53 A record called mongodb.example.com. You have a VPN connection from on-premise to your VPC and are attempting to connect an on-premise VMware instance to mongodb.example.com, but the DNS name will not resolve.
Given the current design, why is the internal DNS record not resolving on-premise?
Choose the correct answer:
Correct answer
Route 53 internal DNS records only work if the DNS request originates from within the VPC.
Explanation
Internal Route 53 resource record sets only work if the originating request is made from within the VPC. Internal Route 53 record sets cannot be extended to on-premise usage.
Question 49 of 53
BCJC is running an Amazon Redshift cluster with four nodes running 24/7/365 and expects, potentially, to add one on-demand node for one to two days once during the year. Which architecture would have the lowest possible cost for the cluster requirement?
Choose the correct answer:
Correct answer
Purchase 4 reserved nodes and rely on on-demand instances for the fifth node, if required.
Explanation
The fifth node is expected to run, at most, one day. In this situation, purchasing four reserved nodes will reduce overall costs, since four nodes will run continuously. Relying on on-demand instances for the fifth node is the lowest-cost option compared to reserving it.
Question 50 of 53
An online gaming server whose IOPS performance you have recently increased by creating a RAID 0 configuration has now started to have bottleneck problems due to your instance bandwidth. Which of the following would be the best solution to increase throughput?
Choose the correct answer:
Correct answer
Use instance store backed instances, stripe the attached ephemeral storage devices, and use DRBD asynchronous replication.
Question 51 of 53
BCJC has three consolidated billing accounts: dev, staging, and production. The dev account has purchased two reserved instances of instance type m4.large in Availability Zone 1a. However, no instances are running in the dev account, but an m4.large is running in the staging account inside Availability Zone 1a. Who receives the reserved instance pricing?
Choose the correct answer:
Correct answer
The reserved instance pricing will still be applied because the staging account is running an instance that matches the reservation.
Explanation
Like volume discounts, reserved instances work across all accounts that are connected to consolidated billing. Since billing is at the payee level, consolidated billing does not care which account purchases or uses a reserved instance. This is a consideration if BCJC wants to host customer accounts as part of their consolidated billing.
Question 52 of 53
BCJC has a Redshift cluster for petabyte-scale data warehousing. The data within the cluster is easily reproducible from additional data stored on Amazon S3. BCJC wants to reduce the overall total cost of running this Redshift cluster. Which scenario would best meet the needs of the running cluster while still reducing the total cost of ownership of the cluster?
Choose the correct answer:
Correct answer
Disable automated and manual snapshots on the cluster.
Explanation
The cluster data is easily populated from Amazon S3. The best overall method for this cluster would be not to enable backups at all, to reduce storage costs on the cluster. The assumption is that the data already exists in S3. Keep in mind this is not a likely production setup scenario, but it is meant to test understanding of where the costs are incurred in a Redshift environment.
Question 53 of 53
BCJC is running a MySQL RDS instance inside AWS; however, a new requirement for disaster recovery is keeping a read replica of the production RDS instance in an on-premise data center. What is the most secure way of performing this replication?
Choose the correct answer:
Correct answer
Create an IPSec VPN connection using either OpenVPN or VPN/VGW through the Virtual Private Cloud service.
Explanation
RDS instances can replicate to on-premise database servers. It is best practice to first create a dump of the database and copy it down, then enable replication, since this uses the MySQL asynchronous replication feature. Latency is an issue when using replication, so consider using a Direct Connect connection depending on the use case for this situation.