AWS FREE Practice Exams

Welcome to the FREE AWS Cloud Certification Practice Exam page.

These exams are provided solely as a courtesy for your learning pleasure.

These exams are updated monthly however we will not provide support on these. Updated 06/24/2020

If you require support on your practice exams than consider our practice exams on Udemy.

Good Luck on the exams. You may also want to review the posts I have on these exams that provide a top ten list and a deep dive on this blog site.

AWS Security Specialization Exam

AWS Certified Security Specialty Exam #1

FREE AWS Certified Security Specialty Practice Questions Exam 1

1 / 10

A threat assessment has identified a risk whereby an internal employee could exfiltrate sensitive data from production host running inside AWS (Account 1). The threat was documented as follows:
Threat description: A malicious actor could upload sensitive data from Server X by configuring credentials for an AWS account (Account 2) they control and uploading data to an Amazon S3 bucket
within their control. Server M has outbound internet access configured via a proxy server. Legitimate access to S3 is required so that the application can upload encrypted files to an S3 bucket. Server X is currently using an IAM
instance role. The proxy server is not able to inspect any of the server communication due to TLS
encryption. Which of the following options will mitigate the threat? (Choose two.)

Bypass the proxy and use an S3 VPC endpoint with a policy that whitelists only certain S3 buckets within Account 1.

Block outbound access to public S3 endpoints on the proxy server.

Configure Network ACLs on Server M to deny access to S3 endpoints.

Modify the S3 bucket policy for the legitimate bucket to allow access only from the public IP addresses associated with the application server. E. Remove the IAM instance role from

https://aws.amazon.com/premiumsupport/knowledge-center/connect-s3-vpc-endpoint/

https://aws.amazon.com/blogs/security/iam-policies-and-bucket-policies-and-acls-oh-my-controlling-access-to-s3-resources/

2 / 10

A Systems Engineer has been tasked with configuring outbound mail through Simple Email Service (SES) and requires compliance with current TLS standards.
The mail application should be configured to connect to which of the following endpoints and corresponding ports?

email.us-east-1.amazonaws.com over port 8080

email-pop3.us-east-1.amazonaws.com over port 995

email-smtp.us-east-1.amazonaws.com over port 587

email-imap.us-east-1.amazonaws.com over port 993

https://docs.aws.amazon.com/ses/latest/DeveloperGuide/smtp-connect.html

To set up a STARTTLS connection, the SMTP client connects to the Amazon SES SMTP endpoint on port 25, 587, or 2587, issues an EHLO command, and waits for the server to announce that it supports the STARTTLS SMTP extension. The client then issues the STARTTLS command, initiating TLS negotiation. When negotiation is complete, the client issues an EHLO command over the new encrypted connection, and the SMTP session proceeds normally.

3 / 10

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located
in private subnets. How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose
two.)

Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.

Move the web servers to private subnets without public IP addresses.

Configure AWS WAF to provide DDoS attack protection for the ALB.

Require all inbound network traffic to route through a bastion host in the private subnet.

4 / 10

The Security Engineer implemented a new vault lock policy for 10TB of data and called initiate-vault-lock 12 hours ago. The Audit team identified a typo that is allowing incorrect access to the vault.
What is the MOST cost-effective way to correct this? (Select One)

Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again

Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.

Update the policy, keeping the vault lock in place.

Update the policy and call initiate-vault-lock again to apply the new policy.

5 / 10

The Security team believes that a former employee may have gained unauthorized access to AWS resources sometime in the past 3 months by using an identified access key.
What approach would enable the Security team to find out what the former employee may have done
within AWS?

Use the AWS CloudTrail console to search for user activity.

Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.

Use AWS Config to see what actions were taken by the user

Use Amazon Cloudformation to query CloudTrail logs stored in Amazon S3.

Cloudtrail https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

Note that it would be possible to use Athena

ou can use Athena to query these log files directly from Amazon S3, specifying the LOCATION of log files. You can do this one of two ways:

By creating tables for CloudTrail log files directly from the CloudTrail console.
By manually creating tables for CloudTrail log files in the Athena console.

6 / 10

A company wants to control access to its AWS resources by using identities and groups that are defined in its existing Microsoft Active Directory.
What must the company create in its AWS account to map permissions for AWS services to Active Directory user attributes?

AWS IAM Groups

AWS IAM Users

AWS IAM Roles

AWS IAM Access Keys

https://aws.amazon.com/blogs/security/how-to-connect-your-on-premises-active-directory-to-aws-using-ad-connector/

https://docs.aws.amazon.com/directoryservice/latest/admin-guide/ms_ad_manage_roles.html

7 / 10

A company is evaluating Amazon S3 as a data storage solution for their daily analyst reports.
The company has implemented stringent requirements concerning the security of the data at test
Specifically, the CISO asked for the use of envelope encryption with separate permissions for the use of
an envelope key, automated rotation of the encryption keys, and visibility into when an encryption key
was used and by whom. Which steps should you take as a security expert take to satisfy the security requirements requested by the
CISO?

Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Customer- Provided Keys (SSE-C)

Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Amazon S3Managed Keys (SSE-S3)

Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with AWS KMSManaged Keys (SSE-KMS)

Create an Amazon S3 bucket to store the reports and use Amazon S3 versioning with Server- Side Encryption with Amazon S3-Managed Keys (SSE-S3)

https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingServerSideEncryption.html

8 / 10

Your job is as a Solutions Architect that is designing a solution that includes a managed VPN connection. You need to monitor whether the VPN connection is up or down. What would you use to monitor availability?. Select One

An external service to ping the VPN endpoint from outside the VPC

AWS CloudTrail to monitor the endpoint

The CloudWatch TunnelState Metric

An AWS Lambda function that parses the VPN connection logs.

Specific Metrics https://docs.aws.amazon.com/vpn/latest/s2svpn/monitoring-cloudwatch-vpn.html

9 / 10

Your company is hosting a two-tier application that consists of a publicly accessible web server that communicates with a private database. Only HTTPS port 443 traffic to the web server must be allowed from the internet.
Which of the following options would achieve these requirements? (Select Two.)

Security group rule that allows inbound internet traffic for port 443

Security group rule that drives all inbound internet traffic expect port 443

Network ACL rule that allows port 443 inbound and all ports outbound for internet traffic

Network ACL rule that allows port 443 for both inbound and outbound for all Internet traffic

We need to ensure that traffic is controlled thru appropriate security group rules.

10 / 10

An application is currently secured using network access control lists and security groups. Web servers are located in public subnets behind an Application Load Balancer (ALB); application servers are located in private subnets.
How can edge security be enhanced to safeguard the Amazon EC2 instances against attack? (Choose two.)

Configure the application’s EC2 instances to use NAT gateways for all inbound traffic.

Move the web servers to private subnets without public IP addresses.

Configure AWS WAF to provide DDoS attack protection for the ALB.

Require all inbound network traffic to route through a bastion host in the private subnet.

Your score is

AWS Certified Security Specialty Exam #2

FREE AWS Certified Security Specialty Practice Questions Exam 2

1 / 2

Call the abort-vault-lock operation, fix the typo, and call the initiate-vault-lock again

Copy the vault data to Amazon S3, delete the vault, and create a new vault with the data.

Update the policy, keeping the vault lock in place.

Update the policy and call initiate-vault-lock again to apply the new policy.

2 / 2

Use the AWS CloudTrail console to search for user activity.

Use the Amazon CloudWatch Logs console to filter CloudTrail data by user.

Use AWS Config to see what actions were taken by the user

Use Amazon Cloudformation to query CloudTrail logs stored in Amazon S3.

Cloudtrail https://docs.aws.amazon.com/athena/latest/ug/cloudtrail-logs.html

Note that it would be possible to use Athena

ou can use Athena to query these log files directly from Amazon S3, specifying the LOCATION of log files. You can do this one of two ways:

By creating tables for CloudTrail log files directly from the CloudTrail console.
By manually creating tables for CloudTrail log files in the Athena console.

Your score is

AWS Associate Cloud Architect Exam

0 votes, 0 avg

You have 30 Minutes to complete

Created on October 23, 2019 By

holbrookjp

AWS Certified Solutions Architect – Associate SAA-C01 Practice Exam 1

FREE AWS Certified Solutions Architect – Associate Practice Exam . There are 20 questions per exam.

If you feel you need more questions please go to my Udemy page link below for discount practice exams.

1 / 20

Shared tenancy is the default instance hosting method with EC2. True or False?

True

False

Depends on your credit limit with AWS

Depends on the region

2 / 20

A company is evaluating Amazon S3 as a data storage solution for their daily analyst reports. The company has implemented stringent requirements concerning the security of the data at test
Specifically, the CISO asked for the use of envelope encryption with separate permissions for the use of an envelope key, automated rotation of the encryption keys, and visibility into when an encryption key
was used and by whom. Which steps should a Solutions Architect take to satisfy the security requirements requested by the CISO?

Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Customer- Provided Keys (SSE-C)

Create an Amazon S3 bucket to store the reports and use Amazon S3 versioning with Server- Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with AWS KMSManaged Keys (SSE-KMS)

Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Amazon S3Managed Keys (SSE-S3)

3 / 20

A company has publicly hosted web applications and an internal Intranet protected by a proxy and a firewall.

Which technique will help protect against enumeration? Select One

Reject all invalid email received

Allow full DNS zone transfers

Remove C Records

Enable null session pipes.

Remove A records for internal hosts.

DNS Records – “A” records map a domain name to the IP address (IPv4) of the computer hosting the domain. Simply put, an A record is used to find the IP address of a computer connected to the internet from a name. The A in A record stands for Address. Whenever you visit a web site, send an email, connect to Twitter or Facebook or do almost anything on the Internet, the address you enter is a series of words connected with dots.

4 / 20

Which are the follow three items are true about AWS security groups? Select Three

Only “allow” rules are permitted

Instances receive the default security group for the VPC

Cannot layer security groups

Instances receive the default security group for the network

Separate inbound and outbound rules are used

5 / 20

What are two benefits of using a shared tenancy for you VMs in AWS? Select Two

Simpler deployments

Reduced costs

Less control

Lower performance

6 / 20

You have been advised your enterprise must now meet strict compliance standards. This means that the company must have encrypted archival data storage and will be audited. Data will be
accessed infrequently and may be recovered. The company requires that the storage be secure, durable and provided at the most cost effective solution on AWS available.
What type of storage should be specified? Select One

EFS

S3 Standard

EBS

Glacier

S3 RR

7 / 20

You just created a new S3 bucket and added objects. Your NAS administrator is a bit confused and cant understand why there is no obvious hierarchy. What can you do to create a folder like view? Select One.

Use prefixes

Not possible, use EFS if that is required.

Use the folder solution from the marketplace

Use tags

8 / 20

What is “bootstrapping” in the world of AWS EC2 instances considered? Select One

Providing code to be run on an instance at launch

Providing code to be run on an instance after launch

Installing updates to bootprom

Bootstrapping is not possible in EC2 since you can export existing instances

9 / 20

What is the maximum number of security groups we assign to an EC2 instance?

100

Depends on the AMI

10 / 20

A future AWS certified solutions architect is currently designing a solution that can monitor memory and disk space utilization of all EC2 instances running Amazon Linux and Windows. Which solution would meet the requirement?

Marketplace CloudWatch metrics

Default Amazon CloudWatch metrics

Custom Amazon CloudWatch metrics

Metrics need to segmented into two groups. One for Windows and one for Linux.

11 / 20

What S3 related parameters would you configure on S3 objects to ensure limits on the user base who can access S3 objects?

Security Parameters

Firewall

Encryption

ACL

12 / 20

S3 is accessed by Application Programming Interfaces (API) and you are being asked by the developer on the project your consulting about the type of API used. What API type do you tell them?

REST API

OPEN API

SOAP API

Graph API

13 / 20

Your company runs a legacy application with a single-tier architecture on an Amazon EC2 Instance. The application profile is that it requires low disk performance with occasional spikes during business hours. After business hours you can shut the EC2 instance down. Which storage option is MOST appropriate for this workload?

EFS General Purpose SSD (gp2) storage

EBS Provision IOPS SSD (io1) storage

EC2 Instance Storage

EFS Provision IOPS SSD (io1) storage

EBS General Purpose SSD (gp2) storage

14 / 20

In the shared security model the customer and the provider (AWS) have responsibilities for securing resources. What is a requirement that AWS does not handle for the customer? Select One

Host hardware updates for Dell Servers

Customer applications installed on EC2 instances

Data Center Access and Security

Hypervisor software updates for VMWare

15 / 20

Your company is using AWS to host a two-tier application that consists of a publicly accessible web server that communicates with an on premises database. Your CISO has warned you to only HTTPS port 443 traffic to the web server from the internet. Which twp options will meet these requirements? (Select Two.)

Security group rule that allows internet traffic for port 443 for both inbound and outbound ports

Security group rule that allows inbound internet traffic for port 443

Network ACL rule that allows port 443 for both inbound and outbound for all Internet traffic

Security group rule that allows all outbound internet traffic for port 443

Security group rule that provides for 0.0.0.0/x network access

16 / 20

What EC2 instance type would you recommend to a user that needs high end graphics processing? (Select One)

X1e

None of the above

Anyone will support this requirement

17 / 20

How many tags can an AWS S3 object have assigned to it?

100

1000

1010

18 / 20

Your installing a new software and it has a constraint to use a dedicated host in AWS? What type of software would this be?

Likely Oracle or Microsoft

A per processor licensed software

A per vCPU licensed software

SQL Server

19 / 20

When considering the instance root volume in AWS EC2 what would be two factors to choose an EBS backed AMI over an Instance store AMI? Select Two

Your customer could care less about the location of the root volume

Your customer wants support for stop actions

Your customer wants requires that data is not lost because of a failure

Your customer is cheap and wont pay a lot for compute services

20 / 20

What object property defines the performance you will get when reading and writing to the object?

Storage Versioning

Storage Tier

Storage Class

Storage Pricing

Your score is

The average score is 47%

LinkedIn Facebook Twitter VKontakte

0 votes, 0 avg

You have 90 Minutes to complete the exam.

Created on October 24, 2019 By

holbrookjp

AWS Certified Solutions Architect – Associate SAA-C01 Practice Exam 2

FREE AWS Certified Solutions Architect – Associate Practice Exam . There is 50 questions in this exam

If you feel you need more questions please go to my Udemy page link below for discount practice exams.

1 / 50

Which of the following protocols is not commonly used in VPNs? Select One

IPSec

PPTP

L2TP

DHCP

2 / 50

Which of the following provide ways to automate the backup of your RDS database? (Choose two.)

Create a pipeline

S3 life-cycle management policies

Automated snapshots

Automated backups

3 / 50

Which of the following statements are true about edge and region locations? (Choose two.)

There are fewer regions than edge locations.

There are more edge locations than availability zones

There are fewer edge locations than availability zones.

Each availability zone has a corresponding edge location.

4 / 50

Which of the following statements regarding EBS volumes and EC2 instances would not be correct?

You can attach multiple EC2 instances to a single EBS volume at one time.

You can attach multiple EC2 instances to a single EBS volume, but not all at the same time.

You can attach multiple EBS volumes to a single EC2 instance at one time.

Non-root EBS volumes are not deleted when an attached instance is terminated by default.

5 / 50

Your application is using an ELB in front of an Auto Scaling group of web/application servers deployed across two AZs and a Multi-AZ RDS Instance for data persistence.
The database CPU is often above 80% usage and 90% of I/O operations on the database are reads. To improve performance, you recently added a single-node Memcached ElastiCache Cluster to cache
frequent DB query results. In the next weeks the overall workload is expected to grow by 30%. Do you need to change anything in the architecture to maintain the high availability or the application
with the anticipated additional load? Why?

No, if the cache node fails you can always get the same data from the DB without having any availability impact.

Yes, you should deploy the Memcached ElastiCache Cluster with two nodes in the same AZ as the RDS DB master instance to handle the load if one cache node fails

No, if the cache node fails the automated ElastiCache node recovery feature will prevent any availability impact

Yes, you should deploy two Memcached ElastiCache Clusters in different AZs because the RDS instance will not be able to handle the load if the cache node fails.

6 / 50

You would like to understand why your AWS monthly spending is continuing to grow so you can explain where the money is being wasted to your CIO. What tool would provide insight into this challenge?

AWS Budgets

Trusted Advisor

AWS Billing Advisor

Cost Explorer

7 / 50

EBS General Purpose SSD (gp2) storage

EC2 Instance Storage

EBS Provision IOPS SSD (io1) storage

EFS General Purpose SSD (gp2) storage

EFS Provision IOPS SSD (io1) storage

8 / 50

Which of the following S3 storage classes has the highest availability?

S3 Glacier

S3 RR

S3 Standard

S3-IA

9 / 50

Your customer has compared prices between spot instances and reserved instances. The customer would like to know why they should NOT use spot instances. What are two reasons. (Select Two)

The application is flexible when it starts and stops

The application is not flexible when it starts and stops

The application has frequent spikes in traffic

The application is used for batch files

10 / 50

What is the smallest file size that can be stored on standard class S3?

1KB

0 bytes

1KB

1MB

11 / 50

How long does a typical Glacier data retrieval take?

1 Hour

5-7 Hours

Less than 1 Hour

3-5 Hours

12 / 50

A Solutions Architect notices slower response times from an application. The CloudWatch metrics on the MySQL RDS indicate Read IOPS are high and fluctuate significantly when the database is under load.
How should the database environment be re-designed to resolve the IOPS fluctuation?

Scale the web server tier horizontally.

Split the DB layer into separate RDS instances.

Change the storage type to Provisioned IOPS.

Change the RDS instance type to get more RAM.

13 / 50

You are deploying this new application in AWS and would like to ensure the workload can perform extremely well and consistently? What EBS volume would you select?

Shared IOPS

Provisioned IOPS

ElasticCache

Throughput Optimized HDD

14 / 50

Which of the following are SQL-based options in RDS? (Choose two.)

MongoDB

MariaDB

MS-SQL

DB2

15 / 50

Your company is storing data on Amazon Simple Storage Service (S3) and your CIO is mandating that data is encrypted at rest. How can this be achieved? Select Three

Use Amazon S3 server-side encryption with customer-provided keys.

Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key.

Use Amazon S3 server-side encryption with encrypted NAT services

Use Amazon S3 server-side encryption with AWS Key Management Service managed keys.

Use SSL to encrypt the data while in transit to Amazon S3.

16 / 50

You have decided to create peering configuration for two VPCs. What are the two terms used to describe both the initiator and the receiver of the request in AWS?

Requester

Peer

Reciever

Paired

17 / 50

You are working on increasing performance for an application that routinely sees traffic spikes between 8am and 10am every day. However, even with Auto Scaling policies, load increases so quickly that response times impact the user experience. Without knowing anything more than this about what the traffic surge represents, how could you most easily and efficiently ensure that your application can respond to these surges?

Setup scheduled scaling

Setup on demand scaling

Create a script in Lambda to accomadate

Create a script in EC2 to accomadate

18 / 50

You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet. The application must have a highly available architecture. (Choose Two)

Configure a NAT instance in your VPC Create a default route via the NAT instance and associate it with all subnets Configure a DNS A record that points to the NAT instance public IP address.

Assign EIPs to all web servers. Configure a Route53 record set with all EIPs, with health checks and DNS failover.

Configure ELB with an EIP Place all your Web servers behind ELB Configure a Route53 A record that points to the EIP.

Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers Configure a Route53 CNAME record to your CloudFront distribution

19 / 50

Your customer has stated they need to transfer 30 TB of data into S3 and want to avoid lengthy network exchanges and network saturation. What option would provide your customer with inexpensive data transfer at a large scale?

Avalanche

Glacier

Snowmobile

Snowball

20 / 50

There appears to be an issue an RDS. You would like to access an RDS instance to troubleshoot operating system problems? What do you use?

SSL

RDP

SSH

None of the Above

21 / 50

What is the default visibility of a newly created S3 bucket?

Private

Role Based

IAM Based default

Public

22 / 50

A Solutions Architect is designing a stateful web application that will run for one year (24/7) and then be decommissioned. Load on this platform will be constant, using a number of r4.8xlarge instances. Key
drivers for this system include high availability is not required. What is the MOST cost-effective way to purchase compute for this platform?

Spot Instances

Convertible Reserved Instances

Scheduled Reserved instances

Standard Reserved instances

23 / 50

You would like to more features in Trusted Adviser. Currently, you have developer support and need to upgrade to the next level of support to unlock more features of Trusted Adviser. What level is above Developer?

Business

Enterprise

Corporate

Developer Paid

24 / 50

How does the cost of standard reserved instances compare with the cost of on-demand instances?

Standard reserved instances and on-demand are totally different and thus can not be compared.

Standard reserved instances cost significantly less than on-demand instances.

Standard reserved instances cost almost the same than on-demand instances

Standard reserved instances cost significantly more than on-demand instances.

25 / 50

When considering the instance root volume in AWS EC2 what would be two factors to choose an EBS backed AMI over an Instance store AMI? Select Two

Your customer wants requires that data is not lost because of a failure

Your customer could care less about the location of the root volume

Your customer wants support for stop actions

Your customer is cheap and wont pay a lot for compute services

26 / 50

An ERP application is deployed across multiple AZs in a single region. In the event of failure, the Recovery Time Objective (RTO) must be less than 3 hours, and the Recovery Point Objective (RPO) must
be 15 minutes the customer realizes that data corruption occurred roughly 1.5 hours ago. What DR strategy could be used to achieve this RTO and RPO in the event of this kind of failure?

Take 15 minute DB backups stored In Glacier with transaction logs stored in S3 every 5 minutes.

Take hourly DB backups to EC2 Instance store volumes with transaction logs stored In S3 every 5 minutes.

Use synchronous database master-slave replication between two availability zones.

Take hourly DB backups to S3, with transaction logs stored in S3 every 5 minutes.

27 / 50

What type of replication occurs in a read replica RDS setup?

Synchronous

Neither, its a hybrid form or replication

Asynchronous

Asynchronous and Synchronous

28 / 50

A company has a popular multi-player mobile game hosted in its on-premises datacenter. The current infrastructure can no longer keep up with demand end the company is considering a move to the cloud.
Which solution should a Solutions Architect recommend as me MOST scalable and cost- effective solution to meet these needs?

Amazon EC2 and Amazon Elastic Transcoder

Amazon EC2 and an Application Load Balancer

AWS Lambda and Amazon API Gateway

Amazon S3 and Amazon CloudFront

29 / 50

You are an architect working on adding scalability to an application based on EC2 instances within a public-facing VPC. You want the maximum amount of flexibility in weighting and load balancing options, as you plan to experiment with various routing types to see which handles load most evenly. Which type of load balancer should you use?

Network Load Balancer

Classic or the Application Load Balancers

Classic Load Balancer

Application Load Balancer

30 / 50

How can you control access to S3 buckets and objects? Select Three

IAM Policies

Bucket Policy

ACLs

Nat Services

NACLS

31 / 50

What are the two types of VPNs that would be used in AWS? (Select Two)

Point to Point VPN

Remote Access VPN

Site to Site VPN

Direct Access VPN

32 / 50

Your currently designing a new AWS configuration and would like to interconnect your VPCs and your on premises You want to connect multiple VPC and want to manage as one connection. What would be the AWS service you could select that would meet these requirements?

AWS Transit Gateway

AWS ELB

AWS NAT

AWS Peering

33 / 50

An internet-facing multi-tier web application must be highly available. An ELB Classic Load Balancer is deployed in front of the web tier. Amazon EC2 instances at the web application tier are
deployed evenly across two Availably Zones. The database is deployed using RDS Multi-AZ. A NAT instance is launched for Amazon EC2 instances and database resources to access the Internet. These
instances are not assigned with public IP addresses.
Which component poses a potential single point of failure in this architecture?

EBS

EC2

RDS

Elastic Load Balancer

34 / 50

Your CIO has summoned you into the office on a Friday afternoon since he received the AWS cloud spend bill for last month. He wants to setup an alert that goes to him when a threshold has been exceeded. What tool could you use to enable this request?

Cost Explorer

AWS Billing

AWS Budgets

Need to setup Lambda and workflow to get this done

35 / 50

Which of the following need to be considered across all regions in your account? (Choose two.)

RDS Instances

S3 bucket names

IAM Users

EC2 Instances

36 / 50

Which of the following are valid domain names for S3 buckets? (Choose two.)

s3.amazonaws.com

s3-jp=west-2.amazonaws.com

s3-jp-west-2.amazonaws.com

s3-us-west-2.amazonaws.com

37 / 50

Which of the following are valid reasons for using Multipart Upload for uploading objects to S3? (Choose two.)

You need a solution to connect two VPNs

You need a solution to decrease the time required to upload large files.

You need a solution to decrease the time required to upload small files.

You need a solution that recovers from network issues.

38 / 50

Which instance type is ideal for an application that suffers numerous spikes in usage at unpredictable times?

Dedicated Host

On Demand

Spot

Reserved

39 / 50

Your company needs a storage solution that can support millions of customers accessing billing data. The data should be instantly accessible for users, but individual bills are not accessed that often. What is the most cost-efficient storage for this use case?

Glacier with overnight delivery

Standard S3

S3-IA

Glacier

40 / 50

By default, how long do edge locations cache objects?

Depends, you get what you pay for.

41 / 50

What EC2 instance type would you recommend to a user that needs high end graphics processing? (Select One)

X1e

Anyone will support this requirement

None of the above

42 / 50

Which of the following does a Multi-AZ RDS setup address? (Choose two.)

Cost Efficiency

Performance Improvement

Disaster Recovery

Redundancy

43 / 50

Each EC2 instance in the VPC has an interface. What is this interface called?

Network Address Translation

Elastic Network Adaptor

Elastic Network Interface

Elastic IP

44 / 50

Your CTO has asked about how AWS charges for use of it services. He would like to understand actions that incur costs within AWS. (Choose two.)

Data egress to internet

Transfers between zones in same region

Data ingress to AWS

Transfers between different regions

45 / 50

Which of the following routing policies chooses a route for a user based on the latency of the available region to which traffic can be directed?

Latency Based

Geo Based

Response Based

RTT Based

46 / 50

Which of the following selections will provide performance improvements in an RDS instance that is currently overloaded? (Choose two.)

Upgrade the RDS instance.

Create RDS read replicas of the instance

Configure the instance to use Multi-AZ.

Switch the database engine type

47 / 50

You customer has a heavy load on an RDS data instance. You want to avoid the overhead and cost of upgrading the instance to a larger instance size. What other options should you consider? (Choose two.)

Use an ELB

Use Elasticache

Use Multi-Zone Configs

Create read replicas

48 / 50

Which of the following statements are true about RDS? Select Two

Reserved instances can be used for Multi-AZ deployments

Reserved instances can not be used for Multi-AZ deployments.

Some RDS databases support SQL as an interface.

All RDS databases support SQL as an interface.

49 / 50

Metrics need to segmented into two groups. One for Windows and one for Linux.

Marketplace CloudWatch metrics

Default Amazon CloudWatch metrics

Custom Amazon CloudWatch metrics

50 / 50

Which of the following are available to use as an EBS boot volume? (Choose two.)

General SSD

Cold HDD

Provisioned IOPS

Throughput Optimized

Your score is

The average score is 69%

LinkedIn Facebook Twitter VKontakte

AWS Class Final Practice Exam

0 votes, 0 avg

You have two hours to complete the exam. Good Luck

Created on October 25, 2019 By

holbrookjp

AWS Certified SysOps Administrator – Associate

AWS Certified SysOps Administrator – Associate There are 65 questions in this exam

1 / 65

Where is data stored when placed into S3-IA? (Choose two.)

In a single zone only

In all the regions and zones in the continent

In the region specified at bucket creation

In at least three availability zones

All S3 and S3-IA data is stored in a single region and within at least three availability zones within that region.

2 / 65

What EC2 instance type would you recommend to a user that needs high end graphics processing? (Select One)

None of the above

Anyone will support this requirement

X1e

3 / 65

What is the maximum number of security groups we assign to an EC2 instance?

100

Depends on the AMI

4 / 65

Which of the following are a collection of permissions in IAM?

Policy

Organization

Group

Role

5 / 65

Your customer has called on a Friday afternoon before you leave for home and is asking how why they can not provision more Elastic IPs in a region. What do you tell them?

They are likely not following instructions since there are no preset limits

Validate they 10 in a region. If so call support

Validate they have 5 in a region. If so call support

Remove old EIPs and provision new ones since they hit the max allowed

AWS accounts by default allow five elastic IP addresses per regions. As with most AWS defaults, this can be raised by contacting AWS and providing a reasonable justification.

6 / 65

Reference the graphic for this question.

You just showed up a new cloud job and your being asked to evaluate the spreadsheet from the user. What report is this?

This is a downloadable report from Macie

This is a downloadable report from Trusted Advisor

This is a downloadable report from Opswork

This is a report the customer or someone created

7 / 65

Which of the following statements are true about edge and region locations? (Choose two.)

Each availability zone has a corresponding edge location.

There are more edge locations than availability zones

There are fewer edge locations than availability zones.

There are fewer regions than edge locations.

8 / 65

EFS Provision IOPS SSD (io1) storage

EFS General Purpose SSD (gp2) storage

EBS General Purpose SSD (gp2) storage

EBS Provision IOPS SSD (io1) storage

EC2 Instance Storage

9 / 65

You are responsible for building out an application that serves user bases in the USA, Canada, Brazil, Singapore and India. You want to ensure that the company users receive localized content in their own area. Which of the following routing policies should you consider for this application in Route53?

Geolocation routing

Failover routing

Time based routing

Latency based routing

10 / 65

Shared tenancy is the default instance hosting method with EC2. True or False?

False

Depends on the region

Depends on your credit limit with AWS

True

11 / 65

In the shared security model the customer and the provider (AWS) have responsibilities for securing resources. What is a requirement that AWS does not handle for the customer? Select One

Customer applications installed on EC2 instances

Hypervisor software updates for VMWare

Host hardware updates for Dell Servers

Data Center Access and Security

12 / 65

How can you control access to S3 buckets and objects? Select Three

NACLS

IAM Policies

Bucket Policy

ACLs

Nat Services

13 / 65

You would like deploy a centralized management of users in AWS for your companies cloud resources in AWS. What are the two options to accomplish this?

AWS Policies

Third party solutions such as OKTA

AWS Organizations

AWS KMS

AWS IAM

IAM provides permissions, groups, users, and roles, and AWS Organizations provides logical groupings and account management. Both operate across all AWS resources.

14 / 65

What is “bootstrapping” in the world of AWS EC2 instances considered? Select One

Installing updates to bootprom

Providing code to be run on an instance at launch

Providing code to be run on an instance after launch

Bootstrapping is not possible in EC2 since you can export existing instances

15 / 65

Which of the following protocols is not commonly used in VPNs? Select One

L2TP

PPTP

IPSec

DHCP

16 / 65

You must improve the performance of your existing DynamoDB database. Currently, you believe that CPU utilization is the biggest concern, although you are attempting to proactively provision additional resources rather than reacting to an existing load problem. Which of the following might be your approach?

None, this is a managed service and scales automatically

Setup read replicas

Provision more IOPS to the Db

Stop the database and restart

17 / 65

Referring to the network diagram please specify the result for the customer if the following happened. (Select Two)

1. Customer added a bastion host

2. Customer accidentally removed the NAT Gateway

Customer would have an SSH gateway for use to login via SSH on EC2 VMS

Customer would disrupt all traffic ingressing the public VPC

Customer would shutdown the companies resources to both public and private networks

Customer would disrupt traffic egressing the public VPC

18 / 65

Which of the following are valid S3 request headers? (Choose two.)

x-aws-date

Content Size

x-amz-date

Content-Length

AWS defines several custom request headers, and all begin with x-amz rather than x-aws. Content Length is correct.

19 / 65

No, if the cache node fails you can always get the same data from the DB without having any availability impact.

Yes, you should deploy two Memcached ElastiCache Clusters in different AZs because the RDS instance will not be able to handle the load if the cache node fails.

No, if the cache node fails the automated ElastiCache node recovery feature will prevent any availability impact

Yes, you should deploy the Memcached ElastiCache Cluster with two nodes in the same AZ as the RDS DB master instance to handle the load if one cache node fails

20 / 65

How long does a typical Glacier data retrieval take?

Less than 1 Hour

1 Hour

3-5 Hours

5-7 Hours

21 / 65

What is the default visibility of a newly created S3 bucket?

Private

IAM Based default

Role Based

Public

22 / 65

You are deploying this new application in AWS and would like to ensure the workload can perform extremely well and consistently? What EBS volume would you select?

ElasticCache

Provisioned IOPS

Throughput Optimized HDD

Shared IOPS

23 / 65

Which of the following does a Multi-AZ RDS setup address? (Choose two.)

Disaster Recovery

Redundancy

Cost Efficiency

Performance Improvement

24 / 65

Which of the following are valid domain names for S3 buckets? (Choose two.)

s3.amazonaws.com

s3-jp=west-2.amazonaws.com

s3-jp-west-2.amazonaws.com

s3-us-west-2.amazonaws.com

25 / 65

Which of the following need to be considered across all regions in your account? (Choose two.)

IAM Users

EC2 Instances

RDS Instances

S3 bucket names

26 / 65

How many domain names can you manage using Route53?

100

100 or call support for higher limit

50 or call support for higher limit

27 / 65

Which of the following S3 storage classes has the highest availability?

S3 Glacier

S3 Standard

S3 RR

S3-IA

28 / 65

Which of the following are valid reasons for using Multipart Upload for uploading objects to S3? (Choose two.)

You need a solution to decrease the time required to upload large files.

You need a solution to decrease the time required to upload small files.

You need a solution that recovers from network issues.

You need a solution to connect two VPNs

29 / 65

Which of the following routing policies chooses a route for a user based on the latency of the available region to which traffic can be directed?

Geo Based

Latency Based

RTT Based

Response Based

30 / 65

You are currently being asked by your CIO to ensure that his emails can not be deleted. However, he also asks you to ensure that if they are accidentally deleted that there are audits that can identify this. What are two options you can impose? Select Two

KMS

MFA Delete

Cloudwatch

Versioning

31 / 65

Which of the following are valid reasons to use read replication in RDS? (Choose two.)

You have customers in a region geographically distant from your primary instance and want to improve their read performance when they access your applications hosted in regions closer to them.

Your boss has asked for an automated backup solution that takes advantage of AWS managed services.

You need to perform additional OLTP queries and want to improve the performance of those queries.

Your current database instance is showing memory saturation with current traffic loads.

32 / 65

What type of media distribution on CloudFront should you use for video media streaming?

RTMP Based distribution

MP4 Based distribution

Web Based distribution

Edge Based distribution

An RTMP distribution is the Adobe Real-Time Messaging Protocol and is suitable for using S3 buckets as an origin server to serve streaming media.

33 / 65

Security group rule that allows all outbound internet traffic for port 443

Network ACL rule that allows port 443 for both inbound and outbound for all Internet traffic

Security group rule that provides for 0.0.0.0/x network access

Security group rule that allows inbound internet traffic for port 443

Security group rule that allows internet traffic for port 443 for both inbound and outbound ports

34 / 65

Which of the following are SQL-based options in RDS? (Choose two.)

MariaDB

DB2

MongoDB

MS-SQL

35 / 65

Which of the following provide ways to automate the backup of your RDS database? (Choose two.)

Create a pipeline

Automated backups

Automated snapshots

S3 life-cycle management policies

36 / 65

Which of the following is a valid routing policies for Route 53?

Distributed

ICMP

Geoproximity

Balanced

37 / 65

Your currently considering using CloudFormation for templating your resources in AWS. What are the two supported formats for templates?

JSON

XML

YAML

SAML

YAML and JSON are only supported. Review documentation if this is not clear

38 / 65

You just created a website called ipassedmyawsexam.com. You also would like to add other domains that are similiar such as ipassedmyawsexam.org as well so you’ve recently purchased the additional domains. What DNS record set would you use to point all the domains to the same domain (forward)?

CNAME

AAAA

39 / 65

Which of the following take the place of a traditional firewall appliance in AWS? (Select Two)

Security Groups

NACLS

VPCs

WAF

Network access control lists (NACLs) and security groups are the primary mechanisms within AWS that replace traditional firewalls.

40 / 65

Your installing a new software and it has a constraint to use a dedicated host in AWS? What type of software would this be?

SQL Server

Likely Oracle or Microsoft

A per processor licensed software

A per vCPU licensed software

41 / 65

Which of the following AWS-defined IAM policies offer read and write access to the S3 and EC2 services? (Select Two)

Administrator

EC2 Admin

Network Admin

Power User

42 / 65

A company is evaluating Amazon S3 as a data storage solution for their daily analyst reports. The company has implemented stringent requirements concerning the security of the data at test
Specifically, the CISO asked for the use of envelope encryption with separate permissions for the use of an envelope key, automated rotation of the encryption keys, and visibility into when an encryption key
was used and by whom. Which steps should a Solutions Architect take to satisfy the security requirements requested by the CISO?

Create an Amazon S3 bucket to store the reports and use Amazon S3 versioning with Server- Side Encryption with Amazon S3-Managed Keys (SSE-S3)

Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Amazon S3Managed Keys (SSE-S3)

Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with AWS KMSManaged Keys (SSE-KMS)

Create an Amazon S3 bucket to store the reports and use Server-Side Encryption with Customer- Provided Keys (SSE-C)

43 / 65

Which are the follow three items are true about AWS security groups? Select Three

Separate inbound and outbound rules are used

Instances receive the default security group for the VPC

Instances receive the default security group for the network

Cannot layer security groups

Only “allow” rules are permitted

44 / 65

When considering the instance root volume in AWS EC2 what would be two factors to choose an EBS backed AMI over an Instance store AMI? Select Two

Your customer could care less about the location of the root volume

Your customer wants requires that data is not lost because of a failure

Your customer is cheap and wont pay a lot for compute services

Your customer wants support for stop actions

45 / 65

Your customer launched an EC2 instance that has two volumes attached which are

Root
An additional volume (Both created with default settings) What would happen to each volume when terminated?

Root volume is persistent so data is available. The additional volume is deleted

I have no idea and need to call support

The volumes are not persistent all data is lost

Root volume is not persistent so data is lost. Additional volume is persistent so data is available

By default, root volumes are terminated on instance deletion and by default, additional EBS volumes attached to an instance are not.

46 / 65

Default Amazon CloudWatch metrics

Metrics need to segmented into two groups. One for Windows and one for Linux.

Marketplace CloudWatch metrics

Custom Amazon CloudWatch metrics

47 / 65

How many availability zones (AZ) can a subnet span?

Two

One

No Limits

Two

A subnet cannot span availability zones but can be added to a single AZ

48 / 65

You are designing Internet connectivity for your VPC. The Web servers must be available on the Internet. The application must have a highly available architecture. (Choose Two)

Configure a NAT instance in your VPC Create a default route via the NAT instance and associate it with all subnets Configure a DNS A record that points to the NAT instance public IP address.

Assign EIPs to all web servers. Configure a Route53 record set with all EIPs, with health checks and DNS failover.

Configure ELB with an EIP Place all your Web servers behind ELB Configure a Route53 A record that points to the EIP.

Configure a CloudFront distribution and configure the origin to point to the private IP addresses of your Web servers Configure a Route53 CNAME record to your CloudFront distribution

49 / 65

What are two benefits of using a shared tenancy for you VMs in AWS? Select Two

Lower performance

Simpler deployments

Reduced costs

Less control

50 / 65

You have decided to create peering configuration for two VPCs. What are the two terms used to describe both the initiator and the receiver of the request in AWS?

Requester

Peer

Paired

Reciever

51 / 65

Take hourly DB backups to EC2 Instance store volumes with transaction logs stored In S3 every 5 minutes.

Use synchronous database master-slave replication between two availability zones.

Take hourly DB backups to S3, with transaction logs stored in S3 every 5 minutes.

Take 15 minute DB backups stored In Glacier with transaction logs stored in S3 every 5 minutes.

52 / 65

Each EC2 instance in the VPC has an interface. What is this interface called?

Elastic Network Adaptor

Elastic Network Interface

Network Address Translation

Elastic IP

53 / 65

Which of the following statements are true about RDS? Select Two

Some RDS databases support SQL as an interface.

Reserved instances can be used for Multi-AZ deployments

All RDS databases support SQL as an interface.

Reserved instances can not be used for Multi-AZ deployments.

54 / 65

You have been tasked with setting up storage for an application that loads large photos from an existing RDS. These photos are then processed by a Lambda function and have metadata added, along with additional filters. The Lambda code is inexpensive and can easily be rerun if needed. You need to decide on where to store the photos once they have been processed. Each photo will likely be accessed between 1 and 5 times over the course of a month and should be quickly accessible. The chief driver for the application and your decision should be cost and user experience. What S3 storage class would you select?

S3 Glacier

S3 IA

S3 Standard

S3 One Zone IA

55 / 65

By default, how long do edge locations cache objects?

Depends, you get what you pay for.

56 / 65

Which of the following selections will provide performance improvements in an RDS instance that is currently overloaded? (Choose two.)

Switch the database engine type

Configure the instance to use Multi-AZ.

Upgrade the RDS instance.

Create RDS read replicas of the instance

57 / 65

What type of replication occurs in a read replica RDS setup?

Asynchronous and Synchronous

Synchronous

Asynchronous

Neither, its a hybrid form or replication

58 / 65

What technology can you use to provide single sign-on to the AWS management console?

JSON

SAML

YAML

OpenID

59 / 65

What are the two types of VPNs that would be used in AWS? (Select Two)

Remote Access VPN

Direct Access VPN

Point to Point VPN

Site to Site VPN

60 / 65

You are auditing the EBS volumes of a number of EC2 instances running three web-facing data-intensive applications. You notice that a number of the volumes are configured as throughput optimized HDDs rather than general-purpose SSD or provisioned IOPS SSD. Why might this decision be appropriate? (Choose two.)

Lowered costs is a primary consideration

The throughput optimized HDDs serve only a test environment rather than a production one.

This applications primarily use large performance-critical workloads.

Data throughput is a primary consideration.

61 / 65

Which of the following are available to use as an EBS boot volume? (Choose two.)

Provisioned IOPS

Cold HDD

General SSD

Throughput Optimized

62 / 65

Glacier

EFS

S3 Standard

S3 RR

EBS

63 / 65

Reffering to the graphic…… If all of the following inbound rules existed on a custom NACL, would SSH traffic be allowed?

Only if IAM is configured

Yes

It depends

SSH is not explicitly mentioned, so it is not allowed on a custom NACL. Every protocol must explicitly be mentioned.

64 / 65

Your company is storing data on Amazon Simple Storage Service (S3) and your CIO is mandating that data is encrypted at rest. How can this be achieved? Select Three

Use Amazon S3 server-side encryption with AWS Key Management Service managed keys.

Use Amazon S3 server-side encryption with encrypted NAT services

Use Amazon S3 server-side encryption with customer-provided keys.

Encrypt the data on the client-side before ingesting to Amazon S3 using their own master key.

Use SSL to encrypt the data while in transit to Amazon S3.

65 / 65

Your customer has asked about CloudFront and would like to have a short training on the subject. They would also like you to identify the pros and cons of using CloudFront. What are two main advantages of using CloudFront?

Security

Integration with other services

Performance

Disaster Recovery

CloudFront is of course used for performance for content and it has a robust integration with AWS services (ELB, EC2, Route 53, etc)

Your score is

The average score is 52%