Are you tired of looking for a source that'll keep you updated on the AWS Certified Cloud Practitioner Exam? Plus, has a collection of affordable, high-quality, and incredibly easy Amazon CLF-C02 Practice Questions? Well then, you are in luck because Salesforcexamdumps.com just updated them! Get Ready to become a AWS Certified Foundational Certified.
PDF
$100 $40
Test Engine
First Try Then Buy!
Last 1 Hour Left To Avail This 80% Discount Offer Coupon Code "SPECIAL80"
Amazon CLF-C02 is a necessary certification exam to get certified. The certification is a reward to the deserving candidate with perfect results. The AWS Certified Foundational Certification validates a candidate's expertise to work with Amazon. In this fast-paced world, a certification is the quickest way to gain your employer's approval. Try your luck in passing the AWS Certified Cloud Practitioner Exam and becoming a certified professional today. Salesforcexamdumps.com is always eager to extend a helping hand by providing approved and accepted Amazon CLF-C02 Practice Questions. Passing AWS Certified Cloud Practitioner will be your ticket to a better future!
Pass with Amazon CLF-C02 Braindumps!
Contrary to the belief that certification exams are generally hard to get through, passing AWS Certified Cloud Practitioner is incredibly easy. Provided you have access to a reliable resource such as Salesforcexamdumps.com Amazon CLF-C02 PDF. We have been in this business long enough to understand where most of the resources went wrong. Passing Amazon AWS Certified Foundational certification is all about having the right information. Hence, we filled our Amazon CLF-C02 Dumps with all the necessary data you need to pass. These carefully curated sets of AWS Certified Cloud Practitioner Practice Questions target the most repeated exam questions. So, you know they are essential and can ensure passing results. Stop wasting your time waiting around and order your set of Amazon CLF-C02 Braindumps now!
We aim to provide all AWS Certified Foundational certification exam candidates with the best resources at minimum rates. You can check out our free demo before pressing down the download to ensure Amazon CLF-C02 Practice Questions are what you wanted. And do not forget about the discount. We always provide our customers with a little extra.
Why Choose Amazon CLF-C02 PDF?
Unlike other websites, Salesforcexamdumps.com prioritize the benefits of the AWS Certified Cloud Practitioner candidates. Not every Amazon exam candidate has full-time access to the internet. Plus, it's hard to sit in front of computer screens for too many hours. Are you also one of them? We understand that's why we are here with the AWS Certified Foundational solutions. Amazon CLF-C02 Question Answers offers two different formats PDF and Online Test Engine. One is for customers who like online platforms for real-like Exam stimulation. The other is for ones who prefer keeping their material close at hand. Moreover, you can download or print Amazon CLF-C02 Dumps with ease.
If you still have some queries, our team of experts is 24/7 in service to answer your questions. Just leave us a quick message in the chat-box below or email at [email protected].
Amazon CLF-C02 Sample Questions
Question # 1
A company has a centralized group of users with large file storage requirements that haveexceeded the space available on premises. The company wants to extend its file storagecapabilities for this group while retaining the performance benefit of sharing content locally.What is the MOST operationally efficient AWS solution for this scenario?
A. Create an Amazon S3 bucket for each user. Mount each bucket by using an S3 filesystem mounting utility. B. Configure and deploy an AWS Storage Gateway file gateway. Connect each user'sworkstation to the file gateway. C. Move each user's working environment to Amazon Workspaces. Set up an AmazonWorkDocs account for each user. D. Deploy an Amazon EC2 instance and attach an Amazon Elastic Block Store (AmazonEBS) Provisioned IOPS volume. Share the EBS volume directly with the users.
Answer: B
Explanation: AWS Storage Gateway is a hybrid cloud storage service that allows you to
extend your on-premises file storage capabilities to the AWS Cloud. AWS Storage
Gateway file gateway enables you to store and access your files in Amazon S3 using
industry-standard file protocols such as NFS and SMB. File gateway caches frequently
accessed files locally, providing low-latency access to your data. File gateway also
optimizes the transfer of data between your on-premises environment and AWS,
minimizing the amount of bandwidth consumed. By using file gateway, you can retain the
performance benefit of sharing content locally while leveraging the scalability, durability,
and cost-effectiveness of Amazon S3. References: AWS Storage Gateway, File Gateway
Question # 2
Which complimentary AWS service or tool creates data-driven business cases for cloudplanning?
A. Migration Evaluator B. AWS Billing Conductor C. AWS Billing Console D. Amazon Forecast
Answer: A
Explanation: Migration Evaluator is a cloud-based service that provides organizations with
a comprehensive assessment of their current IT environment and estimates the cost
savings and performance improvements that can be achieved by migrating to
AWS. Migration Evaluator helps users build a data-driven business case for AWS by discovering over-provisioned on-premises instances, providing recommendations for costeffective
AWS alternatives, and analyzing existing licenses and cost comparisons of Bring
Your Own License (BYOL) and License Included (LI) options
Question # 3
Which AWS services or features provide disaster recovery solutions for Amazon EC2instances? (Select TWO.)
A. EC2 Reserved Instances B. EC2 Amazon Machine Images (AMIs) C. Amazon Elastic Block Store (Amazon EBS) snapshots D. AWS Shield E. Amazon GuardDuty
Answer: B,C
Explanation: The correct answer is B and C. EC2 Amazon Machine Images (AMIs) and
Amazon Elastic Block Store (Amazon EBS) snapshots are two AWS services that provide
disaster recovery solutions for Amazon EC2 instances.
EC2 AMIs are preconfigured templates that contain the software configuration and
data required to launch an EC2 instance. You can create AMIs from your running
EC2 instances and use them to launch new instances in the same or different
AWS Regions. This way, you can quickly recover your EC2 instances in case of a
disaster that affects your primary Region or Availability Zone1.
Amazon EBS snapshots are incremental backups of your Amazon EBS volumes.
You can create snapshots of your volumes and store them in Amazon S3, which is
a highly durable and scalable storage service. You can use snapshots to restore
your volumes to a previous point in time or to create new volumes from
snapshots. Snapshots can also be copied across AWS Regions, enabling you to
recover your data in another Region in case of a disaster2.
The other options are not directly related to disaster recovery for EC2 instances:
EC2 Reserved Instances are a pricing model that allows you to reserve EC2
capacity for a specific period of time and receive a discount on the hourly
charge. Reserved Instances do not provide any disaster recovery benefits, as they
are only a billing option3.
AWS Shield is a managed service that protects your AWS resources from
for all AWS customers at no additional charge, and advanced protection for
customers who need higher levels of detection and mitigation. AWS Shield does
not provide any disaster recovery benefits, as it is only a security service4.
Amazon GuardDuty is a threat detection service that monitors your AWS account
and workloads for malicious or unauthorized activity. Amazon GuardDuty analyzes
various data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS
logs, to identify potential threats and alert you via Amazon CloudWatch Events or
AWS Lambda. Amazon GuardDuty does not provide any disaster recovery
benefits, as it is only a monitoring service5.
Question # 4
Using AWS Identity and Access Management (IAM) to grant access only to the resourcesneeded to perform a task is a concept known as:
A. restricted access. B. as-needed access. C. least privilege access. D. token access.
Answer: C
Explanation: The concept of granting access only to the resources needed to perform a
task is known as least privilege access. This is a security best practice in IAM that helps to
reduce the risk of unauthorized or malicious actions. By applying least privilege access,
you can limit the permissions of your IAM users, groups, and roles to the minimum required
for their specific tasks. You can also use conditions, permissions boundaries, and IAM
Access Analyzer to further restrict and verify access. References: Security best practices in
IAM, Policies and permissions in IAM, Use IAM policies to grant the least privileges
required to access Amazon RDS resources, How to Design a Least Privilege Architecture
in AWS, 12 Azure & AWS IAM Security Best Practices
Question # 5
Which AWS service or feature provides log information of the inbound and outbound trafficon network interfaces in a VPC?
A. Amazon CloudWatch Logs B. AWS CloudTrail C. VPC Flow Logs D. AWS Identity and Access Management (IAM)
Answer: C
Explanation: VPC Flow Logs is a feature that enables you to capture information about the
IP traffic going to and from network interfaces in your VPC. Flow log data can be published
to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data
Firehose. You can use VPC Flow Logs to monitor network traffic, diagnose security issues,
troubleshoot connectivity problems, and perform network forensics1. References:
Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud
Question # 6
What is the best resource for a user to find compliance-related information and reportsabout AWS?
A. AWS Artifact B. AWS Marketplace C. Amazon Inspector D. Increase operational costs across data centers.
Answer: A
Explanation: AWS Artifact is a self-service portal that provides on-demand access to AWS
security and compliance reports and select online agreements. Users can download
reports such as AWS ISO certifications, PCI reports, SOC reports, and GDPR DPA, and
review and accept agreements such as BAA and NDA. AWS Artifact helps users to
understand and meet compliance requirements for various standards and regulations that
apply to AWS services and infrastructure. AWS Artifact is the best resource for a user to
find compliance-related information and reports about AWS, whereas the other options are
not
Question # 7
A company operates a petabyte-scale data warehouse to analyze its data. The companywants a solution that will not require manual hardware and software management. WhichAWS service will meet these requirements?
A. Amazon DocumentDB (with MongoDB compatibility) B. Amazon Redshift C. Amazon Neptune D. Amazon ElastiCache
Answer: B
Explanation: Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse
service that makes it simple and cost-effective to analyze all your data using your existing
business intelligence tools. You can start small with no commitments, and scale to
petabytes for less than a tenth of the cost of traditional solutions. Amazon Redshift does
not require manual hardware and software management, as AWS handles all the tasks
such as provisioning, patching, backup, recovery, failure detection, and repair12. Amazon
Redshift also offers serverless capabilities, which allow you to access and analyze data
without any configurations or capacity planning. Amazon Redshift automatically scales the
data warehouse capacity to deliver fast performance for even the most demanding and
unpredictable workloads3. Therefore, Amazon Redshift meets the requirements of the
company, compared to the other options.
The other options are not suitable for the company’s requirements, because:
Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly
available, and fully managed document database service that supports MongoDB
workloads. It is not designed for petabyte-scale data warehousing or analytics4.
Amazon Neptune is a fast, reliable, and fully managed graph database service that
makes it easy to build and run applications that work with highly connected
datasets. It is not designed for petabyte-scale data warehousing or analytics5.
Amazon ElastiCache is a fully managed in-memory data store and cache service that supports Redis and Memcached. It is not designed for petabyte-scale data
warehousing or analytics.
References:
What is Amazon Redshift? - Amazon Redshift
Amazon Redshift Features - Amazon Redshift
Amazon Redshift Serverless - Amazon Redshift
What Is Amazon DocumentDB (with MongoDB compatibility)? - Amazon
DocumentDB (with MongoDB compatibility)
What Is Amazon Neptune? - Amazon Neptune
[What Is Amazon ElastiCache for Redis? - Amazon ElastiCache for Redis]
Question # 8
A company wants to move its on-premises databases to managed cloud database servicesby using a simplified migration process. Which AWS service or tool can help the companymeet this requirement?
A. AWS Storage Gateway B. AWS Application Migration Service C. AWS DataSync D. AWS Database Migration Service (AWS DMS)
Answer: D
Explanation: AWS Database Migration Service (AWS DMS) is a cloud service that makes
it possible to migrate relational databases, data warehouses, NoSQL databases, and other
types of data stores. You can use AWS DMS to migrate your data into the AWS Cloud or
between combinations of cloud and on-premises setups. With AWS DMS, you can discover
your source data stores, convert your source schemas, and migrate your data. AWS DMS
supports migration between 20-plus database and analytics engines, such as Oracle to
Amazon Aurora MySQL-Compatible Edition, MySQL to Amazon Relational Database
(RDS) for MySQL, Microsoft SQL Server to Amazon Aurora PostgreSQL-Compatible
Edition, MongoDB to Amazon DocumentDB (with MongoDB compatibility), Oracle to Amazon Redshift, and Amazon Simple Storage Service (S3). You can perform one-time
migrations or replicate ongoing changes to keep sources and targets in sync. AWS DMS
automatically manages the deployment, management, and monitoring of all hardware and
software needed for your migration. AWS DMS is a highly resilient, secure cloud service
that provides database discovery, schema conversion, data migration, and ongoing
replication to and from a wide range of databases and analytics systems12. References:
Database Migration - AWS Database Migration Service - AWS
What is AWS Database Migration Service? - AWS Database Migration Service
Question # 9
A company wants to allow users to authenticate and authorize multiple AWS accounts byusing a single set of credentials.Which AWS service or resource will meet this requirement?
A. AWS Organizations B. IAM user C. AWS IAM Identity Center (AWS Single Sign-On) D. AWS Control Tower
Answer: C
Explanation: AWS IAM Identity Center (AWS Single Sign-On) is a cloud-based service
that makes it easy to centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications. You can use AWS SSO to enable your users to sign in
to the AWS Management Console or the AWS Command Line Interface (AWS CLI) with
their existing corporate credentials2. You can also manage SSO access and user
permissions across all your AWS accounts in AWS Organizations3. References: AWS
Single Sign-On - AWS Documentation, AWS Organizations - AWS Documentation
Question # 10
An ecommerce company wants to use Amazon EC2 Auto Scaling to add and remove EC2instances based on CPU utilization. Which AWS service or feature can initiate an Amazon EC2 Auto Scaling action to achievethis goal?
A. Amazon Simple Queue Service (Amazon SQS) B. Amazon Simple Notification Service (Amazon SNS) C. AWS Systems Manager D. Amazon CloudWatch alarm
Answer: D
Explanation: Amazon CloudWatch alarm is an AWS service or feature that can initiate an
Amazon EC2 Auto Scaling action based on CPU utilization. Amazon CloudWatch is a
monitoring and observability service that collects and tracks metrics, logs, events, and
alarms for your AWS resources and applications. Amazon CloudWatch alarms are actions
that you can configure to send notifications or automatically make changes to the
resources you are monitoring based on rules that you define67.
Amazon EC2 Auto Scaling is a service that helps you maintain application availability and
allows you to automatically add or remove EC2 instances according to definable
conditions. You can create dynamic scaling policies that track a specific CloudWatch
metric, such as CPU utilization, and define what action to take when the associated
CloudWatch alarm is in ALARM. When the policy is in effect, Amazon EC2 Auto Scaling
adjusts the group’s desired capacity up or down when the threshold of an alarm is
CloudWatch Documentation, 8: Dynamic scaling for Amazon EC2 Auto Scaling, 9: Amazon
EC2 Auto Scaling Documentation
Question # 11
A company needs to track the activity in its AWS accounts, and needs to know when anAPI call is made against its AWS resources. Which AWS tool or service can be used tomeet these requirements?
A. Amazon CloudWatch B. Amazon Inspector C. AWS CloudTrail D. AWS IAM
Answer: C
Explanation: AWS CloudTrail is the service that can be used to meet these requirements.
AWS CloudTrail is a service that records AWS API calls for your account and delivers log
files to you. The recorded information includes the identity of the API caller, the time of the
API call, the source IP address of the API caller, the request parameters, and the response
elements returned by the AWS service1. You can use CloudTrail to track the activity in your
AWS accounts, such as who made an API call, when it was made, and what resources
were affected. You can also use CloudTrail to monitor the compliance, security, and
governance of your AWS environment2. The other services are not designed to track the
activity and API calls in your AWS accounts. Amazon CloudWatch is a service that
monitors and collects metrics, logs, and events from your AWS resources and applications. You can use CloudWatch to set alarms, visualize data, and automate actions
based on predefined thresholds or rules3. Amazon Inspector is a service that helps you
improve the security and compliance of your applications running on AWS. Inspector
automatically assesses applications for exposure, vulnerabilities, and deviations from best
practices4. AWS IAM is a service that enables you to manage access to AWS services and
resources securely. IAM allows you to create and manage AWS users and groups, and use
permissions to allow and deny their access to AWS resources. References: AWS
Which AWS service enables companies to deploy an application dose to end users?
A. Amazon CloudFront B. AWS Auto Scaling C. AWS AppSync D. Amazon Route S3
Answer: A
Explanation:
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers
data, videos, applications, and APIs to customers globally with low latency, high transfer
speeds, all within a developer-friendly environment. CloudFront enables companies to
deploy an application close to end users by caching the application’s content at edge
locations that are geographically closer to the users. This reduces the network latency and
improves the user experience. CloudFront also integrates with other AWS services, such
as Amazon S3, Amazon EC2, AWS Lambda, AWS Shield, and AWS WAF, to provide a
secure and scalable solution for delivering applications12. References:
What Is Amazon CloudFront? - Amazon CloudFront Amazon CloudFront Features - Amazon CloudFront
Question # 13
A company needs to perform data processing once a week that typically takes about 5hours to complete. Which AWS service should the company use for this workload?
A. AWS Lambda B. Amazon EC2 C. AWS CodeDeploy D. AWS Wavelength
Answer: B
Explanation: Amazon EC2 is the most suitable AWS service for this workload. Amazon
EC2 provides secure, resizable compute capacity in the cloud. You can launch virtual
servers, called instances, and configure them according to your needs. You can choose
from different instance types, sizes, and families, and pay only for the resources you
use. Amazon EC2 also offers features such as auto scaling, load balancing, security
groups, and placement groups to optimize your performance, availability, and
security1. Amazon EC2 is ideal for workloads that require consistent and reliable compute
power, such as data processing, web hosting, gaming, and high-performance computing2.
The other services are not suitable for this workload. AWS Lambda is a serverless compute
service that lets you run code without provisioning or managing servers. You pay only for
the compute time you consume. Lambda is best for short-lived, stateless, and event-driven
workloads that can be completed in under 15 minutes3. AWS CodeDeploy is a deployment
service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services. CodeDeploy is not a
compute service, but a tool to help you update your applications with minimal downtime4.
AWS Wavelength is a service that delivers ultra-low latency applications for 5G devices.
Wavelength embeds AWS compute and storage services at the edge of
telecommunications providers’ 5G networks. Wavelength is designed for mobile edge
computing, such as interactive gaming, video streaming, and augmented
Which AWS service or tool gives users the ability to connect with AWS and deployresources programmatically?
A. Amazon quickSight B. AWS PrivateLink C. AWS Direct Connect D. AWS SDKs
Answer: D
Explanation: AWS SDKs are a set of tools that allow users to connect with AWS and
deploy resources programmatically. AWS SDKs provide libraries, code samples,
documentation, and other resources to help users write code that interacts with AWS APIs.
AWS SDKs support various programming languages, such as Java, Python, Ruby, .NET,
Node.js, Go, and more. AWS SDKs make it easier for users to access AWS services, such
as Amazon S3, Amazon EC2, Amazon DynamoDB, AWS Lambda, and more, from their
applications. AWS SDKs also handle tasks such as authentication, error handling, retries,
and data serialization, so users can focus on their application logic .
The other options are not AWS services or tools that give users the ability to connect with
AWS and deploy resources programmatically. Amazon QuickSight is a business
intelligence service that lets users create and share interactive dashboards and
visualizations1. AWS PrivateLink is a service that enables users to securely access
services hosted on AWS in a scalable and cost-effective manner2. AWS Direct Connect is
a service that establishes a dedicated network connection between a user’s premises and
AWS3.
Question # 15
Which AWS Cloud service can send alerts to customers if custom spending thresholds areexceeded?
A. AWS Budgets B. AWS Cost Explorer C. AWS Cost Allocation Tags D. AWS Organizations
Answer: A
Explanation: AWS Budgets is a service that allows you to set custom budgets for your
AWS costs and usage, and receive alerts via email or Amazon SNS notifications if you
exceed or are forecasted to exceed your budgeted amount1. You can create budgets
based on different dimensions, such as service, linked account, tag, or purchase option,
and define various types of alerts, such as actual, forecasted, or RI utilization alerts2. You
can also configure custom actions to automatically execute remediation tasks or workflows
when a budget threshold is breached3. AWS Budgets is the only service among the
options that can send alerts to customers if custom spending thresholds are exceeded. The
other options are not AWS services that provide this functionality.
Question # 16
Which AWS feature provides a no-cost platform for AWS users to join community groups,ask questions, find answers, and read community-generated articles about best practices?
A. AWS Knowledge Center B. AWS re:Post C. AWS 10 D. AWS Enterprise Support
Answer: B
Explanation: AWS re:Post is a no-cost platform for AWS users to join community groups,
ask questions, find answers, and read community-generated articles about best practices.
AWS re:Post is a social media platform that connects AWS users with each other and with
AWS experts. Users can create posts, comment on posts, follow topics, and join groups
related to AWS services, solutions, and use cases. AWS re:Post also features live event
feeds, community stories, and AWS Hero profiles. AWS re:Post is a great way to learn from
the AWS community, share your knowledge, and get inspired. References:
AWS re:Post
Join the Conversation
Question # 17
Which AWS service provides command line access to AWS tools and resources directly(torn a web browser?
A. AWS CIoudHSM B. AWS CloudShell C. Amazon Workspaces D. AWS Cloud Map
Answer: B
Explanation: AWS CloudShell is the service that provides command line access to AWS
tools and resources directly from a web browser. AWS CloudShell is a browser-based shell
that makes it easy to securely manage, explore, and interact with your AWS resources. It
comes pre-authenticated with your console credentials and common development and
administration tools are pre-installed, so no local installation or configuration is required.
You can open AWS CloudShell from the AWS Management Console with a single click and
start running commands and scripts using the AWS Command Line Interface (AWS CLI),
Git, or SDKs. AWS CloudShell also provides persistent home directories with 1 GB of
storage per AWS Region12. The other services do not provide command line access to
AWS tools and resources directly from a web browser. AWS CloudHSM is a service that
helps you meet corporate, contractual and regulatory compliance requirements for data
security by using dedicated Hardware Security Module (HSM) appliances within the AWS
Cloud3. Amazon WorkSpaces is a service that provides a fully managed, secure Desktopas-
a-Service (DaaS) solution that runs on AWS4. AWS Cloud Map is a service that makes
it easy for your applications to discover and connect to each other using logical names and
attributes5. References: AWS CloudShell, AWS CloudShell – Command-Line Access to
Which AWS service can run a managed PostgreSQL database that provides onlinetransaction processing (OLTP)?
A. Amazon DynamoDB B. Amazon Athena C. Amazon RDS D. Amazon EMR
Answer: C
Explanation: Amazon RDS is a fully managed relational database service that supports several database engines, including PostgreSQL. Amazon RDS can run a managed
PostgreSQL database that provides online transaction processing (OLTP), which is a type
of database workload that handles frequent read and write operations on small amounts of
data. Amazon RDS for PostgreSQL offers high performance, availability, scalability,
security, and compatibility with the PostgreSQL community edition. Amazon RDS also
provides automated backups, point-in-time recovery, encryption, monitoring, and
maintenance for PostgreSQL databases. References:
Hosted PostgreSQL - Amazon RDS for PostgreSQL
OLTP Database, MySQL And PostgreSQL Managed Database - Amazon Aurora
PostgreSQL options on AWS: Self- managed, managed, and serverless
Question # 19
Which responsibility belongs to AWS when a company hosts its databases on AmazonEC2 instances?
A. Database backups B. Database software patches C. Operating system patches D. Operating system installations
Answer: C
Explanation: When a company hosts its databases on Amazon EC2 instances, AWS and
the customer share the responsibility for the security and management of the database
environment. According to the AWS shared responsibility model, AWS is responsible for
the security of the cloud, while the customer is responsible for the security in the cloud.
This means that AWS is responsible for protecting the infrastructure that runs the EC2
instances, such as the hardware, software, networking, and facilities. The customer is
responsible for properly configuring the security of the provided service, such as the guest
operating system, the database software, the data, and the network traffic12.
One of the tasks that belongs to AWS when a company hosts its databases on Amazon
EC2 instances is operating system patches. AWS provides regular updates and patches to
the operating system of the EC2 instances, which are applied automatically by default. The
customer can also choose to manually apply the patches or schedule them for a specific
time window3. Operating system patches are important for maintaining the security and
performance of the EC2 instances and the databases running on them.
The other tasks that belong to AWS when a company hosts its databases on Amazon EC2
instances are:
Operating system installations: AWS provides a variety of operating system
options for the EC2 instances, such as Linux, Windows, and Amazon Linux. The
customer can choose the operating system that best suits their database needs
and AWS will install it on the EC2 instances4.
Server maintenance: AWS performs regular maintenance and repairs on the
physical servers that host the EC2 instances, ensuring that they are in optimal condition and have adequate power, cooling, and network connectivity5.
Hardware lifecycle: AWS manages the lifecycle of the hardware that supports the
EC2 instances, such as replacing faulty components, upgrading equipment, and
decommissioning old servers.
The tasks that do not belong to AWS when a company hosts its databases on Amazon
EC2 instances are:
Database backups: The customer is responsible for backing up their data and
databases on the EC2 instances, using tools such as Amazon S3, Amazon EBS
snapshots, or AWS Backup. Database backups are essential for data protection
and recovery in case of failures or disasters.
Database software patches: The customer is responsible for applying patches and
updates to the database software on the EC2 instances, such as MySQL,
PostgreSQL, Oracle, or SQL Server. Database software patches are important for
fixing bugs, improving features, and addressing security vulnerabilities.
Database software install: The customer is responsible for installing the database
software on the EC2 instances, choosing the version and configuration that meets
their requirements. AWS provides some preconfigured AMIs (Amazon Machine
Images) that include common database software, or the customer can use their
own custom AMIs.
References:
Shared Responsibility Model - Amazon Web Services (AWS)
Shared responsibility model - Amazon Web Services: Risk and Compliance
Patching Amazon EC2 instances - AWS Systems Manager
Amazon EC2 FAQs - Amazon Web Services
Maintenance and Retirements - Amazon Elastic Compute Cloud
[Hardware Lifecycle - Amazon Web Services (AWS)]
[Backing Up Your Data - Amazon Web Services (AWS)]
[Database Patching - Amazon Web Services (AWS)]
[Installing Database Software on Amazon EC2 Instances - Amazon Web Services
(AWS)]
Question # 20
A developer needs to maintain a development environment infrastructure and a productionenvironment infrastructure in a repeatable fashion Which AWS service should thedeveloper use to meet these requirements?
A. AWS Ground Station B. AWS Shield C. AWS loT Device Defender D. AWS CloudFormation
Answer: D
Explanation: AWS CloudFormation is a service that allows developers to model and
provision their AWS infrastructure in a repeatable and declarative way, using code and
templates. AWS CloudFormation enables developers to define the resources they need for
their development and production environments, such as compute, storage, network, and
application services, and automate their creation and configuration. AWS CloudFormation
also provides features such as change sets, nested stacks, and rollback triggers to help
developers manage and update their infrastructure safely and efficiently12. References: AWS CloudFormation
What is AWS CloudFormation?
Question # 21
Which Amazon EC2 pricing model is the MOST cost efficient for an uninterruptibleworkload that runs once a year for 24 hours?
A. On-Demand Instances B. Reserved Instances C. Spot Instances D. Dedicated Instances
Answer: A
Explanation:
On-Demand Instances are the most cost-efficient pricing model for an uninterruptible
workload that runs once a year for 24 hours. On-Demand Instances let you pay for
compute capacity by the hour or second, depending on which instances you run. No longterm
commitments or up-front payments are required. You can increase or decrease your
compute capacity to meet the demands of your application and only pay the specified
hourly rates for the instance you use1. This model is suitable for developing/testing
applications with short-term or unpredictable workloads2. The other pricing models are not
cost-efficient for this use case. Reserved Instances and Savings Plans require a
commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3
years. They provide significant discounts compared to On-Demand Instances, but they are
not flexible or scalable for workloads that run only once a year12. Spot Instances are the
cheapest option, but they are not suitable for uninterruptible workloads, as they can be
reclaimed by AWS at any time. They are recommended for applications that have flexible
start and end times, or that are only feasible at very low compute prices12. Dedicated
Instances are designed for compliance and licensing requirements, not for cost
optimization. They are more expensive than the other options, as they run on single-tenant
A company is migrating to the AWS Cloud and plans to run experimental workloads for 3 to6 months on AWS. Which pricing model will meet these requirements?
A. Use Savings Plans for a 3-year term. B. Use Dedicated Hosts. C. Buy Reserved Instances. D. Use On-Demand Instances.
Answer: D
Explanation:
On-Demand Instances are the most flexible and cost-effective pricing model for short-term,
experimental, or unpredictable workloads on AWS. On-Demand Instances let you pay only
for the resources you use, without any long-term commitments or upfront fees. You can
easily start and stop instances as needed, and scale up or down depending on your
demand.
Savings Plans, Reserved Instances, and Dedicated Hosts are all pricing models that
require a commitment for a certain amount of usage or capacity for a one- or three-year
term. These pricing models offer lower prices than On-Demand Instances, but they are not
suitable for workloads that only run for 3 to 6 months or have variable usage patterns.
Savings Plans and Reserved Instances also offer flexibility to change instance types, sizes,
or regions within the same family or pool, while Dedicated Hosts are physical servers that
can only run specific instance types.
Question # 23
A user wants to allow applications running on an Amazon EC2 instance to make calls toother AWS services. The access granted must be secure. Which AWS service or featureshould be used?
A. Security groups B. AWS Firewall Manager C. IAM roles D. IAM user SSH keys
Answer: C
Explanation: IAM roles are a secure way to grant permissions to applications running on
an Amazon EC2 instance to make calls to other AWS services. IAM roles are entities that
have specific permissions policies attached to them. You can create an IAM role and
associate it with an EC2 instance when you launch it or later. The applications on the
instance can then use the temporary credentials provided by the role to access AWS
resources that the role allows. This way, you do not have to store any long-term credentials
or access keys on the instance, which reduces the risk of compromise or misuse12.
The other options are not correct, because:
Security groups are virtual firewalls that control the inbound and outbound traffic
for your EC2 instances. Security groups do not grant permissions to access other
AWS services, but rather filter the network traffic based on rules that you define3.
AWS Firewall Manager is a service that helps you centrally configure and manage
firewall rules across your accounts and resources. AWS Firewall Manager works
with AWS WAF, AWS Shield Advanced, and Amazon VPC security groups. AWS
Firewall Manager does not grant permissions to access other AWS services, but
rather helps you enforce consistent security policies across your AWS
infrastructure4.
IAM user SSH keys are credentials that allow you to connect to your EC2 instance
using SSH. SSH keys do not grant permissions to access other AWS services, but
rather authenticate your identity when you log in to your instance5.
References:
Using an IAM role to grant permissions to applications running on Amazon EC2
instances - AWS Identity and Access Management
IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud
Security groups for your VPC - Amazon Virtual Private Cloud
What is AWS Firewall Manager? - AWS Firewall Manager
Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud
Question # 24
Which AWS service or feature will search for and identify AWS resources that are sharedexternally?
A. Amazon OpenSearch Service B. AWS Control Tower C. AWS IAM Access Analyzer D. AWS Fargate
Answer: C
Explanation: AWS IAM Access Analyzer is an AWS service that helps customers identify
and review the resources in their AWS account that are shared with an external entity, such
as another AWS account, a root user, an organization, or a public entity. AWS IAM Access
Analyzer uses automated reasoning, a form of mathematical logic and inference, to
analyze the resource-based policies in the account and generate comprehensive findings
that show the access level, the source of the access, the affected resource, and the
condition under which the access applies. Customers can use AWS IAM Access Analyzer
to audit their shared resources, validate their access policies, and monitor any changes to
the resource sharing status. References: AWS IAM Access Analyzer, Identify and review
resources shared with external entities, How AWS IAM Access Analyzer works
Question # 25
Which AWS service or feature improves network performance by sending traffic throughthe AWS worldwide network infrastructure?
A. Route table B. AWS Transit Gateway C. AWS Global Accelerator D. Amazon VPC
Answer: C
Explanation: AWS Global Accelerator is a service that improves network performance by sending traffic
through the AWS worldwide network infrastructure. It uses the AWS global network to
direct TCP or UDP traffic to a healthy application endpoint in the closest AWS Region to
the client. This provides improvements in terms of latency, throughput, and jitter. Global
Accelerator also introduces features such as TCP termination at the edge, jumbo frame
support, and large receive side window and TCP buffers to optimize data transfer12. Route
table, AWS Transit Gateway, and Amazon VPC are not services or features that improve
network performance by sending traffic through the AWS worldwide network
infrastructure. Route table is a resource that defines how traffic is routed within a
VPC3. AWS Transit Gateway is a service that enables you to connect your VPCs and onpremises
networks to a single gateway4. Amazon VPC is a service that lets you provision a
logically isolated section of the AWS Cloud where you can launch AWS resources in a
virtual network that you define5. References: Achieve up to 60% better performance for
internet traffic with AWS Global Accelerator, Improving Performance on AWS and Hybrid
A company wants to establish a schedule for rotating database user credentials.Which AWS service will support this requirement with the LEAST amount of operationaloverhead?
A. AWS Systems Manager B. AWS Secrets Manager C. AWS License Manager D. AWS Managed Services
Answer: B
Explanation: AWS Secrets Manager is a service that helps you protect access to your
applications, services, and IT resources. This service enables you to easily rotate, manage,
and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the
need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation
with built-in integration for Amazon RDS, Amazon Redshift, Amazon DocumentDB, and
other AWS services1. You can also extend Secrets Manager to rotate other types of
secrets, such as credentials for Oracle, SQL Server, or MongoDB databases, by using
custom AWS Lambda functions2. Secrets Manager enables you to control access to
secrets using fine-grained permissions and audit secret rotation centrally for resources in
the AWS Cloud, third-party services, and on-premises3. Therefore, AWS Secrets Manager
supports the requirement of rotating database user credentials with the least amount of
operational overhead, compared to the other options. References:
What Is AWS Secrets Manager? - AWS Secrets Manager
Rotating Your AWS Secrets Manager Secrets - AWS Secrets Manager
AWS Secrets Manager Features - AWS Secrets Manager
Question # 27
A company wants to provide managed Windows virtual desktops and applications to itsremote employees over secure network connections. Which AWS services can thecompany use to meet these requirements? (Select TWO.)
A. Amazon Connect B. Amazon AppStream 2.0 C. Amazon Workspaces D. AWS Site-to-Site VPN E. Amazon Elastic Container Service (Amazon ECS)
Answer: B,C
Explanation: Amazon AppStream 2.0 and Amazon WorkSpaces are AWS services that
can be used to provide managed Windows virtual desktops and applications to remote
employees over secure network connections. Amazon AppStream 2.0 is a fully managed
application streaming service that allows users to access Windows desktop applications
from any device, without installing or managing any software. Amazon AppStream 2.0
delivers applications over an encrypted connection and isolates them from the underlying
infrastructure, ensuring security and compliance1. Amazon WorkSpaces is a fully managed
desktop virtualization service that allows users to access Windows or Linux desktops from
any device, with a consistent user experience. Amazon WorkSpaces provides persistent,
cloud-based virtual desktops that can be customized and scaled according to the user’s
needs. Amazon WorkSpaces also offers encryption, backup, and monitoring features to
ensure security and reliability2. References:
Amazon AppStream 2.0
Amazon WorkSpaces
Question # 28
Which option is a customer responsibility when using Amazon DynamoDB under the AWSShared Responsibility Model?
A. Physical security of DynamoDB B. Patching of DynamoDB C. Access to DynamoDB tables D. Encryption of data at rest in DynamoDB
Answer: C
Explanation: According to the AWS Shared Responsibility Model, AWS is responsible for
the security of the cloud, while the customer is responsible for the security in the cloud.
This means that AWS is responsible for protecting the infrastructure that runs AWS
services, such as DynamoDB, while the customer is responsible for properly configuring
the security of the provided service. For abstracted services, such as DynamoDB, the
customer is primarily responsible for managing their data, classifying their assets, and
using IAM tools to apply the appropriate permissions12. Therefore, the customer is
responsible for controlling the access to DynamoDB tables, such as by creating IAM
policies, roles, and users, and using encryption and authentication
mechanisms3. References:
Shared Responsibility Model - Amazon Web Services (AWS)
Security and compliance in Amazon DynamoDB - Amazon DynamoDB
What is Shared Responsibility Model? - Check Point Software
Question # 29
A social media company wants to protect its web application from common web exploitssuch as SQL injections and cross-site scripting. Which AWS service will meet theserequirements?
A. Amazon Inspector B. AWS WAF C. Amazon GuardDuty D. Amazon CloudWatch
Answer: B
Explanation: AWS WAF is a web application firewall service that helps protect web
applications from common web exploits that could affect availability, compromise security,
or consume excessive resources. AWS WAF gives you control over which traffic to allow or
block to your web applications by defining customizable web security rules. You can use
AWS WAF to create rules that block common attack patterns, such as SQL injection or
cross-site scripting, and rules that filter out specific traffic patterns you define1. AWS WAF
also integrates with other AWS services, such as Amazon CloudFront, Amazon API
Gateway, AWS AppSync, and AWS Load Balancer, to provide a comprehensive defense
against web attacks2. Therefore, AWS WAF meets the requirements of the social media
company, compared to the other options.
The other options are not suitable for the social media company’s requirements, because:
Amazon Inspector is an automated security assessment service that helps
improve the security and compliance of applications deployed on AWS. Amazon
Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. However, Amazon Inspector does not provide a
web application firewall service that can block malicious web requests3.
Amazon GuardDuty is a threat detection service that continuously monitors for
malicious activity and unauthorized behavior to protect your AWS accounts,
workloads, and data stored in Amazon S3. Amazon GuardDuty analyzes and
processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs,
and DNS logs. However, Amazon GuardDuty does not provide a web application
firewall service that can block malicious web requests4.
Amazon CloudWatch is a monitoring and observability service that provides data
and actionable insights to monitor your applications, respond to system-wide
performance changes, optimize resource utilization, and get a unified view of
operational health. Amazon CloudWatch collects monitoring and operational data
in the form of logs, metrics, and events, and visualizes it using automated
dashboards, alarms, and notifications. However, Amazon CloudWatch does not
provide a web application firewall service that can block malicious web requests.
References:
What Is AWS WAF? - AWS WAF, AWS Firewall Manager, and AWS Shield
Advanced
AWS WAF Features - AWS WAF, AWS Firewall Manager, and AWS Shield
Advanced
What Is Amazon Inspector? - Amazon Inspector
What Is Amazon GuardDuty? - Amazon GuardDuty
[What Is Amazon CloudWatch? - Amazon CloudWatch]
Question # 30
Which AWS service or feature allows users to create new AWS accounts, group multipleaccounts to organize workflows, and apply policies to groups of accounts?
A. AWS Identity and Access Management (1AM) B. AWS Trusted Advisor C. AWS CloudFormation D. AWS Organizations
Answer: D
Explanation: AWS Organizations is the AWS service or feature that allows users to create
new AWS accounts, group multiple accounts to organize workflows, and apply policies to
groups of accounts. AWS Organizations enables users to centrally manage and govern
their AWS environment across multiple accounts. Users can create organizational units
(OUs) to group accounts based on their business needs, such as by function, project, or
region. Users can also apply service control policies (SCPs) to OUs or individual accounts
to define the permissions and restrictions for the AWS services and resources that they can
access. AWS Organizations also offers features such as consolidated billing, account
creation automation, and trusted access12. References:
AWS Organizations
What is AWS Organizations?
Question # 31
Which option is a benefit of the economies of scale based on the advantages of cloudcomputing?
A. The ability to trade variable expense for fixed expense B. Increased speed and agility C. Lower variable costs over fixed costs D. Increased operational costs across data centers
Answer: B
Explanation: Economies of scale are the cost advantages that result from increasing the
scale of production or operation. In cloud computing, economies of scale are achieved by
pooling resources and sharing them among multiple users, which reduces the unit cost of
computing and storage. One of the benefits of economies of scale in cloud computing is
increased speed and agility, which means the ability to deploy applications faster and
respond to changing business needs more quickly. Cloud computing allows users to
access computing resources on demand, without having to invest in expensive
infrastructure or wait for lengthy provisioning processes. This enables users to scale up or
down as needed, experiment with new ideas, and deliver value to customers
faster123. References: Economics of Cloud Computing - GeeksforGeeks
What is Cloud Economics? | VMware Glossary
ECONOMIES OF SCALE WITH CLOUD COMPUTING & SERVICES PRACTICE -
IDC-Online
Question # 32
A company wants to migrate its applications to the AWS Cloud. The company plans toidentity and prioritize any business transformation opportunities and evaluate its AWSCloud readiness. Which AWS service or tool should the company use to meet theserequirements?
A. AWS Cloud Adoption Framework (AWS CAF) B. AWS Managed Services (AMS) C. AWS Well-Architected Framework D. AWS Migration Hub
Answer: A
Explanation: AWS Cloud Adoption Framework (AWS CAF) is a set of best practices, tools,
and guidance that helps organizations get started with cloud technologies. AWS CAF helps
organizations identify and prioritize transformation opportunities, evaluate and improve their
cloud readiness, and iteratively evolve their transformation roadmap. AWS CAF groups its
capabilities in six perspectives: Business, People, Governance, Platform, Security, and
Operations. Each perspective comprises a set of capabilities that functionally related
stakeholders own or manage in the cloud transformation journey1
AWS Managed Services (AMS) is a service that operates AWS infrastructure on behalf of
customers, providing a secure AWS Landing Zone, features that help meet various
compliance program requirements, a proven enterprise operating model, on-going cost
optimization, and day-to-day infrastructure management. AMS does not help customers
identify and prioritize business transformation opportunities or evaluate their cloud
readiness2
AWS Well-Architected Framework is a set of six pillars and lenses that help cloud
architects design and run workloads in the cloud. It provides a consistent approach for
customers and AWS Partners to evaluate and implement designs that scale with their
needs. AWS Well-Architected Framework helps customers understand the pros and cons
of decisions they make while building systems on AWS, but it does not help them identify
and prioritize business transformation opportunities3
AWS Migration Hub is a tool that lets customers discover, plan, and track their existing
servers and applications for migration to AWS. It offers journey templates, cross-team
collaboration, application and server discovery, strategy recommendations, orchestration
and simple dashboard. AWS Migration Hub simplifies the migration and modernization
process, but it does not help customers identify and prioritize business transformation
A company has deployed applications on Amazon EC2 instances. The company needs toassess application vulnerabilities and must identify infrastructure deployments that do notmeet best practices. Which AWS service can the company use to meet theserequirements?
A. AWS Trusted Advisor B. Amazon Inspector C. AWSConfig D. Amazon GuardDuty
Answer: B
Explanation: Amazon Inspector is a service that provides automated security assessment
and management for AWS resources, such as Amazon EC2 instances. Amazon Inspector
can scan applications for common vulnerabilities, such as SQL injection, cross-site
scripting, and remote code execution. Amazon Inspector can also check the configuration
of AWS resources against security best practices, such as the CIS Benchmarks and the
AWS Security Best Practices. Amazon Inspector can help customers identify and
remediate security issues, comply with security standards, and improve the security
posture of their AWS environment12. References:
Amazon Inspector
Improved, Automated Vulnerability Management for Cloud Workloads with a New
Amazon Inspector | AWS News Blog
Question # 34
Which AWS service or feature can be used to create a private connection between an onpremisesworkload and an AWS Cloud workload?
A. Amazon Route 53 B. Amazon Macie C. AWS Direct Connect D. AWS PrivaleLink
Answer: C
Explanation: AWS Direct Connect is a service that establishes a dedicated network
connection between your on-premises network and one or more AWS Regions. AWS
Direct Connect can be used to create a private connection between an on-premises
workload and an AWS Cloud workload, bypassing the public internet and reducing network
costs, latency, and bandwidth issues. AWS Direct Connect can also provide increased
security and reliability for your hybrid cloud applications and data transfers. References:
AWS Direct Connect
What is AWS Direct Connect?
AWS Direct Connect User Guide
Question # 35
Which AWS service is used to provide encryption for Amazon EBS?
A. AWS Certificate Manager B. AWS Systems Manager C. AWS KMS D. AWS Config
Answer: C
Explanation: AWS KMS is the service that is used to provide encryption for Amazon EBS.
AWS KMS is a managed service that enables you to easily create and control the
encryption keys used to encrypt your data. Amazon EBS uses AWS KMS to encrypt and
decrypt your EBS volumes and snapshots. You can choose to use either the default AWS
managed CMK or your own customer managed CMK for encryption. AWS KMS also
provides features such as key rotation, audit logging, and access control policies to help
you manage your encryption keys and protect your data12. The other services are not used
to provide encryption for Amazon EBS. AWS Certificate Manager is a service that lets you
provision, manage, and deploy public and private SSL/TLS certificates for use with AWS
services and your internal connected resources3. AWS Systems Manager is a service that
provides a unified user interface to view and manage your AWS resources, automate
common operational tasks, and apply compliance policies4. AWS Config is a service that
enables you to assess, audit, and evaluate the configurations of your AWS
A company has a compute workload that is steady, predictable, and uninterruptible.Which Amazon EC2 instance purchasing options meet these requirements MOST costeffectively?(Select TWO.)
A. On-Demand Instances B. Reserved Instances C. Spot Instances D. Saving Plans E. Dedicated Hosts
Answer: B,D
Explanation:
Reserved Instances and Savings Plans are the most cost-effective purchasing options for a
compute workload that is steady, predictable, and uninterruptible. Reserved Instances
provide a significant discount compared to On-Demand Instances, and Savings Plans offer
flexible and consistent savings on EC2 usage. Both options require a commitment to a
consistent amount of usage, in USD per hour, for a term of 1 or 3 years. On-Demand
Instances are suitable for short-term, irregular, or unpredictable workloads, but they are
more expensive than Reserved Instances or Savings Plans. Spot Instances are the
cheapest option, but they are not suitable for uninterruptible workloads, as they can be
reclaimed by AWS at any time. Dedicated Hosts and Dedicated Instances are designed for
compliance and licensing requirements, not for cost optimization. They are more expensive
than the other options, as they run on single-tenant hardware. References: Instance
Which tool should a developer use lo integrate AWS service features directly into anapplication?
A. AWS Software Development Kit B. AWS CodeDeploy C. AWS Lambda D. AWS Batch
Answer: A
Explanation:
AWS Software Development Kit (SDK) is a set of platform-specific tools for developers that
let them integrate AWS service features directly into their applications. AWS SDKs provide
libraries, code samples, documentation, and other resources to help developers write code
that interacts with AWS APIs. AWS SDKs support various programming languages, such
as Java, Python, Ruby, .NET, Node.js, Go, and more. AWS SDKs make it easier for
developers to access AWS services, such as Amazon S3, Amazon EC2, Amazon
DynamoDB, AWS Lambda, and more, from their applications. AWS SDKs also handle
tasks such as authentication, error handling, retries, and data serialization, so developers
can focus on their application logic.
Question # 38
Which AWS service or tool can be used to set up a firewall to control traffic going into andcoming out of an Amazon VPC subnet?
A. Security group B. AWS WAF C. AWS Firewall Manager D. Network ACL
Answer: D
Explanation: A network ACL (NACL) is an optional layer of security for your VPC that acts
as a firewall for controlling traffic in and out of one or more subnets. You can create a
network ACL and associate it with a subnet to apply rules that allow or deny traffic to or
from the subnet. Network ACLs are stateless, meaning that they evaluate the source and
destination IP addresses for both inbound and outbound traffic. You can also use network ACLs to block IP address ranges that are known to be malicious12.
The other options are not AWS services or tools that can be used to set up a firewall to
control traffic going into and coming out of an Amazon VPC subnet. Security groups are
another layer of security for your VPC that act as a firewall for your EC2 instances. Security
groups are stateful, meaning that they automatically allow return traffic for allowed inbound
traffic. Security groups can only filter traffic based on protocols, ports, and source or
destination IP addresses, not on IP ranges3. AWS WAF is a web application firewall that
helps protect your web applications from common web exploits. AWS WAF can filter web
requests based on rules that you define, such as IP addresses, HTTP headers, HTTP
body, or URI strings. AWS WAF does not apply to non-web traffic or to traffic within a
VPC4. AWS Firewall Manager is a service that helps you centrally configure and manage
firewall rules across your accounts and resources in AWS Organizations. You can use
Firewall Manager to apply AWS WAF rules, AWS Network Firewall policies, and Amazon
VPC security groups across your AWS accounts. AWS Firewall Manager does not provide
a firewall service itself, but rather helps you manage other firewall services
Question # 39
Which of the following is a managed AWS service that is used specifically for extract,transform, and load (ETL) data?
A. Amazon Athena B. AWS Glue C. Amazon S3 D. AWS Snowball Edge
Answer: B
Explanation: AWS Glue is a serverless data integration service that makes it easy to
discover, prepare, move, and integrate data from multiple sources for analytics, machine
learning, and application development. You can use various data integration engines, such
as ETL, ELT, batch, and streaming, and manage your data in a centralized data
catalog. AWS Glue is designed specifically for extract, transform, and load (ETL) data, whereas the other options are not.
Question # 40
A company has a set of ecommerce applications. The applications need to be able to sendmessages to each other. Which AWS service meets this requirement?
A. AWS Auto Scaling B. Elastic Load Balancing C. Amazon Simple Queue Service (Amazon SOS) D. Amazon Kinesis Data Streams
Answer: C
Explanation: Amazon Simple Queue Service (Amazon SQS) is a fully managed message
queuing service that lets you send, store, and receive messages between software
components at any volume, without losing messages or requiring other services to be
available1. Amazon SQS is designed to provide a simple and reliable way for customers to
decouple and connect components (microservices) together using queues2. Queues are
an important mechanism for providing fault tolerance and scalability in distributed systems,
and help decouple different parts of your application3. The other options are not AWS
services that are used specifically for sending messages between applications
Question # 41
Which pricing model will interrupt a running Amazon EC2 instance if capacity becomestemporarily unavailable?
A. On-Demand Instances B. Standard Reserved Instances C. Spot Instances D. Convertible Reserved Instances
Answer: C
Explanation: Spot Instances are a type of EC2 instance that let you bid on unused compute capacity, which AWS offers at a discount of up to 90% compared to On-Demand
prices1. Spot Instances are suitable for fault-tolerant, stateless, or flexible applications that
can handle interruptions2. Spot Instances can be interrupted with a two-minute warning
when EC2 needs the capacity back3. The other options are not pricing models that will
interrupt a running EC2 instance if capacity becomes temporarily unavailable
Question # 42
Which tasks are the customer's responsibility, according to the AWS shared responsibilitymodel? (Select TWO.)
A. Establish the global infrastructure. B. Perform client-side data encryption. C. Configure 1AM credentials. D. Secure edge locations. E. Patch Amazon RDS DB instances.
Answer: B,C
Explanation: According to the AWS shared responsibility model, AWS is responsible for
the security of the cloud, while the customer is responsible for the security in the cloud.
This means that AWS is responsible for protecting the infrastructure that runs all of the
services offered in the AWS Cloud, such as the global network, the hardware, the software,
and the facilities. The customer is responsible for properly configuring the security of the
provided service, such as the guest operating system, the application software, the data,
and the network traffic. For abstracted services, such as Amazon RDS, AWS operates the
infrastructure layer, the operating system, and the database software, while the customer is
responsible for managing their data, classifying their assets, and using IAM tools to apply
the appropriate permissions12.
Therefore, the tasks that are the customer’s responsibility are:
Perform client-side data encryption: The customer is responsible for encrypting
their data before sending it to AWS, and decrypting it after receiving it from AWS. This ensures that the data is protected in transit and at rest. AWS provides various
encryption options, such as AWS Key Management Service (AWS KMS), AWS
CloudHSM, and AWS Certificate Manager (ACM)3.
Configure IAM credentials: The customer is responsible for creating and managing
IAM users, groups, roles, and policies that control the access to AWS resources
and services. IAM credentials include user names, passwords, access keys, and
permissions4.
The tasks that are not the customer’s responsibility are:
Establish the global infrastructure: AWS is responsible for building and maintaining
the global network of regions, availability zones, and edge locations that provide
low latency, high availability, and fault tolerance for the AWS Cloud5.
Secure edge locations: AWS is responsible for protecting the physical security of
the edge locations, which are sites that deliver cached content to end users with
improved performance6.
Patch Amazon RDS DB instances: AWS is responsible for applying patches and
updates to the operating system and the database software of the Amazon RDS
DB instances, which are managed relational database service for MySQL,
PostgreSQL, Oracle, SQL Server, and Amazon Aurora. References:
Shared Responsibility Model - Amazon Web Services (AWS)
Shared responsibility model - Amazon Web Services: Risk and Compliance
Encryption - Amazon Web Services (AWS)
What Is IAM? - AWS Identity and Access Management
Global Infrastructure - Amazon Web Services (AWS)
Amazon CloudFront Features - Content Delivery Network (CDN)
[What Is Amazon Relational Database Service (Amazon RDS)? - Amazon
Relational Database Service]
Question # 43
Which AWS Cloud benefit gives a company the ability to quickly deploy cloud resources toaccess compute, storage, and database infrastructures in a matter of minutes?
A. Elasticity B. Cost savings C. Agility D. Reliability
Answer: C
Explanation: Agility is the AWS Cloud benefit that gives a company the ability to quickly
deploy cloud resources to access compute, storage, and database infrastructures in a
matter of minutes. Agility means that you can reduce the time to make IT resources
available to your developers from weeks to just minutes, resulting in a dramatic increase in
innovation and responsiveness1. AWS provides a range of services and tools that enable
you to launch, scale, and manage your cloud applications with ease and speed, such as
AWS CloudFormation, AWS Elastic Beanstalk, AWS CodeDeploy, and AWS Quick
Starts2345. References:
Six advantages of cloud computing - Overview of Amazon Web Services
[AWS CloudFormation]
[AWS Elastic Beanstalk]
[AWS CodeDeploy]
AWS Quick Starts
Question # 44
A network engineer needs to build a hybrid cloud architecture connecting on-premisesnetworks to the AWS Cloud using AWS Direct Connect. The company has a few VPCs in asingle AWS Region and expects to increase the number of VPCs to hundreds over time.Which AWS service or feature should the engineer use to simplify and scale thisconnectivity as the VPCs increase in number?
A. VPC endpoints B. AWS Transit Gateway C. Amazon Route 53 D. AWS Secrets Manager
Answer: B
Explanation: AWS Transit Gateway is a network transit hub that you can use to
interconnect your VPCs and on-premises networks through a central gateway. AWS
Transit Gateway simplifies and scales the connectivity between your on-premises networks
and AWS, as you only need to create and manage a single connection from the central
gateway to each on-premises network, rather than individual connections to each
VPC. You can also use AWS Transit Gateway to connect to other AWS services, such as
thousands of VPCs per gateway, and enables you to peer Transit Gateways across AWS
Regions3.
The other options are not AWS services or features that can simplify and scale the
connectivity between on-premises networks and hundreds of VPCs using AWS Direct Connect. VPC endpoints enable private connectivity between your VPCs and supported
AWS services, but do not support on-premises networks4. Amazon Route 53 is a DNS
service that helps you route internet traffic to your resources, but does not provide network
connectivity5. AWS Secrets Manager is a service that helps you securely store and
manage secrets, such as database credentials and API keys, but does not relate to
network connectivity
Question # 45
A company needs to evaluate its AWS environment and provide best practicerecommendations in five categories: cost, performance, service limits, fault tolerance, andsecurity. Which AWS service can the company use to meet these requirements
A. AWS Shield B. AWS WAF C. AWS Trusted Advisor D. AWS Service Catalog
Answer: C
Explanation: AWS Trusted Advisor is the service that can meet these requirements. AWS
Trusted Advisor is a service that helps you optimize your AWS environment by providing
recommendations based on AWS best practices. Trusted Advisor continuously evaluates
your AWS resources and services across five categories: cost optimization, performance,
service limits, fault tolerance, and security. You can view the recommendations on the Trusted Advisor console or access them programmatically using the Trusted Advisor API.
You can also set up notifications and alerts for any changes in the status of your
checks. Trusted Advisor can help you improve your AWS environment by reducing costs,
enhancing performance, increasing security, and ensuring reliability12. The other services
are not designed to provide best practice recommendations in five categories. AWS Shield
is a service that protects your AWS resources from distributed denial-of-service (DDoS)
attacks. AWS WAF is a service that helps you protect your web applications from common
web exploits. AWS Service Catalog is a service that enables you to create and manage
catalogs of IT services that are approved for use on AWS34 . References: AWS Trusted
A company wants a customized assessment of its current on-premises environment. Thecompany wants to understand its projected running costs in the AWS Cloud.Which AWS service or tool will meet these requirements?
A. AWS Trusted Advisor B. Amazon Inspector C. AWS Control Tower D. Migration Evaluator
Answer: D
Explanation: Migration Evaluator is an AWS service that provides a customized
assessment of your current on-premises environment and helps you build a data-driven
business case for migration to AWS. Migration Evaluator collects and analyzes data from
your on-premises servers, such as CPU, memory, disk, network, and utilization metrics,
and compares them with the most cost-effective AWS alternatives. Migration Evaluator also
helps you understand your existing software licenses and running costs, and provides
recommendations for Bring Your Own License (BYOL) and License Included (LI) options in
AWS. Migration Evaluator generates a detailed report that shows your projected running
costs in the AWS Cloud, along with potential savings and benefits. You can use this report
to support your decision-making and planning for cloud migration. References: Cloud
Business Case & Migration Plan - Amazon Migration Evaluator - AWS, Getting started with
Migration Evaluator
Question # 47
Which AWS service provides the ability to manage infrastructure as code?
A. AWS CodePipeline B. AWS CodeDeploy C. AWS Direct Connect D. AWS CloudFormation
Answer: D
Explanation: The AWS service that provides the ability to manage infrastructure as code is
AWS CloudFormation. Infrastructure as code is a process of defining and provisioning
AWS resources using code or templates, rather than manual actions or scripts. AWS
CloudFormation allows you to create and update stacks of AWS resources based on
predefined templates that describe the desired state and configuration of the resources.
AWS CloudFormation automates and simplifies the deployment and management of AWS
resources, and ensures consistency and repeatability across different environments and
regions. AWS CloudFormation also supports rollback, change sets, drift detection, and
nested stacks features that help you to monitor and control the changes to your infrastructure1.
Question # 48
A company wants to manage its AWS Cloud resources through a web interface.Which AWS service will meet this requirement?
A. AWS Management Console B. AWS CLI C. AWS SDK D. AWS Cloud
Answer: A
Explanation: AWS Management Console is a web application that allows you to manage
and monitor your AWS Cloud resources through a user-friendly interface. You can use the
AWS Management Console to access and experiment with over 150 AWS services, view
and modify your account and billing information, get in-console help from AWS Support,
and customize your dashboard with widgets that display key metrics and information for
your applications567. You can also use the AWS Management Console to launch and
configure AWS resources using wizards and templates, without writing any
CloudFront Documentation, 4: AWS Global Accelerator - Amazon Web Services, 5: AWS
Global Accelerator Documentation
Question # 50
A company is running and managing its own Docker environment on Amazon EC2instances. The company wants an alternative to help manage cluster size, scheduling, andenvironment maintenance.Which AWS service meets these requirements?
A. AWS Lambda B. Amazon RDS C. AWS Fargate D. Amazon Athena
Answer: C
Explanation: AWS Fargate is a serverless compute engine for containers that works with
both Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes
Service (Amazon EKS). AWS Fargate allows you to run containers without having to manage servers or clusters of Amazon EC2 instances. With AWS Fargate, you only pay for
the compute resources you use to run your containers, and you don’t need to worry about
scaling, patching, securing, or maintaining the underlying infrastructure. AWS Fargate
simplifies the deployment and management of containerized applications, and enables you
to focus on building and running your applications instead of managing the
infrastructure. References: AWS Fargate, What is AWS Fargate?
Question # 51
Which AWS services or features give users the ability to create a network connectionbetween two VPCs? (Select TWO.)
A. VPC endpoints B. Amazon Route 53 C. VPC peering D. AWS Direct Connect E. AWS Transit Gateway
Answer: C,E
Explanation: VPC peering and AWS Transit Gateway are two AWS services or features
that give users the ability to create a network connection between two VPCs. VPC peering
is a networking connection between two VPCs that enables you to route traffic between
them privately. You can create a VPC peering connection between your own VPCs, with a
VPC in another AWS account, or with a VPC in a different AWS Region. Traffic between
peered VPCs never traverses the public internet. VPC peering does not support transitive
peering relationships, which means that if VPC A is peered with VPC B, and VPC B is
peered with VPC C, then VPC A and VPC C are not automatically peered789. AWS Transit
Gateway is a networking service that acts as a regional router for your VPCs and onpremises
networks. You can attach up to 5,000 VPCs and VPN connections to a single
transit gateway and route traffic between them. AWS Transit Gateway simplifies the
management and scalability of your network architecture, as you only need to create and
manage a single connection from the central transit gateway to each connected
network. AWS Transit Gateway supports transitive routing, which means that any network
that is attached to the transit gateway can communicate with any other network that is
attached to the same transit gateway . References: 7: VPC peering - Amazon Virtual
According to security best practices, how should an Amazon EC2 instance be given accessto an Amazon S3 bucket?
A. Hard code an IAM user's secret key and access key directly in the application, andupload the file. B. Store the IAM user's secret key and access key in a text file on the EC2 instance, readthe keys, then upload the file. C. Have the EC2 instance assume a role to obtain the privileges to upload the file. D. Modify the S3 bucket policy so that any service can upload to it at any time.
Answer: C
Explanation: According to security best practices, the best way to give an Amazon EC2
instance access to an Amazon S3 bucket is to have the EC2 instance assume a role to
obtain the privileges to upload the file. A role is an AWS Identity and Access Management
(IAM) entity that defines a set of permissions for making AWS service requests. You can
use roles to delegate access to users, applications, or services that don’t normally have
access to your AWS resources. For example, you can create a role that allows EC2
instances to access S3 buckets, and then attach the role to the EC2 instance. This way,
the EC2 instance can assume the role and obtain temporary security credentials to access
the S3 bucket. This method is more secure and scalable than storing or hardcoding IAM
user credentials on the EC2 instance, as it avoids the risk of exposing or compromising the
credentials. It also allows you to manage the permissions centrally and dynamically, and to
audit the access using AWS CloudTrail. For more information on how to create and use
roles for EC2 instances, see Using an IAM role to grant permissions to applications running
on Amazon EC2 instances1
The other options are not recommended for security reasons. Hardcoding or storing IAM
user credentials on the EC2 instance is a bad practice, as it exposes the credentials to
potential attackers or unauthorized users who can access the instance or the application
code. It also makes it difficult to rotate or revoke the credentials, and to track the usage of
the credentials. Modifying the S3 bucket policy to allow any service to upload to it at any
time is also a bad practice, as it opens the bucket to potential data breaches, data loss, or
data corruption. It also violates the principle of least privilege, which states that you should
grant only the minimum permissions necessary for a task.
References: Using an IAM role to grant permissions to applications running on Amazon
EC2 instances
Question # 53
Which of the following is an AWS Well-Architected Framework design principle foroperational excellence in the AWS Cloud?
A. Go global in minutes B. Make frequent, small, reversible changes C. Implement a strong foundation of identity and access management D. Stop spending money on hardware infrastructure for data center operations
Answer: B
Explanation: Making frequent, small, reversible changes is one of the design principles for
operational excellence in the AWS Cloud, as defined by the AWS Well-Architected
Framework. This principle means that you should design your workloads to allow for rapid
and safe changes, such as deploying updates, rolling back failures, and experimenting with
new features. By making small and reversible changes, you can reduce the risk of errors,
minimize the impact of failures, and increase the speed of recovery2. References: 2: AWS
A user has a stateful workload that will run on Amazon EC2 for the next 3 years.What is the MOST cost-effective pricing model for this workload?
A. On-Demand Instances B. Reserved Instances C. Dedicated Instances D. Spot Instances
Answer: B
Explanation: Reserved Instances are a pricing model that offers significant discounts on
Amazon EC2 usage compared to On-Demand Instances. Reserved Instances are suitable
for stateful workloads that have predictable and consistent usage patterns for a long-term
period. By committing to a one-year or three-year term, customers can reduce their total
cost of ownership and optimize their cloud spend. Reserved Instances also provide
capacity reservation, ensuring that customers have access to the EC2 instances they need
when they need them. References: AWS Pricing Calculator, Amazon EC2 Pricing, [AWS
Cloud Practitioner Essentials: Module 3 - Compute in the Cloud]
Question # 55
A company wants to integrate its online shopping website with social media logincredentials.Which AWS service can the company use to make this integration?
A. AWS Directory Service B. AWS Identity and Access Management (IAM) C. Amazon Cognito D. AWS IAM Identity Center (AWS Single Sign-On)
Answer: C
Explanation: Amazon Cognito is a service that enables you to add user sign-up and signin
features to your web and mobile applications. Amazon Cognito also supports social and enterprise identity federation, which means you can allow your users to sign in with their
existing credentials from identity providers such as Google, Facebook, Apple, and Amazon.
Amazon Cognito integrates with OpenID Connect (OIDC) and Security Assertion Markup
Language (SAML) 2.0 protocols to facilitate the authentication and authorization process.
Amazon Cognito also provides advanced security features, such as adaptive
authentication, user verification, and multi-factor authentication
(MFA). References: Amazon Cognito, What is Amazon Cognito?
Question # 56
Which maintenance task is the customer's responsibility, according to the AWS sharedresponsibility model?
A. Physical connectivity among Availability Zones B. Network switch maintenance C. Hardware updates and firmware patches D. Amazon EC2 updates and security patches
Answer: D
Explanation: According to the AWS shared responsibility model, customers are
responsible for managing their data, applications, operating systems, security groups, and
other aspects of their AWS environment. This includes installing updates and security
patches of the guest operating system and any application software or utilities installed by
the customer on the instances. AWS is responsible for protecting the infrastructure that
runs all of the services offered in the AWS Cloud, such as data centers, hardware,
software, networking, and facilities. This includes the physical connectivity among
Availability Zones, the network switch maintenance, and the hardware updates and
Question # 57
A company is using Amazon DynamoDB for its application database.Which tasks are the responsibility of AWS, according to the AWS shared responsibility model? (Select TWO.)
A. Classify data. B. Configure access permissions. C. Manage encryption options. D. Provide public endpoints to store and retrieve data. E. Manage the infrastructure layer and the operating system.
Answer: D,E
Explanation: According to the AWS shared responsibility model, AWS is responsible for
security of the cloud, while customers are responsible for security in the cloud. This means
that AWS is responsible for protecting the infrastructure that runs AWS services, such as
hardware, software, networking, and facilities. Customers are responsible for managing
their data, classifying their assets, and using IAM tools to apply the appropriate
permissions. For abstracted services, such as Amazon DynamoDB, AWS operates the
infrastructure layer, the operating system, and platforms, and provides customers with
public endpoints to store and retrieve data. Customers are responsible for classifying their
data, managing their encryption options, and configuring their access
permissions. References: Shared Responsibility Model, Security and compliance in
Amazon DynamoDB, [AWS Cloud Practitioner Essentials: Module 2 - Security in the Cloud]
Question # 58
A development team wants to deploy multiple test environments for an application in a fastrepeatable manner.Which AWS service should the team use?
A. Amazon EC2 B. AWS CloudFormation C. Amazon QuickSight D. Amazon Elastic Container Service (Amazon ECS)
Answer: B
Explanation: AWS CloudFormation is a service that allows you to model and provision
your AWS resources using templates. You can define your infrastructure as code and
automate the creation and update of your resources. AWS CloudFormation also supports
nested stacks, change sets, and rollback features to help you manage complex and
dynamic environments34. References:
AWS CloudFormation
AWS Certified Cloud Practitioner Exam Guide
Question # 59
Which of the following services can be used to block network traffic to an instance? (Select TWO.)
A. Amazon OpenSearch Service B. AWS Control Tower C. AWS IAM Access Analyzer D. AWS Fargate
Answer: C
Explanation: AWS IAM Access Analyzer is an AWS service that helps customers identify
and review the resources in their AWS account that are shared with an external entity, such
as another AWS account, a root user, an organization, or a public entity. AWS IAM Access
Analyzer uses automated reasoning, a form of mathematical logic and inference, to
analyze the resource-based policies in the account and generate comprehensive findings
that show the access level, the source of the access, the affected resource, and the
condition under which the access applies. Customers can use AWS IAM Access Analyzer to audit their shared resources, validate their access policies, and monitor any changes to
the resource sharing status. References: AWS IAM Access Analyzer, Identify and review
resources shared with external entities, How AWS IAM Access Analyzer works
Question # 60
Which of the following services can be used to block network traffic to an instance? (SelectTWO.)
A. Security groups B. Amazon Virtual Private Cloud (Amazon VPC) flow logs C. Network ACLs D. Amazon CloudWatch E. AWS CloudTrail
Answer: A,C
Explanation: Security groups and network ACLs are two AWS services that can be used
to block network traffic to an instance. Security groups are virtual firewalls that control the
inbound and outbound traffic for your instances at the instance level. You can specify which
protocols, ports, and source or destination IP addresses are allowed or denied for each
instance. Security groups are stateful, which means that they automatically allow return
traffic for any allowed inbound or outbound traffic123. Network ACLs are virtual firewalls
that control the inbound and outbound traffic for your subnets at the subnet level. You can
create rules to allow or deny traffic based on protocols, ports, and source or destination IP
addresses. Network ACLs are stateless, which means that you have to explicitly allow
return traffic for any allowed inbound or outbound traffic456. References: 1: Security
groups for your VPC - Amazon Virtual Private Cloud, 2: Security Groups for Your VPC -
Amazon Elastic Compute Cloud, 3: AWS Security Groups: Everything You Need to
Know, 4: Network ACLs - Amazon Virtual Private Cloud, 5: Control traffic to subnets using
A company wants to migrate its PostgreSQL database to AWS. The company does not usethe database frequently.Which AWS service or resource will meet these requirements with the LEAST managementoverhead?
A. PostgreSQL on Amazon EC2 B. Amazon RDS for PostgreSQL C. Amazon Aurora PostgreSQL-Compatible Edition D. Amazon Aurora Serverless
Answer: D
Explanation: Amazon Aurora Serverless is an on-demand, auto-scaling configuration for
Amazon Aurora PostgreSQL-Compatible Edition. It is a fully managed service that
automatically scales up and down based on the application’s actual needs. Amazon Aurora
Serverless is suitable for applications that have infrequent, intermittent, or unpredictable
database workloads, and that do not require the full power and range of options provided
by provisioned Aurora clusters. Amazon Aurora Serverless eliminates the need to provision
and manage database instances, and reduces the management overhead associated with
database administration tasks such as scaling, patching, backup, and
recovery. References: Amazon Aurora Serverless, Choosing between Aurora Serverless
and provisioned Aurora DB clusters, [AWS Cloud Practitioner Essentials: Module 4 -
Databases in the Cloud]
Question # 63
Which of the following actions are controlled with AWS Identity and Access Management(IAM)? (Select TWO.)
A. Control access to AWS service APIs and to other specific resources. B. Provide intelligent threat detection and continuous monitoring. C. Protect the AWS environment using multi-factor authentication (MFA). D. Grant users access to AWS data centers. E. Provide firewall protection for applications from common web attacks.
Answer: A,C
Explanation: AWS Identity and Access Management (IAM) is a service that enables you
to manage access to AWS services and resources securely. You can use IAM to perform
the following actions:
Control access to AWS service APIs and to other specific resources: You can
create users, groups, roles, and policies that define who can access which AWS
resources and how. You can also use IAM to grant temporary access to users or
applications that need to perform certain tasks on your behalf3
Protect the AWS environment using multi-factor authentication (MFA): You can
enable MFA for your IAM users and root user to add an extra layer of security to
your AWS account. MFA requires users to provide a unique authentication code
from an approved device or SMS text message, in addition to their user name and
password, when they sign in to AWS4
Question # 64
Which mechanism allows developers to access AWS services from application code?
A. AWS Software Development Kit B. AWS Management Console C. AWS CodePipeline D. AWS Config
Answer: A
Explanation: AWS Software Development Kit (SDK) is a set of platform-specific building
tools for developers. It allows developers to access AWS services from application code
using familiar programming languages. It provides pre-built components and libraries that
can be incorporated into applications, as well as tools to debug, monitor, and optimize
performance2. References: What is SDK? - SDK Explained - AWS
Question # 65
A company has a physical tape library to store data backups. The tape library is runningout of space. The company needs to extend the tape library's capacity to the AWS Cloud.Which AWS service should the company use to meet this requirement?
A. Amazon Elastic File System (Amazon EFS) B. Amazon Elastic Block Store (Amazon EBS) C. Amazon S3 D. AWS Storage Gateway
Answer: D
Explanation: AWS Storage Gateway is a hybrid cloud storage service that provides onpremises
access to virtually unlimited cloud storage. You can use AWS Storage Gateway
to simplify storage management and reduce costs for key hybrid cloud storage use cases.
One of these use cases is tape-based backup, which allows you to store data backups on
virtual tapes in the AWS Cloud. You can use the Tape Gateway feature of AWS Storage
Gateway to extend your existing physical tape library to the AWS Cloud. Tape Gateway
provides a virtual tape infrastructure that scales seamlessly with your backup needs and
eliminates the operational burden of provisioning, scaling, and maintaining a physical tape
Balancer, 5: Which characteristic of the AWS Cloud helps users eliminate …
Question # 67
What is a customer responsibility when using AWS Lambda according to the AWS sharedresponsibility model?
A. Managing the code within the Lambda function B. Confirming that the hardware is working in the data center C. Patching the operating system D. Shutting down Lambda functions when they are no longer in use
Answer: A
Explanation: According to the AWS shared responsibility model, AWS is responsible for
the security of the cloud, while customers are responsible for the security in the cloud. This
means that AWS is responsible for the physical servers, networking, and operating system
that run Lambda functions, while customers are responsible for the security of their code
and AWS IAM to the Lambda service and within their function1. Customers need to
manage the code within the Lambda function, such as writing, testing, debugging,
deploying, and updating the code, as well as ensuring that the code does not contain any
vulnerabilities or malicious code that could compromise the security or performance of the
A company that has multiple business units wants to centrally manage and govern its AWSCloud environments. The company wants to automate the creation of AWS accounts, applyservice control policies (SCPs), and simplify billing processes.Which AWS service or tool should the company use to meet these requirements?
A. AWS Organizations B. Cost Explorer C. AWS Budgets D. AWS Trusted Advisor
Answer: A
Explanation: AWS Organizations is an AWS service that enables you to centrally manage
and govern your AWS Cloud environments across multiple business units. AWS
Organizations allows you to create an organization that consists of AWS accounts that you
create or invite to join. You can group your accounts into organizational units (OUs) and
apply service control policies (SCPs) to them. SCPs are a type of policy that specify the
maximum permissions for the accounts in your organization, and can help you enforce
compliance and security requirements. AWS Organizations also simplifies billing processes
by enabling you to consolidate and pay for all member accounts with a single payment
method. You can also use AWS Organizations to automate the creation of AWS accounts
by using APIs or AWS CloudFormation templates. References: What is AWS
A company is building an application that needs to deliver images and videos globally withminimal latency.Which approach can the company use to accomplish this in a cost effective manner?
A. Deliver the content through Amazon CloudFront. B. Store the content on Amazon S3 and enable S3 cross-region replication. C. Implement a VPN across multiple AWS Regions. D. Deliver the content through AWS PrivateLink.
Answer: A
Explanation:
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers
data, videos, applications, and APIs to customers globally with low latency, high transfer
speeds, all within a developer-friendly environment. It works seamlessly with services
including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon
EC2 as origins for your applications, and Lambda@Edge to run custom code closer to
customers’ users and to customize the user experience. By using CloudFront, you can
cache your content at the edge locations that are closest to your end users, reducing the
network latency and improving the performance of your application. CloudFront also offers
a pay-as-you-go pricing model, so you only pay for the data transfer and requests that you
use.
Question # 71
A company wants to allow users to authenticate and authorize multiple AWS accounts byusing a single set of credentials.Which AWS service or resource will meet this requirem
A. AWS Organizations B. IAM user C. AWS IAM Identity Center (AWS Single Sign-On) D. AWS Control Tower
Answer: C
Explanation: AWS IAM Identity Center (AWS Single Sign-On) is a cloud-based service
that makes it easy to centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications. You can use AWS SSO to enable your users to sign in
to the AWS Management Console or the AWS Command Line Interface (AWS CLI) with
their existing corporate credentials2. You can also manage SSO access and user
permissions across all your AWS accounts in AWS Organizations3. References: AWS
Single Sign-On - AWS Documentation, AWS Organizations - AWS Documentation
Question # 72
Which AWS service or feature allows a user to establish a dedicated network connectionbetween a company's on-premises data center and the AWS Cloud?
A. AWS Direct Connect B. VPC peering C. AWS VPN D. Amazon Route 53
Answer: A
Explanation: AWS Direct Connect is an AWS service that allows users to establish a
dedicated network connection between their on-premises data center and the AWS Cloud.
This connection bypasses the public internet and provides more predictable network
performance, reduced bandwidth costs, and increased security. Users can choose from
different port speeds and connection types, and use AWS Direct Connect to access AWS
services in any AWS Region globally. Users can also use AWS Direct Connect in
conjunction with AWS VPN to create a hybrid network architecture that combines the
benefits of both private and public connectivity. References: AWS Direct Connect, [AWS
Cloud Practitioner Essentials: Module 3 - Compute in the Cloud]
Question # 73
A company has deployed an application in the AWS Cloud. The company wants to ensurethat the application is highly resilient.Which component of AWS infrastructure can the company use to meet this requirement?
A. Content delivery network (CDN) B. Edge locations C. Wavelength Zones D. Availability Zones
Answer: D
Explanation: Availability Zones are components of AWS infrastructure that can help the
company ensure that the application is highly resilient. Availability Zones are multiple,
isolated locations within each AWS Region. Each Availability Zone has independent power,
cooling, and physical security, and is connected to the other Availability Zones in the same
Region via low-latency, high-throughput, and highly redundant networking. Availability
Zones allow you to operate production applications and databases that are more highly
available, fault tolerant, and scalable than would be possible from a single data center.
Question # 74
Which AWS service or feature identifies whether an Amazon S3 bucket or an IAM role hasbeen shared with an external entity?
A. AWS Service Catalog B. AWS Systems Manager C. AWS IAM Access Analyzer D. AWS Organizations
Answer: C
Explanation: AWS IAM Access Analyzer is a service that helps you identify the resources
in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are
shared with an external entity. This lets you identify unintended access to your resources
and data, which is a security risk. IAM Access Analyzer uses logic-based reasoning to
analyze the resource-based policies in your AWS environment. For each instance of a
resource shared outside of your account, IAM Access Analyzer generates a
finding. Findings include information about the access and the external principal granted to
it345. References: 3: Using AWS Identity and Access Management Access
Analyzer, 4: IAM Access Analyzer - Amazon Web Services (AWS), 5: Welcome - IAM
Access Analyzer
Question # 75
What can a cloud practitioner use to retrieve AWS security and compliance documents andsubmit them as evidence to an auditor or regulator?
A. AWS Certificate Manager B. AWS Systems Manager C. AWS Artifact D. Amazon Inspector
Answer: C
Explanation: AWS Artifact is a service that provides on-demand access to AWS security
and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI)
reports, and Service Organization Control (SOC) reports. You can download these
documents and submit them as evidence to your auditors or regulators to demonstrate the
security and compliance of the AWS infrastructure and services that you use. AWS Artifact
also allows you to review, accept, and manage AWS agreements, such as the Business
Associate Addendum (BAA) for customers who are subject to the Health Insurance
Portability and Accountability Act (HIPAA). References: AWS Artifact, What is AWS
Artifact?
Question # 76
A company wants to run its workload on Amazon EC2 instances for more than 1 year. Thisworkload will run continuously.Which option offers a discounted hourly rate compared to the hourly rate of On-DemandInstances?
A. AWS Graviton processor B. Dedicated Hosts C. EC2 Instance Savings Plans D. Amazon EC2 Auto Scaling instances
Answer: C
Explanation: EC2 Instance Savings Plans are a flexible pricing model that offer discounted
hourly rates on Amazon EC2 instance usage for a 1 or 3 year term. EC2 Instance Savings
Plans provide savings up to 72% off On-Demand rates, in exchange for a commitment to a
specific instance family in a chosen AWS Region (for example, M5 in Virginia). These plans
automatically apply to usage regardless of size (for example, m5.xlarge, m5.2xlarge, etc.),
OS (for example, Windows, Linux, etc.), and tenancy (Host, Dedicated, Default) within the
specified family in a Region. With an EC2 Instance Savings Plan, you can change your
instance size within the instance family (for example, from c5.xlarge to c5.2xlarge) or the
operating system (for example, from Windows to Linux), or move from Dedicated tenancy
to Default and continue to receive the discounted rate provided by your EC2 Instance
Savings Plan4567. References: 4: Compute Savings Plans – Amazon Web
Services, 5: What are Savings Plans? - Savings Plans, 6: How To Cut Your AWS Bill With
Savings Plans
Question # 77
A company needs to migrate a PostgreSQL database from on-premises to Amazon RDS.Which AWS service or tool should the company use to meet this requirement?
A. Cloud Adoption Readiness Tool B. AWS Migration Hub C. AWS Database Migration Service (AWS DMS) D. AWS Application Migration Service
Answer: C
Explanation: AWS Database Migration Service (AWS DMS) is a managed and automated
service that helps you migrate your databases from your on-premises or cloud environment
to AWS, either as a one-time migration or as a continuous replication. AWS DMS supports
migration between 20-plus database and analytics engines, such as PostgreSQL, Oracle, MySQL, SQL Server, MongoDB, Amazon Aurora, Amazon RDS, Amazon Redshift, and
Amazon S3. AWS DMS also provides schema conversion and validation tools, as well as
monitoring and security features. AWS DMS is a cost-effective and reliable solution for
database migration, as you only pay for the compute resources and additional log storage
used during the migration process, and you can minimize the downtime and data loss with
Multi-AZ and ongoing replication12
To migrate a PostgreSQL database from on-premises to Amazon RDS using AWS DMS,
you need to perform the following steps:
Create an AWS DMS replication instance in the same AWS Region as your target
Amazon RDS PostgreSQL DB instance. The replication instance is a server that
runs the AWS DMS replication software and connects to your source and target
endpoints. You can choose the instance type, storage, and network settings based
on your migration requirements3
Create a source endpoint that points to your on-premises PostgreSQL database.
You need to provide the connection details, such as the server name, port,
database name, user name, and password. You also need to specify the engine
name as postgres and the SSL mode as required4
Create a target endpoint that points to your Amazon RDS PostgreSQL DB
instance. You need to provide the connection details, such as the server name,
port, database name, user name, and password. You also need to specify the
engine name as postgres and the SSL mode as verify-full.
Create a migration task that defines the migration settings and options, such as
the replication instance, the source and target endpoints, the migration type (full
load, full load and change data capture, or change data capture only), the table
mappings, the task settings, and the task monitoring role. You can also use the
AWS Schema Conversion Tool (AWS SCT) to convert your source schema to the
target schema and apply it to the target endpoint before or after creating the
migration task.
Start the migration task and monitor its progress and status using the AWS DMS
console, the AWS CLI, or the AWS DMS API. You can also use AWS
CloudFormation to automate the creation and execution of the migration task.
The other options are not suitable for migrating a PostgreSQL database from on-premises
to Amazon RDS. Cloud Adoption Readiness Tool is a tool that helps you assess your
readiness for cloud adoption based on six dimensions: business, people, process, platform,
operations, and security. It does not perform any database migration tasks. AWS Migration
Hub is a service that helps you track and manage the progress of your application
migrations across multiple AWS and partner services, such as AWS DMS, AWS
Application Migration Service, AWS Server Migration Service, and CloudEndure Migration.
It does not perform any database migration tasks itself, but rather integrates with other
migration services. AWS Application Migration Service is a service that helps you migrate
your applications from your on-premises or cloud environment to AWS without making any
changes to the applications, their architecture, or the migrated servers. It does not support
database migration, but rather replicates your servers as Amazon Machine Images (AMIs)
and launches them as EC2 instances on AWS.
References: AWS Database Migration Service, What is AWS Database Migration
Service?, Working with an AWS DMS replication instance, Creating source and target
endpoints for PostgreSQL, [Creating a target endpoint for Amazon RDS for PostgreSQL], [Creating a migration task for AWS DMS], [AWS Schema Conversion Tool], [Starting a
At what support level do users receive access to a support concierge?
A. Basic Support B. Developer Support C. Business Support D. Enterprise Support
Answer: D
Explanation: Users receive access to a support concierge at the Enterprise Support level.
A support concierge is a team of AWS billing and account experts that specialize in working
with enterprise accounts. They can help users with billing and account inquiries, cost
optimization, FinOps support, cost analysis, and prioritized answers to billing questions.
The support concierge is included as part of the Enterprise Support plan, which also
provides access to a Technical Account Manager (TAM), Infrastructure Event
Management, AWS Trusted Advisor, and 24/7 technical support. References: AWS
Support Plan Comparison, AWS Enterprise Support Plan, AWS Support Concierge
Question # 79
Which AWS service is always provided at no charge?
A. Amazon S3 B. AWS Identity and Access Management (IAM) C. Elastic Load Balancers D. AWS WAF
Answer: B
Explanation: AWS Identity and Access Management (IAM) is a web service that helps you
securely control access to AWS resources. You can use IAM to create and manage AWS
users and groups, and use permissions to allow and deny their access to AWS
resources. IAM is always provided at no charge12. References: 1: AWS Identity and
Access Management (IAM) - Amazon Web Services (AWS), 2: Which aws service is
always provided at no charge? - Brainly.in
Question # 80
A company must be able to develop, test, and launch an application in the AWS Cloudquickly.Which advantage of cloud computing will meet these requirements?
A. Stop guessing capacity B. Trade fixed expense for variable expense C. Achieve economies of scale D. Increase speed and agility
Answer: D
Explanation: One of the benefits of cloud computing is that it enables customers to
increase speed and agility in developing, testing, and launching applications. Cloud
computing provides on-demand access to a variety of IT resources, such as compute,
storage, networking, databases, and analytics, without requiring upfront investments or
long-term commitments. Customers can provision and release resources in minutes, scale
up and down as needed, and experiment with new technologies and features. This allows
customers to accelerate their innovation cycles, deliver faster time-to-market, and respond
to changing customer needs and demands
Question # 81
A company wants to run a NoSQL database on Amazon EC2 instances.Which task is the responsibility of AWS in this scenario"?
A. Update the guest operating system of the EC2 instances B. Maintain high availability at the database layer C. Patch the physical infrastructure that hosts the EC2 instances D. Configure the security group firewall
Answer: C
Explanation: When you run a NoSQL database on Amazon EC2 instances, you are
responsible for managing the database layer and the guest operating system of the
instances. This means that you need to perform tasks such as updating the operating
system, maintaining high availability, and configuring the security group firewall. AWS is
responsible for managing the physical infrastructure that hosts the EC2 instances. This
means that AWS ensures that the hardware and firmware of the servers, routers, switches,
and other devices are updated and secure. AWS also handles the power, cooling,
networking, and security of the data centers12. References: CLF-C02: Which task is
responsibility of AWS to run NoSQL database on …, Best Practices for Hosting NoSQL
Databases on Amazon EC2
Question # 82
Which service enables customers to audit API calls in their AWS accounts'?
A. AWS CloudTrail B. AWS Trusted Advisor C. Amazon Inspector D. AWS X-Ray
Answer: A
Explanation: AWS CloudTrail is a service that provides a record of actions taken by a
user, role, or an AWS service in your AWS account. CloudTrail captures all API calls for
AWS services as events, including calls from the AWS Management Console, AWS SDKs,
command line tools, and higher-level AWS services. You can use CloudTrail to monitor,
audit, and troubleshoot your AWS account activity34. AWS Trusted Advisor is a service
that provides best practices recommendations for cost optimization, performance, security,
and fault tolerance in your AWS account5. Amazon Inspector is a service that helps you
improve the security and compliance of your applications deployed on AWS by
automatically assessing them for vulnerabilities and deviations from best practices6. AWS
X-Ray is a service that helps you analyze and debug your applications by collecting data
about the requests that your application serves, and providing tools to view, filter, and gain
insights into that data7. References: Logging AWS Audit Manager API calls with
CloudTrail, Logging AWS Account Management API calls using AWS CloudTrail, Review
API calls in your AWS account using CloudTrail, Monitor the usage of AWS API calls using
Amazon CloudWatch, Which service enables customers to audit API calls in their AWS …
Question # 83
Which options are AWS Cloud Adoption Framework (AWS CAF) security perspectivecapabilities? (Select TWO.)
A. Observability B. Incident and problem management C. Incident response D. Infrastructure protection E. Availability and continuity
the confidentiality, integrity, and availability of their data and cloud workloads. It comprises
nine capabilities that are grouped into three categories: preventive, detective, and
responsive. Incident response and infrastructure protection are two of the capabilities in the
responsive and preventive categories, respectively. Incident response helps users prepare
for and respond to security incidents in a timely and effective manner, using tools and
processes that leverage AWS features and services. Infrastructure protection helps users
implement security controls and mechanisms to protect their cloud resources, such as
network, compute, storage, and database, from unauthorized access or malicious
attacks. References: Security perspective: compliance and assurance, AWS Cloud
Adoption Framework
Question # 84
A company is migrating its applications from on-premises to the AWS Cloud. The companywants to ensure that the applications are assigned only the minimum permissions that areneeded to perform all operations.Which AWS service will meet these requirements'?
A. AWS Identity and Access Management (IAM) B. Amazon CloudWatch C. Amazon Macie D. Amazon GuardDuty
Answer: A
Explanation: AWS Identity and Access Management (IAM) is a service that helps you
securely control access to AWS resources for your users. You use IAM to control who can
use your AWS resources (authentication) and what resources they can use and in what
ways (authorization). IAM also enables you to follow the principle of least privilege, which
means granting only the permissions that are necessary to perform a
A company needs to block SQL injection attacks. Which AWS service or feature can meet this requirement?
A. AWS WAF B. AWS Shield C. Network ACLs D. Security groups
Answer: A
Explanation: AWS WAF is a web application firewall that helps protect web applications
from common web exploits, such as SQL injection attacks. It allows customers to create
custom rules that block malicious requests. AWS Shield is a managed service that protects
against distributed denial of service (DDoS) attacks, not SQL injection attacks. Network
ACLs and security groups are network-level security features that filter traffic based on IP
addresses and ports, not web requests or SQL queries. References: [AWS WAF], [AWS
Shield], [Network ACLs], [Security groups]
Question # 87
A company wants durable storage for static content and infinitely scalable data storageinfrastructure at the lowest cost.Which AWS service should the company choose?
A. Amazon Elastic Block Store (Amazon EBS) B. Amazon S3 C. AWS Storage Gateway D. Amazon Elastic File System (Amazon EFS)
Answer: B
Explanation: Amazon S3 is a service that provides durable storage for static content and infinitely scalable data storage infrastructure at the lowest cost. Amazon S3 is an object
storage service that allows you to store and retrieve any amount of data from anywhere on
the internet. Amazon S3 offers industry-leading scalability, availability, and performance, as
well as 99.999999999% (11 9s) of durability and multi-AZ resilience. Amazon S3 also
provides various storage classes that offer different levels of performance and cost
optimization, such as S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access
(S3 Standard-IA), S3 One Zone-Infrequent Access (S3 One Zone-IA), and S3
Glacier456. Amazon S3 is ideal for storing static content, such as images, videos,
documents, and web pages, as well as building data lakes, backup and archive solutions,
big data analytics, and machine learning applications456. References: 4: Cloud Storage on
A company wants to migrate its on-premises relational databases to the AWS Cloud. Thecompany wants to use infrastructure as close to its current geographical location aspossible.Which AWS service or resource should the company use to select its Amazon RDSdeployment area?
A. Amazon Connect B. AWS Wavelength C. AWS Regions D. AWS Direct Connect
Answer: C
Explanation:
AWS Regions are the AWS service or resource that the company should use to select its
Amazon RDS deployment area. AWS Regions are separate geographic areas where AWS
clusters its data centers. Each AWS Region consists of multiple, isolated, and physically
separate Availability Zones within a geographic area. Each AWS Region is designed to be
isolated from the other AWS Regions to achieve the highest possible fault tolerance and
stability. AWS provides a more extensive global footprint than any other cloud provider, and
to support its global footprint and ensure customers are served across the world, AWS
opens new Regions rapidly. AWS maintains multiple geographic Regions, including
Regions in North America, South America, Europe, China, Asia Pacific, South Africa, and
the Middle East. Amazon RDS is available in several AWS Regions worldwide. To create
or work with an Amazon RDS DB instance in a specific AWS Region, you must use the
corresponding regional service endpoint. You can choose the AWS Region that meets your
latency or legal requirements. You can also use multiple AWS Regions to design a disaster
recovery solution or to distribute your read workload. References: Global Infrastructure
Regions & AZs - aws.amazon.com, Regions, Availability Zones, and Local Zones - Amazon
Relational Database Service
Question # 89
What does the concept of agility mean in AWS Cloud computing? (Select TWO.)
A. The speed at which AWS resources are implemented B. The speed at which AWS creates new AWS Regions C. The ability to experiment quickly D. The elimination of wasted capacity E. The low cost of entry into cloud computing
Answer: A,C
Explanation: Agility in AWS Cloud computing means the ability to rapidly provision and
deprovision AWS resources as needed, and the ability to experiment quickly with new
ideas and solutions. Agility helps businesses to respond to changing customer demands,
market opportunities, and competitive threats, and to innovate faster and cheaper. Agility
also reduces the risk of failure, as businesses can test and validate their assumptions
before committing to large-scale deployments. Some of the benefits of agility in AWS Cloud
computing are:
The speed at which AWS resources are implemented: AWS provides a variety of
services and tools that allow you to create, configure, and launch AWS resources
in minutes, using the AWS Management Console, the AWS Command Line
Interface (AWS CLI), the AWS Software Development Kits (AWS SDKs), or the
AWS CloudFormation templates. You can also use the AWS Cloud Development
Kit (AWS CDK) to define your AWS resources as code using familiar programming
languages, and synthesize them into AWS CloudFormation templates. You can
also use the AWS Service Catalog to create and manage standardized portfolios
of AWS resources that meet your organizational policies and best practices. AWS
also offers on-demand, pay-as-you-go pricing models, so you only pay for the
resources you use, and you can scale them up or down as your needs
change12345
The ability to experiment quickly: AWS enables you to experiment quickly with new
ideas and solutions, without having to invest in upfront capital or long-term
commitments. You can use AWS to create and test multiple prototypes,
hypotheses, and minimum viable products (MVPs) in parallel, and measure their
performance and feedback. You can also use AWS to leverage existing services
and solutions, such as AWS Marketplace, AWS Solutions, and AWS Quick Starts,
that can help you accelerate your innovation process. AWS also supports a culture
of experimentation and learning, by providing tools and resources for continuous
integration and delivery (CI/CD), testing, monitoring, and analytics.
References: Six advantages of cloud computing - Overview of Amazon Web
Services, AWS Cloud Development Kit (AWS CDK), AWS Service Catalog, AWS
Pricing, AWS CloudFormation, [Experimentation and Testing - AWS Well-Architected
A company wants to migrate to AWS and use the same security software it uses onpremises. The security software vendor offers its security software as a service on AWS.Where can the company purchase the security solution?
A. AWS Partner Solutions Finder B. AWS Support Center C. AWS Management Console D. AWS Marketplace
Answer: D
Explanation: AWS Marketplace is an online store that helps customers find, buy, and
immediately start using the software and services that run on AWS. Customers can choose
from a wide range of software products in popular categories such as security, networking,
storage, machine learning, business intelligence, database, and DevOps. Customers can
also use AWS Marketplace to purchase software as a service (SaaS) solutions that are
integrated with AWS. Customers can benefit from simplified procurement, billing, and
deployment processes, as well as flexible pricing options and free trials. Customers can
also leverage AWS Marketplace to discover and subscribe to solutions offered by AWS
Partners, such as the security software vendor mentioned in the
question. References: AWS Marketplace, [AWS Marketplace: Software as a Service
Which AWS service can a company use to visually design and build serverlessapplications?
A. AWS Lambda B. AWS Batch C. AWS Application Composer D. AWS App Runner
Answer: C
Explanation: AWS Application Composer is a service that allows users to visually design
and build serverless applications. Users can drag and drop components, such as AWS
Lambda functions, Amazon API Gateway endpoints, Amazon DynamoDB tables, and
Amazon S3 buckets, to create a serverless application architecture. Users can also
configure the properties, permissions, and dependencies of each component, and deploy
the application to their AWS account with a few clicks. AWS Application Composer simplifies the design and configuration of serverless applications, and reduces the need to
write code or use AWS CloudFormation templates. References: AWS Application
Composer, AWS releases Application Composer to make serverless ‘easier’ but initial
scope is limited
Question # 92
A company is hosting an application in the AWS Cloud. The company wants to verify thatunderlying AWS services and general AWS infrastructure are operating normally.Which combination of AWS services can the company use to gather the requiredinformation? (Select TWO.)
A. AWS Personal Health Dashboard B. AWS Systems Manager C. AWS Trusted Advisor D. AWS Service Health Dashboard E. AWS Service Catalog
Answer: A,D
Explanation:
AWS Personal Health Dashboard and AWS Service Health Dashboard are two AWS
services that can help the company to verify that underlying AWS services and general
AWS infrastructure are operating normally. AWS Personal Health Dashboard provides a
personalized view into the performance and availability of the AWS services you are using,
as well as alerts that are automatically triggered by changes in the health of those services.
In addition to event-based alerts, Personal Health Dashboard provides proactive
notifications of scheduled activities, such as any changes to the infrastructure powering
Question # 93
A company wants to migrate its on_premises workloads to the AWS Cloud. The companywants to separate workloads for chargeback to different departments.Which AWS services or features will meet these requirements? (Select TWO.)
A. Placement groups B. Consolidated billing C. Edge locations D. AWS Config E. Multiple AWS accounts
Answer: B,E
Explanation: Consolidated billing is a feature of AWS Organizations that enables
customers to consolidate billing and payment for multiple AWS accounts. With consolidated
billing, customers can group multiple AWS accounts under one payer account, making it
easier to manage billing and track costs across multiple accounts. Consolidated billing also
offers benefits such as volume discounts, Reserved Instance discounts, and Savings Plans
discounts. Consolidated billing is offered at no additional cost.
Multiple AWS accounts is a feature of AWS Organizations that enables customers to create
and manage multiple AWS accounts from a central location. With multiple AWS accounts,
customers can isolate workloads for different departments, projects, or environments, and
apply granular access controls and policies to each account. Multiple AWS accounts also
helps customers improve security, compliance, and governance of their AWS
resources56. References: 5: Consolidated billing for AWS Organizations - AWS
Service, 6: Working with AWS Neptune. Neptune is a fully-managed graph … - Medium
Question # 98
To reduce costs, a company is planning to migrate a NoSQL database to AWS.Which AWS service is fully managed and can automatically scale throughput capacity to meet database workload demands?
A. Amazon Redshift B. Amazon Aurora C. Amazon DynamoDB D. Amazon RDS
Answer: C
Explanation: Amazon DynamoDB is a fully managed, serverless, key-value NoSQL
database service that can deliver consistent, single-digit millisecond performance at any
scale. DynamoDB can automatically scale throughput capacity to meet the demands of the
database workload, without requiring any manual intervention. DynamoDB is ideal for
NoSQL applications that need high performance, availability, and scalability. DynamoDB
also offers features such as encryption at rest, point-in-time recovery, global tables, and inmemory
caching. References: What is NoSQL?, Amazon DynamoDB, [AWS Cloud
Practitioner Essentials: Module 4 - Databases in the Cloud]
Question # 99
A company is planning to host its workloads on AWS.Which AWS service requires the company to update and patch the guest operatingsystem?
A. Amazon DynamoDB B. Amazon S3 C. Amazon EC2 D. Amazon Aurora
Answer: C
Explanation: Amazon EC2 is an AWS service that provides scalable, secure, and
resizable compute capacity in the cloud. Amazon EC2 allows customers to launch and
manage virtual servers, called instances, that run a variety of operating systems and
applications. Customers have full control over the configuration and management of their
instances, including the guest operating system. Therefore, customers are responsible for
updating and patching the guest operating system on their EC2 instances, as well as any
other software or utilities installed on the instances. AWS provides tools and services, such
as AWS Systems Manager and AWS OpsWorks, to help customers automate and simplify
the patching process. References: Shared Responsibility Model, Shared responsibility
model, [Amazon EC2]
Question # 100
A company wants to quickly implement a continuous integration/continuous delivery(CI/CD) pipeline.Which AWS service will meet this requirement?
A. AWS Config B. Amazon Cognito C. AWS DataSync D. AWS CodeStar
Answer: D
Explanation: AWS CodeStar is a service that enables you to quickly develop, build, and
deploy applications on AWS. It provides a unified user interface for managing your
application lifecycle, including code repositories, build pipelines, deployments, and project
dashboards. AWS CodeStar also integrates with other AWS services, such as AWS
CodeCommit, AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline, to create a
complete CI/CD pipeline for your application12. References:
AWS CodeStar
AWS Certified Cloud Practitioner Exam Guide
Question # 101
A developer wants to deploy an application quickly on AWS without manually creating therequired resources. Which AWS service will meet these requirements?
A. Amazon EC2 B. AWS Elastic Beanstalk C. AWS CodeBuild D. Amazon Personalize
Answer: B
Explanation: AWS Elastic Beanstalk is a service that allows you to deploy and manage
applications on AWS without manually creating and configuring the required resources,
such as EC2 instances, load balancers, security groups, databases, and more. AWS
Elastic Beanstalk automatically handles the provisioning, scaling, load balancing, health
monitoring, and updating of your application, while giving you full control over the
underlying AWS resources if needed. AWS Elastic Beanstalk supports a variety of
platforms and languages, such as Java, .NET, PHP, Node.js, Python, Ruby, Go, and
Docker. You can use the AWS Management Console, the AWS CLI, the AWS SDKs, or the
AWS Elastic Beanstalk API to create and manage your applications. You can also use
AWS CodeStar, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, and AWS
CodePipeline to integrate AWS Elastic Beanstalk with your development and deployment
workflows12
Question # 102
A company website is experiencing DDoS attacks.Which AWS service can help protect the company website against these attacks?
A. AWS Resource Access Manager B. AWS Amplify C. AWS Shield D. Amazon GuardDuty
Answer: C
Explanation:
AWS Shield is a managed DDoS protection service that safeguards applications running on
AWS from distributed denial of service (DDoS) attacks. DDoS attacks are malicious
attempts to disrupt the normal functioning of a website or application by overwhelming it
with a large volume of traffic from multiple sources. AWS Shield provides two tiers of
protection: Standard and Advanced. AWS Shield Standard is automatically enabled for all
AWS customers at no additional cost. It protects your AWS resources, such as Amazon
CloudFront, AWS Global Accelerator, and Amazon Route 53, from the most common and
frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced is
an optional paid service that provides additional protection for your AWS resources and
applications, such as Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon Simple Storage Service (Amazon S3), Amazon Relational
Database Service (Amazon RDS), and AWS Elastic Beanstalk. AWS Shield Advanced
offers enhanced detection and mitigation capabilities, 24/7 access to the AWS DDoS
Response Team (DRT), real-time visibility and reporting, and cost protection against
DDoS-related spikes in your AWS bill12
References: AWS Shield, What is a DDOS Attack & How to Protect Your Site Against One
Question # 103
A company wants to generate a list of IAM users. The company also wants to view thestatus of various credentials that are associated with the users, such as password, accesskeys: and multi-factor authentication (MFA) devicesWhich AWS service or feature will meet these requirements?
A. IAM credential report B. AWS IAM Identity Center (AWS Single Sign-On) C. AWS Identity and Access Management Access Analyzer D. AWS Cost and Usage Report
Answer: A
Explanation: An IAM credential report is a feature of AWS Identity and Access
Management (IAM) that allows you to view and download a report that lists all IAM users in
your account and the status of their various credentials, such as passwords, access keys,
and MFA devices. You can use this report to audit the security status of your IAM users
and ensure that they follow the best practices for credential
management1. References: 1: AWS Documentation - IAM User Guide - Getting credential
reports for your AWS account
Question # 104
Which AWS service supports a hybrid architecture that gives users the ability to extendAWS infrastructure, AWS services, APIs, and tools to data centers, co-locationenvironments, or on-premises facilities?
A. AWS Snowmobile B. AWS Local Zones C. AWS Outposts D. AWS Fargate
Answer: C
Explanation: AWS Outposts is a service that delivers AWS infrastructure and services to
virtually any on-premises or edge location for a truly consistent hybrid experience. AWS
Outposts allows you to extend and run native AWS services on premises, and is available
in a variety of form factors, from 1U and 2U Outposts servers to 42U Outposts racks, and
multiple rack deployments. With AWS Outposts, you can run some AWS services locally
and connect to a broad range of services available in the local AWS Region. Run
applications and workloads on premises using familiar AWS services, tools, and APIs2.
AWS Outposts is the only AWS service that supports a hybrid architecture that gives users
the ability to extend AWS infrastructure, AWS services, APIs, and tools to data centers, colocation
environments, or on-premises facilities. References: On-Premises Infrastructure -
AWS Outposts Family
Question # 105
Which cloud concept is demonstrated by using AWS Compute Optimizer?
A. Security validation B. Rightsizing C. Elasticity D. Global reach
Answer: B
Explanation: Rightsizing is the cloud concept that is demonstrated by using AWS
Compute Optimizer. Rightsizing is the process of adjusting the type and size of your cloud
resources to match the optimal performance and cost for your workloads. AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of your AWS
resources, such as Amazon EC2 instances, Amazon EBS volumes, AWS Lambda
functions, and Amazon ECS services on AWS Fargate. It reports whether your resources
are optimal, and generates optimization recommendations to reduce the cost and improve
the performance of your workloads. AWS Compute Optimizer uses machine learning to
analyze your historical utilization data and compare it with the most cost-effective AWS
alternatives. You can use the recommendations to evaluate the trade-offs between cost
and performance, and decide when to move or resize your resources to achieve the best
results. References: Workload Rightsizing - AWS Compute Optimizer - AWS, What is AWS
Compute Optimizer? - AWS Compute Optimizer
Question # 106
Which AWS service or resource provides answers to the most frequently asked securityrelatedquestions that AWS receives from its users'?
A. AWS Artifact B. Amazon Connect C. AWS Chatbot D. AWS Knowledge Center
Answer: A
Explanation: AWS Artifact is your go-to, central resource for compliance-related
information that matters to you. It provides on-demand access to AWS’s security and
compliance reports and select online agreements. Reports available in AWS Artifact
include our Service Organization Control (SOC) reports, Payment Card Industry (PCI)
attestation of compliance, and certifications from accreditation bodies across geographies
and compliance verticals that validate the implementation and operating effectiveness of
AWS security controls. Agreements available in AWS Artifact include the Business
Associate Addendum (BAA) and the Nondisclosure Agreement (NDA). AWS Artifact helps
you answer the most frequently asked security and compliance questions that AWS
receives from its users. References: Compliance FAQ, Compliance Solutions Guide
Question # 107
A company wants to receive a notification when a specific AWS cost threshold is reached.Which AWS services or tools can the company use to meet this requirement? (SelectTWO.)
A. Amazon Simple Queue Service (Amazon SQS) B. AWS Budgets C. Cost Explorer D. Amazon CloudWatch E. AWS Cost and Usage Report
Answer: B,D
Explanation:
AWS Budgets and Amazon CloudWatch are two AWS services or tools that the company
can use to receive a notification when a specific AWS cost threshold is reached. AWS
Budgets allows users to set custom budgets to track their costs and usage, and respond
quickly to alerts received from email or Amazon Simple Notification Service (Amazon SNS)
notifications if they exceed their threshold. Users can create cost budgets with fixed or
variable target amounts, and configure their notifications for actual or forecasted spend.
Users can also set up custom actions to run automatically or through an approval process
when a budget target is exceeded. For example, users could automatically apply a custom
IAM policy that denies them the ability to provision additional resources within an account.
Amazon CloudWatch is a service that monitors applications, responds to performance
changes, optimizes resource use, and provides insights into operational health. Users can
use CloudWatch to collect and track metrics, which are variables they can measure for
their resources and applications. Users can create alarms that watch metrics and send
notifications or automatically make changes to the resources they are monitoring when a
threshold is breached. Users can use CloudWatch to monitor their AWS costs and usage
by creating billing alarms that send notifications when their estimated charges exceed a
specified threshold amount. Users can also use CloudWatch to monitor their Reserved
Instance (RI) or Savings Plans utilization and coverage, and receive notifications when they
fall below a certain level.
References: Cloud Cost And Usage Budgets - AWS Budgets, What is Amazon
CloudWatch?, Creating a billing alarm - Amazon CloudWatch
Question # 108
Which AWS service is a cloud security posture management (CSPM) service thataggregates alerts from various AWS services and partner products in a standardizedformat?
A. AWS Security Hub B. AWS Trusted Advisor C. Amazon EventBndge D. Amazon GuardDuty
Answer: A
Explanation: AWS Security Hub is a cloud security posture management (CSPM) service
that performs security best practice checks, aggregates alerts, and enables automated
remediation. Security Hub collects findings from the security services enabled across your
AWS accounts, such as intrusion detection findings from Amazon GuardDuty, vulnerability
scans from Amazon Inspector, and sensitive data identification findings from Amazon
Macie. Security Hub also collects findings from partner security products using a
standardized AWS Security Finding Format, eliminating the need for time-consuming data
parsing and normalization efforts. Customers can designate an administrator account that
can access all findings across their accounts. References: AWS Security Hub
Overview, AWS Security Hub FAQs
Question # 109
A company is migrating its workloads to the AWS Cloud. The company must retain fullcontrol of patch management for the guest operating systems that host its applications.Which AWS service should the company use to meet these requirements?
A. Amazon DynamoDB B. Amazon EC2 C. AWS Lambda D. Amazon RDS
Answer: B
Explanation: Amazon EC2 is the AWS service that the company should use to meet its
requirements of retaining full control of patch management for the guest operating systems
that host its applications. Amazon EC2 is a service that provides secure, resizable compute
capacity in the cloud. Users can launch virtual servers, called instances, that run various
operating systems, such as Linux, Windows, macOS, and more. Users have full
administrative access to their instances and can install and configure any software,
including patches and updates, on their instances. Users are responsible for managing the
security and maintenance of their instances, including patching the guest operating system
and applications. Users can also use AWS Systems Manager to automate and simplify the
patching process for their EC2 instances. AWS Systems Manager is a service that helps
users manage their AWS and on-premises resources at scale. Users can use AWS
Systems Manager Patch Manager to scan their instances for missing patches, define patch
baselines and maintenance windows, and apply patches automatically or manually across
their instances. Users can also use AWS Systems Manager to monitor the patch
compliance status and patching history of their instances. References: What is Amazon
EC2?, AWS Systems Manager Patch Manager
Question # 110
A customer runs an On-Demand Amazon Linux EC2 instance for 3 hours, 5 minutes, and 6seconds.For how much time will the customer be billed?
A. 3 hours, 5 minutes B. 3 hours, 5 minutes, and 6 seconds C. 3 hours, 6 minutes D. 4 hours
Answer: C
Explanation: Amazon EC2 usage is calculated by either the hour or the second based on
the size of the instance, operating system, and the AWS Region where the instances are
launched. Pricing is per instance-hour consumed for each instance, from the time an
instance is launched until it’s terminated or stopped. Each partial instance-hour consumed
is billed per-second for Linux instances and as a full hour for all other instance types1.
Therefore, the customer will be billed for 3 hours and 6 minutes for running an On-Demand
Amazon Linux EC2 instance for 3 hours, 5 minutes, and 6 seconds. References: Understand Amazon EC2 instance-hours billing
Question # 111
Which Amazon EC2 instance pricing model can provide discounts of up to 90%?
A. AWS Trusted Advisor B. AWS Consulting Partners C. AWS Artifacts D. AWS Managed Services
Answer: D
Explanation: AWS Managed Services is a service that provides operational management
for AWS infrastructure and applications. It helps users migrate their workloads to AWS and
provides ongoing support, security, compliance, and automation. AWS Trusted Advisor is a
service that provides best practices and recommendations for cost optimization,
performance, security, and fault tolerance. AWS Consulting Partners are professional
services firms that help customers design, architect, build, migrate, and manage their
workloads and applications on AWS. AWS Artifacts is a service that provides on-demand access to AWS compliance reports and select online agreements.
Question # 112
Which Amazon EC2 instance pricing model can provide discounts of up to 90%?
A. Reserved Instances B. On-Demand C. Dedicated Hosts D. Spot Instances
Answer: D
Explanation: Spot Instances are Amazon EC2 instances that are available at a discounted
price compared to On-Demand pricing. Spot Instances use spare EC2 capacity that is not
being used by other customers, and the price fluctuates based on supply and demand.
Customers can request Spot Instances for their applications and specify the maximum
price they are willing to pay per hour. If the Spot price is lower than the customer’s bid, the
Spot Instance is launched and the customer pays the current Spot price. However, if the
Spot price rises above the customer’s bid, the Spot Instance is terminated by AWS and the
customer is charged for the partial hour of usage. Therefore, Spot Instances can provide
discounts of up to 90% or more, but they are not suitable for applications that require
continuous or predictable availability. Spot Instances are recommended for applications
that are flexible, fault-tolerant, or have low priority, such as batch processing, data analysis,
or testing and development.
Question # 113
A company has deployed an Amazon EC2 instance.Which option is an AWS responsibility under the AWS shared responsibility model?
A. Managing and encrypting application data B. Installing updates and security patches of guest operating system C. Configuration of infrastructure devices D. Configuration of security groups on each instance
Answer: C
Explanation: According to the AWS shared responsibility model, AWS is responsible for
protecting the infrastructure that runs all of the services offered in the AWS Cloud, such as
data centers, hardware, software, networking, and facilities1. This includes the
configuration of infrastructure devices, such as routers, switches, firewalls, and load
balancers2. Customers are responsible for managing their data, applications, operating
systems, security groups, and other aspects of their AWS environment1. Therefore, options
A, B, and D are customer responsibilities, not AWS responsibilities. References: 1: AWS
Well-Architected Framework - Elasticity; 2: Reactive Systems on AWS - Elastic
Question # 114
An ecommerce company has migrated its IT infrastructure from an on-premises data centerto the AWS Cloud. Which cost is the company's direct responsibility?
A. Cost of application software licenses B. Cost of the hardware infrastructure on AWS C. Cost of power for the AWS servers D. Cost of physical security for the AWS data center
Answer: A
Explanation: The cost of application software licenses is the company’s direct
responsibility when it migrates its IT infrastructure from an on-premises data center to the
AWS Cloud. Application software licenses are the agreements that grant users the right to
use specific software products, such as operating systems, databases, or applications.
Depending on the type and terms of the license, users may need to pay a fee to the
Question # 115
A company needs a fully managed file server that natively supports Microsoft workloadsand file systems The file server must also support the SMB protocol.Which AWS service should the company use to meet these requirements?
A. Amazon Elastic File System (Amazon EFS) B. Amazon FSx for Lustre C. Amazon FSx for Windows File Server D. Amazon Elastic Block Store (Amazon EBS)
Answer: C
Explanation: Amazon FSx for Windows File Server is a fully managed file server that
supports Microsoft workloads and file systems, including the SMB protocol. It provides
features such as user quotas, end-user file restore, and Microsoft Active Directory
integration. Amazon EFS is a fully managed file system that supports the NFS protocol, not
SMB. Amazon FSx for Lustre is a fully managed file system that supports highperformance
computing workloads, not Microsoft workloads. Amazon EBS is a block
storage service that does not provide a file system or SMB support. References: Amazon
FSx for Windows File Server, Amazon FSx for Lustre, Amazon EFS, Amazon EBS
Question # 116
A company plans to migrate to the AWS Cloud. The company is gathering informationabout its on-premises infrastructure and requires information such as the hostname, IPaddress, and MAC address.Which AWS service will meet these requirements?
A. AWS DataSync B. AWS Application Migration Service C. AWS Application Discovery Service D. AWS Database Migration Service (AWS DMS)
Answer: C
Explanation: AWS Application Discovery Service is a service that helps you plan your
migration to the AWS Cloud by collecting usage and configuration data about your onpremises
servers and databases. This data includes information such as the hostname, IP
address, and MAC address of each server, as well as the performance metrics, network
connections, and processes running on them. You can use AWS Application Discovery
Service to discover your on-premises inventory, map the dependencies between servers
and applications, and estimate the cost and effort of migrating to AWS. You can also export
the data to other AWS services, such as AWS Migration Hub and AWS Database Migration
Service, to support your migration tasks. AWS Application Discovery Service offers two
ways of performing discovery: agentless discovery and agent-based discovery. Agentless
discovery uses a virtual appliance that you deploy on your VMware vCenter to collect data
from your virtual machines and hosts. Agent-based discovery uses an agent that you install
on each of your physical or virtual servers to collect data. You can choose the method that
best suits your environment and needs. AWS DataSync is a service that helps you transfer
data between your on-premises storage and AWS storage services, such as Amazon S3,
Amazon EFS, and Amazon FSx for Windows File Server. AWS DataSync does not collect
information about your on-premises infrastructure, but rather focuses on optimizing the
data transfer speed, security, and reliability. AWS Application Migration Service is a service that helps you migrate your applications from your on-premises or cloud environment to
AWS without making any changes to the applications, their architecture, or the migrated
servers. AWS Application Migration Service does not collect information about your onpremises
infrastructure, but rather uses a lightweight agent to replicate your servers as
Amazon Machine Images (AMIs) and launch them as EC2 instances on AWS. AWS
Database Migration Service is a service that helps you migrate your databases from your
on-premises or cloud environment to AWS, either as a one-time migration or as a
continuous replication. AWS Database Migration Service does not collect information about
your on-premises infrastructure, but rather uses a source and a target endpoint to connect
to your databases and transfer the data. References: AWS Application Discovery
A company wants to grant users in one AWS account access to resources in another AWS account. The users do not currently have permission to access the resources.Which AWS service will meet this requirement?
A. IAM group B. IAM role C. IAM tag D. IAM Access Analyzer
Answer: B
Explanation: IAM roles are a way to delegate access to resources in different AWS
accounts. IAM roles allow users to assume a set of permissions for a limited time without
having to create or share long-term credentials. IAM roles can be used to grant crossaccount
access by creating a trust relationship between the accounts and specifying the
permissions that the role can perform. Users can then switch to the role and access the
resources in the other account using temporary security credentials provided by the
role. References: Cross account resource access in IAM, IAM tutorial: Delegate access
across AWS accounts using IAM roles, How to Enable Cross-Account Access to the AWS
Management Console
Question # 118
A company is storing sensitive customer data in an Amazon S3 bucket. The companywants to protect the data from accidental deletion or overwriting.Which S3 feature should the company use to meet these requirements?
A. S3 Lifecycle rules B. S3 Versioning C. S3 bucket policies D. S3 server-side encryption
Answer: B
Explanation: S3 Versioning is a feature that allows you to keep multiple versions of an
object in the same bucket. You can use S3 Versioning to protect your data from accidental
deletion or overwriting by enabling it on a bucket or a specific object. S3 Versioning also
allows you to restore previous versions of an object if needed. S3 Lifecycle rules are used
to automate the transition of objects between storage classes or to expire objects after a
certain period of time. S3 bucket policies are used to control access to the objects in a
bucket. S3 server-side encryption is used to encrypt the data at rest in S3. References: S3
Which cloud computing advantage is a company applying when it uses AWS Regions toincrease application availability to users in different countries?
A. Pay-as-you-go pricing B. Capacity forecasting C. Economies of scale D. Global reach
Answer: D
Explanation: Global reach is a cloud computing advantage that a company can apply
when it uses AWS Regions to increase application availability to users in different
countries. Global reach refers to the ability to deploy applications and services in multiple
geographic locations around the world, and to serve customers with low latency and high
performance. AWS has the largest and most reliable global infrastructure of any cloud
provider, with 25 Regions and 81 Availability Zones across the Americas, Europe, Asia
Pacific, Africa, and the Middle East123. By using AWS Regions, a company can choose
the best location for its application based on customer proximity, compliance requirements,
and disaster recovery strategies23. References: 1: AWS Global Infrastructure - Amazon
Web Services (AWS), 2: Regions and Availability Zones - Amazon Elastic Compute
Cloud, 3: AWS Infrastructure: Regions and Availability Zones Explained
Question # 120
A user needs a relational database but does not have the resources to manage thehardware, resiliency, and replication.Which AWS service option meets the user's requirements'?
A. Run MySQL on Amazon Elastic Container Service (Amazon ECS) B. Run MySQL on Amazon EC2 C. Choose Amazon RDS for MySQL D. Choose Amazon ElastiCache for Redis
Answer: C
Explanation: Amazon RDS for MySQL is a fully managed, open-source cloud database
service that allows you to easily operate and scale your relational database of choice,
including MySQL. With Amazon RDS for MySQL, you don’t have to worry about the
hardware, resiliency, and replication of your database, as Amazon RDS handles these
tasks for you. Amazon RDS for MySQL also provides features such as automated backups,
multi-AZ deployments, read replicas, encryption, monitoring, and more. Amazon RDS for
MySQL is compatible with the MySQL Community Edition versions 5.7 and 8.0, which
means that you can use the same code, applications, and tools that you already use with
MySQL4567. References: 4: Hosted MySQL - Amazon RDS for MySQL - AWS, 5: Amazon
RDS for MySQL - Amazon Relational Database Service, 6: Amazon RDS for MySQL —
Elasticity in the AWS Cloud refers to which of the following? (Select TWO.)
A. How quickly an Amazon EC2 instance can be restarted B. The ability to rightsized resources as demand shifts C. The maximum amount of RAM an Amazon EC2 instance can use D. The pay-as-you-go billing model E. How easily resources can be procured when they are needed
Answer: B,E
Explanation:
Elasticity in the AWS Cloud refers to the ability to acquire resources as you need them and
release resources when you no longer need them. In the cloud, you want to do this
automatically1. This means that you can rightsized resources as demand shifts, and you
can easily procure resources when they are needed. Elasticity is not related to how quickly
an Amazon EC2 instance can be restarted, the maximum amount of RAM an Amazon EC2
instance can use, or the pay-as-you-go billing model. These are aspects of scalability,
performance, and cost, respectively2.
For more information on elasticity, you can refer to the following sources:
Elasticity - AWS Well-Architected Framework
Elastic - Reactive Systems on AWS
What is the difference between scalability and elasticity?
Question # 123
A company wants to automatically add and remove Amazon EC2 instances. The companywants the EC2 instances to adjust to varying workloads dynamically.Which service or feature will meet these requirements?
A. Amazon DynamoDB B. Amazon EC2 Spot Instances C. AWS Snow Family D. Amazon EC2 Auto Scaling
Answer: D
Explanation: Amazon EC2 Auto Scaling is a service that helps you maintain application
availability and allows you to automatically add or remove EC2 instances according to
definable conditions. You can create collections of EC2 instances, called Auto Scaling
groups, and specify the minimum and maximum number of instances in each group. You
can also define scaling policies that adjust the number of instances based on the demand
on your application. Amazon EC2 Auto Scaling helps you improve the performance,
reliability, and cost-efficiency of your EC2 workloads123. References: 1: VDI Desktops -
Amazon WorkSpaces Family - AWS, 2: What is Amazon EC2 Auto Scaling? - Amazon EC2
Auto Scaling, 3: Discover Amazon EC2 Auto Scaling Unit | Salesforce Trailhead
Question # 124
A company wants to create a globally accessible ecommerce platform for its customers.The company wants to use a highly available and scalable DNS web service to connectusers to the platform.Which AWS service will meet these requirements?
A. Amazon EC2 B. Amazon VPC C. Amazon Route 53 D. Amazon RDS
Answer: C
Explanation: Amazon Route 53 is a highly available and scalable Domain Name System
(DNS) web service that can route internet traffic to the company’s ecommerce
platform1. Route 53 can also register domain names, check the health of resources, and
provide global DNS features2. Route 53 can connect users to the platform by translating
human-readable names like www.example.com into the numeric IP addresses that
computers use to communicate with each other2. References: 1: Amazon Route 53 | DNS
Service | AWS; 2: What is Amazon Route 53? - Amazon Route 53
Question # 125
A company needs a bridge between technology and business to help evolve to a culture ofcontinuous growth and learning.Which perspective in the AWS Cloud Adoption Framework (AWS CAF) serves as thisbridge?
A. People B. Governance C. Operations D. Security
Answer: A
Explanation: The People perspective in the AWS Cloud Adoption Framework (AWS CAF)
serves as a bridge between technology and business, accelerating the cloud journey to
help organizations more rapidly evolve to a culture of continuous growth, learning, and
where change becomes business-as-normal, with focus on culture, organizational
structure, leadership, and workforce1. References: People Perspective - AWS Cloud
Adoption Framework
Question # 126
Which AWS service or tool helps users visualize, understand, and manage spending andusage over time?
A. AWS Organizations B. AWS Pricing Calculator C. AWS Cost Explorer D. AWS Service Catalog
Answer: C Explanation: AWS Cost Explorer is the AWS service or tool that helps users visualize, understand, and manage spending and usage over time. AWS Cost Explorer is a webbased interface that allows users to access interactive graphs and tables that display their AWS costs and usage data. Users can create custom reports that analyze cost and usage data by various dimensions, such as service, region, account, tag, and more. Users can also view historical data for up to the last 12 months, forecast future costs for up to the next 12 months, and get recommendations for cost optimization. AWS Cost Explorer also provides preconfigured views that show common cost and usage scenarios, such as monthly spend by service, daily spend by linked account, and Reserved Instance utilization. Users can use AWS Cost Explorer to monitor their AWS spending and usage trends, identify cost drivers and anomalies, and optimize their resource allocation and budget planning. References: Cloud Cost Analysis - AWS Cost Explorer - AWS, Analyzing your costs with AWS Cost Explorer
Question # 127
Which of the following is a software development framework that a company can use todefine cloud resources as code and provision the resources through AWSCloudFormation?
A. AWS CLI B. AWS Developer Center C. AWS Cloud Development Kit (AWS CDK) D. AWS CodeStar
Answer: C
Explanation: AWS Cloud Development Kit (AWS CDK) is a software development
framework that allows you to define cloud resources as code using familiar programming
languages, such as TypeScript, Python, Java, .NET, and Go (in Developer Preview). You
can use AWS CDK to model your application resources using high-level constructs that
provide sensible defaults and best practices, or use low-level constructs that provide full
access to the underlying AWS CloudFormation resources. AWS CDK synthesizes your
code into AWS CloudFormation templates that you can deploy using the AWS CDK CLI or
the AWS Management Console. AWS CDK also integrates with other AWS services, such
A company wants to migrate its database to a managed AWS service that is compatiblewith PostgreSQL.Which AWS services will meet these requirements? (Select TWO)
A. Amazon Athena B. Amazon RDS C. Amazon EC2 D. Amazon DynamoDB E. Amazon Aurora
Answer: B,E
Explanation: Amazon RDS and Amazon Aurora are both managed AWS services that
support the PostgreSQL database engine. Amazon RDS makes it easier to set up, operate,
and scale PostgreSQL deployments on the cloud, while Amazon Aurora is a cloud-native
database engine that is compatible with PostgreSQL and offers higher performance and
availability. Amazon Athena is a serverless query service that does not support
PostgreSQL, but can analyze data in Amazon S3 using standard SQL. Amazon EC2 is a
compute service that allows users to launch virtual machines, but does not provide any
database management features. Amazon DynamoDB is a NoSQL database service that is
not compatible with PostgreSQL, but offers fast and consistent performance at any
or Self-Managed? - NetApp, AWS Announces Amazon Aurora Supports PostgreSQL 12 InfoQ, Amazon Aurora vs PostgreSQL | What are the differences? - StackShare
Question # 129
A company wants to establish a private network connection between AWS and itscorporate network.Which AWS service or feature will meet this requirement?
A. Amazon Connect B. Amazon Route 53 C. AWS Direct Connect D. VPC peering
Answer: C
Explanation: AWS Direct Connect is a cloud service solution that makes it easy to
establish a dedicated network connection from your premises to AWS. Using AWS Direct
Connect, you can establish private connectivity between AWS and your datacenter, office,
or colocation environment, which in many cases can reduce your network costs, increase
bandwidth throughput, and provide a more consistent network experience than internetbased
connections12. References: 1: Dedicated Network Connection - AWS Direct
Connect - AWS, 2: What is AWS Direct Connect? - AWS Direct Connect
Question # 130
What is a benefit of using AWS serverless computing?
A. Application deployment and management are not required B. Application security will be fully managed by AWS C. Monitoring and logging are not needed D. Management of infrastructure is offloaded to AWS
Answer: D
Explanation: AWS serverless computing is a way of building and running applications
without thinking about servers. AWS manages the infrastructure for you, so you don’t have
to provision, scale, patch, or monitor servers. You only pay for the compute time you
consume, and you can focus on your application logic instead of managing
servers12. References: Serverless Computing – Amazon Web Services, AWS Serverless
Computing, Benefits, Architecture and Use-cases - XenonStack
Question # 131
A team of researchers is going to collect data at remote locations around the world Manylocations do not have internet connectivity. The team needs to capture the data in the field,and transfer it to the AWS Cloud laterWhich AWS service will support these requirements?
A. AWS Outposts B. AWS Transfer Family C. AWS Snow Family D. AWS Migration Hub
Answer: C
Explanation: AWS Snow Family is a group of devices that transport data in and out of
AWS. AWS Snow Family devices are physical devices that can transfer up to exabytes of
data. One exabyte is 1 000 000 000 000 megabytes. AWS Snow Family devices are
designed for use in remote locations where internet connectivity is limited or unavailable.
You can use these devices to collect and process data at the edge, and then ship them
back to AWS for data upload. AWS Snow Family consists of three types of devices: AWS
Snowcone, AWS Snowball, and AWS Snowmobile1234. References: 1: Edge Computing
Devices, Secure Data Transfer - AWS Snow Family - AWS, 2: AWS Snow Family
Documentation, 3: AWS Snow Family - W3Schools, 4: AWS Snow Family: Data Storage,
Migration, and Computation
Question # 132
Which AWS service or feature gives users the ability to capture information about networktraffic in a VPC?
A. VPC Flow Logs B. Amazon Inspector C. VPC route tables D. AWS CloudTrail
Answer: A
Explanation: VPC Flow Logs is a feature that enables you to capture information about the
IP traffic going to and from network interfaces in your VPC. Flow log data can be published
to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. You can use
A company is running a monolithic on-premises application that does not scale and isdifficult to maintain. The company has a plan to migrate the application to AWS and dividethe application into microservices.Which best practice of the AWS Well-Architected Framework is the company following withthis plan?
A. Integrate functional testing as part of AWS deployment. B. Use automation to deploy changes. C. Deploy the application to multiple locations. D. Implement loosely coupled dependencies.
Answer: D
Explanation: The company is following the best practice of implementing loosely coupled
dependencies by migrating the application to AWS and dividing the application into
microservices. Loosely coupled dependencies are a design principle of the AWS Well-
Architected Framework that helps to reduce the interdependencies between components
and improve the scalability, reliability, and performance of the system. By breaking down
the monolithic application into smaller, independent, and modular services, the company
can reduce the complexity and maintenance costs, increase the agility and flexibility, and
enable faster and more frequent deployments. AWS CloudFormation is an AWS service
that provides the ability to manage infrastructure as code. Infrastructure as code is a
process of defining and provisioning AWS resources using code or templates, rather than
manual actions or scripts. AWS CloudFormation allows users to create and update stacks
of AWS resources based on predefined templates that describe the desired state and
configuration of the resources. AWS CloudFormation automates and simplifies the
deployment and management of AWS resources, and ensures consistency and
repeatability across different environments and regions. AWS CloudFormation also
supports rollback, change sets, drift detection, and nested stacks features that help users
to monitor and control the changes to their infrastructure. References: Implementing
Loosely Coupled Dependencies, What is AWS CloudFormation?
Question # 134
A company wants to query its server logs to gain insights about its customers' experiences.Which AWS service will store this data MOST cost-effectively?
A. Amazon Aurora B. Amazon Elastic File System (Amazon EFS) C. Amazon Elastic Block Store (Amazon EBS) D. Amazon S3
Answer: D
Explanation: Amazon S3 is an AWS service that provides scalable, durable, and costeffective
object storage in the cloud. Amazon S3 can store any amount and type of data,
such as server logs, and offers various storage classes with different performance and
pricing characteristics. Amazon S3 is the most cost-effective option for storing server logs,
as it offers low-cost storage classes, such as S3 Standard-Infrequent Access (S3
Standard-IA) and S3 Intelligent-Tiering, that are suitable for infrequently accessed or
changing access patterns data. Amazon S3 also integrates with other AWS services, such
as Amazon Athena and Amazon OpenSearch Service, that can query the server logs
directly from S3 without requiring any additional data loading or
transformation. References: Amazon S3, Amazon S3 Storage Classes, Querying Data in
Amazon S3
Question # 135
A cloud practitioner needs to obtain AWS compliance reports before migrating anenvironment to the AWS Cloud How can these reports be generated?
A. Contact the AWS Compliance team B. Download the reports from AWS Artifact C. Open a case with AWS Support D. Generate the reports with Amazon Made
Answer: B
Explanation: AWS Artifact is a service that provides on-demand access to security and
compliance reports from AWS and Independent Software Vendors (ISVs) who sell their
products on AWS Marketplace. You can use AWS Artifact to download auditor-issued
reports, certifications, accreditations, and other third-party attestations of AWS compliance
with various standards and regulations, such as PCI-DSS, HIPAA, FedRAMP, GDPR, and
more1234. You can also use AWS Artifact to review, accept, and manage your agreements
with AWS and apply them to current and future accounts within your
Question # 136
A company is using Amazon DynamoDB.Which task is the company's responsibility, according to the AWS shared responsibilitymodel?
A. Patch the operating system B. Provision hosts C. Manage database access permissions. D. Secure the operating system
Answer: C
Explanation: According to the AWS shared responsibility model, AWS is responsible for
the security of the cloud, while customers are responsible for the security in the cloud. This
means that AWS is responsible for the physical servers, networking, and operating system
that run DynamoDB, while customers are responsible for the security of their data and
access to the database. Customers need to manage database access permissions, such
as creating and managing AWS Identity and Access Management (IAM) policies and roles,
and using encryption and key management options to protect their
data123. References: 1: Shared Responsibility Model - Amazon Web Services
Which type of AWS storage is ephemeral and is deleted when an Amazon EC2 instance isstopped or terminated?
A. Amazon Elastic Block Store (Amazon EBS) B. Amazon EC2 instance store C. Amazon Elastic File System (Amazon EFS) D. Amazon S3
Answer: B
Explanation: Amazon EC2 instance store provides temporary block-level storage for your
EC2 instance. This storage is located on disks that are physically attached to the host
computer. Instance store is ideal for temporary storage of information that changes
frequently, such as buffers, caches, scratch data, and other temporary content. It can also
be used to store temporary data that you replicate across a fleet of instances, such as a
load-balanced pool of web servers. An instance store consists of one or more instance
store volumes exposed as block devices. The size of an instance store as well as the
number of devices available varies by instance type and instance size. The virtual devices
for instance store volumes are ephemeral[0-23]. Instance types that support one instance
store volume have ephemeral0. Instance types that support two or more instance store
volumes have ephemeral0, ephemeral1, and so on. Instance store pricing Instance store
volumes are included as part of the instance’s usage cost. The data on an instance store
volume persists even if the instance is rebooted. However, the data does not persist if the
instance is stopped, hibernated, or terminated. When the instance is stopped, hibernated,
or terminated, every block of the instance store volume is cryptographically erased.
Therefore, do not rely on instance store volumes for valuable, long-term data. If you need
to retain the data stored on an instance store volume beyond the lifetime of the instance,
you need to manually copy that data to more persistent storage, such as an Amazon EBS
volume, an Amazon S3 bucket, or an Amazon EFS file system. There are some events that
can result in your data not persisting throughout the lifetime of the instance. The following
table indicates whether data on instance store volumes is persisted during specific events,
for both virtualized and bare metal instances1. References: Amazon EC2 instance store -
Amazon Elastic Compute Cloud
Question # 138
What is the purpose of having an internet gateway within a VPC?
A. To create a VPN connection to the VPC B. To allow communication between the VPC and the internet C. To impose bandwidth constraints on internet traffic D. To load balance traffic from the internet across Amazon EC2 instances
Answer: B
Explanation:
An internet gateway is a service that allows for internet traffic to enter into a VPC.
Otherwise, a VPC is completely segmented off and then the only way to get to it is
potentially through a VPN connection rather than through internet connection. An internet
gateway is a logical connection between an AWS VPC and the internet. It supports IPv4
and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your
network traffic1. An internet gateway enables resources in your public subnets (such as
EC2 instances) to connect to the internet if the resource has a public IPv4 address or an
IPv6 address. Similarly, resources on the internet can initiate a connection to resources in
your subnet using the public IPv4 address or IPv6 address2. An internet gateway also
provides a target in your VPC route tables for internet-routable traffic. For communication
using IPv4, the internet gateway also performs network address translation (NAT). For
communication using IPv6, NAT is not needed because IPv6 addresses are public2. To
enable access to or from the internet for instances in a subnet in a VPC using an internet
gateway, you must create an internet gateway and attach it to your VPC, add a route to
your subnet’s route table that directs internet-bound traffic to the internet gateway, ensure
that instances in your subnet have a public IPv4 address or an IPv6 address, and ensure
that your network access control lists and security group rules allow the desired internet
traffic to flow to and from your instance2. References: Connect to the internet using an
internet gateway, AWS Internet Gateway and VPC Routingc
Question # 139
A company has teams that have different job roles and responsibilities. The company'semployees often change teams. The company needs to manage permissions for theemployees so that the permissions are appropriate for the job responsibilities.Which IAM resource should the company use to meet this requirement with the LEASToperational overhead?
A. IAM user groups B. IAM roles C. IAM instance profiles D. IAM policies for individual users
Answer: B
Explanation: IAM roles are a way of granting temporary permissions to entities that need
to access AWS resources, such as users, applications, or services. IAM roles allow
customers to assign permissions to entities without having to create or manage IAM users
or credentials for them. IAM roles can be assumed by different entities depending on the
trust policy attached to the role. For example, IAM roles can be assumed by IAM users in
the same or different AWS accounts, AWS services such as EC2 or Lambda, or external
identities such as federated users or web identities. IAM roles can also be switched by IAM
users to temporarily change their permissions. IAM roles are recommended for managing
Question # 140
A company is running an Amazon EC2 instance in a VPC.An ecommerce company is using Amazon EC2 Auto Scaling groups to manage a fleet ofweb servers running on Amazon EC2.This architecture follows which AWS Well-Architected Framework best practice?
A. Secure the workload B. Decouple infrastructure components C. Design for failure D. Think parallel
Answer: C
Explanation: Design for failure is one of the best practices of the AWS Well-Architected
Framework. It means that the architecture should be resilient and fault-tolerant, and able to
handle failures without impacting the availability and performance of the applications. By
using Amazon EC2 Auto Scaling groups, the ecommerce company can design for failure
by automatically scaling the number of EC2 instances up or down based on demand or
health status. Amazon EC2 Auto Scaling groups can also distribute the EC2 instances
across multiple Availability Zones, which are isolated locations within an AWS Region that
have independent power, cooling, and network connectivity. This way, the company can
ensure that their web servers can handle traffic spikes, recover from failures, and provide a
consistent user experience
Question # 141
Which AWS service can a company use to find security and compliance reports, includingInternational Organization for Standardization (ISO) reports?
A. AWS Artifact B. Amazon CloudWatch C. AWS Config D. AWS Audit Manager
Answer: A
Explanation: AWS Artifact is a self-service portal that provides on-demand access to AWS
security and compliance reports and select online agreements. You can use AWS Artifact
to download AWS service audit reports, such as ISO, PCI, and SOC, and to accept and
manage agreements with AWS, such as the Business Associate Addendum (BAA).
Question # 142
Which perspective in the AWS Cloud Adoption Framework (AWS CAF) includes acapability for well-designed data and analytics architecture?
A. Security B. Governance C. Operations D. Platform
Answer: D
Explanation:
The correct answer is D. Platform.
The Platform perspective in the AWS Cloud Adoption Framework (AWS CAF) includes a
capability for well-designed data and analytics architecture. This capability helps you
design, implement, and optimize your data and analytics solutions on AWS, using services
such as Amazon S3, Amazon Redshift, Amazon EMR, Amazon Kinesis, Amazon Athena,
and Amazon QuickSight. A well-designed data and analytics architecture enables you to
collect, store, process, analyze, and visualize data from various sources, and derive
insights that can drive your business decisions12.
The Security perspective does not include a capability for data and analytics architecture,
but it does include a capability for data protection, which helps you secure your data at rest
and in transit using encryption, key management, access control, and auditing13.
The Governance perspective does not include a capability for data and analytics
architecture, but it does include a capability for data governance, which helps you manage the quality, availability, usability, integrity, and security of your data assets14.
The Operations perspective does not include a capability for data and analytics
architecture, but it does include a capability for data operations, which helps you monitor,
troubleshoot, and optimize the performance and availability of your data pipelines and
workloads1 .
References:
1: Foundational capabilities - An Overview of the AWS Cloud Adoption Framework 2: [AWS
A company has set up a VPC on AWS. The company needs a dedicated connectionbetween the VPC and the company’s on-premises network.Which action should the company take to meet this requirement?
A. Establish a VPN connection between the VPC and the company's on-premises network. B. Establish an AWS Direct Connect connection between the VPC and the company's onpremisesnetwork. C. Attach an internet gateway to the VPC. Use the AWS public endpoints for connectivity. D. Configure Amazon Connect to provide connectivity between the VPC and thecompany's on-premisesnetwork.
Answer: B
Explanation: Establishing an AWS Direct Connect connection between the VPC and the
company’s on-premises network is the action that the company should take to meet the
requirement of having a dedicated connection between the VPC and the company’s onpremises
network. AWS Direct Connect is a service that lets you establish a dedicated
network connection between your network and one of the AWS Direct Connect locations.
Using AWS Direct Connect, you can create a private connection between AWS and your
datacenter, office, or colocation environment, which can reduce your network costs,
increase bandwidth throughput, and provide a more consistent network experience than
internet-based connections. Establishing a VPN connection between the VPC and the company’s on-premises network is an action that the company can take to create a secure
and encrypted connection between the VPC and the company’s on-premises network, but
it is not a dedicated connection, as it uses the public internet as the transport mechanism.
Attaching an internet gateway to the VPC and using the AWS public endpoints for
connectivity is an action that the company can take to enable communication between the
VPC and the internet, but it is not a dedicated connection, as it also uses the public internet
as the transport mechanism. Configuring Amazon Connect to provide connectivity between
the VPC and the company’s on-premises network is not an action that the company can
take, because Amazon Connect is a service that lets you set up and manage a contact
center in the cloud, but it does not provide network connectivity between the VPC and the
company’s on-premises network.
Question # 144
Which AWS service is an in-memory data store service?
A. Amazon Aurora B. Amazon RDS C. Amazon DynamoDB D. Amazon ElastiCache
Answer: D
Explanation: Amazon ElastiCache is a fully managed in-memory data store and cache
service that delivers sub-millisecond response times to applications. You can use
ElastiCache as a primary data store for your applications, or as a cache to improve the
performance of your existing databases. ElastiCache supports two popular open-source inmemory
engines: Redis and Memcached5.
Question # 145
Which option is the default pricing model for Amazon EC2 instances?
A. On-Demand Instances B. Savings Plans C. Spot Instances D. Reserved Instances
Answer: A
Explanation: On-Demand Instances are the default pricing model for Amazon EC2
instances. They allow users to pay for compute capacity by the second, with no long-term
commitments or upfront payments. They are suitable for applications with short-term,
irregular, or unpredictable workloads that cannot be interrupted3. Savings Plans are a
pricing model that offer significant savings on Amazon EC2 and AWS Fargate usage, in
exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1-
year or 3-year term. Spot Instances are a pricing model that offer spare Amazon EC2
compute capacity at up to 90% discount compared to On-Demand prices, but they can be
interrupted by AWS with a two-minute notice when the demand exceeds the supply.
Reserved Instances are a pricing model that offer up to 75% discount compared to On-
Demand prices, in exchange for a commitment to use a specific instance type and size in a
specific region for a 1-year or 3-year term.
Question # 146
Which AWS service will allow a user to set custom cost and usage limits, and will alertwhen the thresholds are exceeded?
A. AWS Organizations B. AWS Budgets C. Cost Explorer D. AWS Trusted Advisor
Answer: B
Explanation: AWS Budgets allows you to set custom budgets that alert you when your
costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also
use AWS Budgets to set reservation utilization or coverage targets and receive alerts when
your utilization drops below the threshold you define. AWS Budgets provides you with a
comprehensive view of your cost and usage, as well as your reservation utilization and
coverage1.
Question # 147
A company's headquarters is located on a different continent from where the majority of thecompany's customers live. The company wants an AWS Cloud environment setup that willprovide the lowest latency to the customers.A company wants to automate the creation of new AWS accounts and automaticallyprevent all users from creating Amazon EC2instances.Which AWS service provides this functionality?
A. AWS Service Catalog B. AWS Organizations C. EC2 Image Builder D. AWS Systems Manager
Answer: B
Explanation: AWS Organizations is a service that enables you to create and manage
multiple AWS accounts centrally. You can use AWS Organizations to automate account
creation, apply policies to control access and permissions, and consolidate billing across
your accounts. You can also use AWS Organizations to prevent users from creating
Amazon EC2 instances in certain regions or with certain configurations2
Question # 148
A company is moving to the AWS Cloud to reduce operational overhead for its applicationinfrastructure.Which IT operation will the company still be responsible for after the migration to AWS?
A. Security patching of AWS Elastic Beanstalk B. Backups of data that is stored in Amazon Aurora C. Termination of Amazon EC2 instances that are managed by AWS Auto Scaling D. Configuration of 1AM access controls
Answer: D
Explanation: AWS Elastic Beanstalk, Amazon Aurora, and AWS Auto Scaling are
managed services that reduce the operational overhead for the customers. AWS is
responsible for security patching, backups, and termination of these services. However, the
customers are still responsible for configuring IAM access controls to manage the
permissions and policies for their AWS resources. This is part of the AWS shared
responsibility model, which defines the security and compliance responsibilities of AWS
and the customers. You can learn more about the AWS shared responsibility model
from this whitepaper or this digital course.
Question # 149
Which AWS Cloud benefit describes the ability to acquire resources as they are neededand release resources when they are no longer needed?
A. Economies of scale B. Elasticity C. Agility D. Security
Answer: B
Explanation: The AWS Cloud benefit that describes the ability to acquire resources as
they are needed and release resources when they are no longer needed is elasticity.
Elasticity means that users can quickly add and remove resources to match the demand of
their applications, and only pay for what they use. Elasticity enables users to handle
unpredictable workloads, reduce costs, and improve performance1. Economies of scale,
agility, and security are other benefits of the AWS Cloud, but they do not describe the
specific ability of acquiring and releasing resources on demand.
Question # 150
Which AWS service provides storage that can be mounted across multiple Amazon EC2instances?
A. Amazon Workspaces B. Amazon Elastic File System (Amazon EFS) C. AWS Database Migration Service (AWS DMS) D. AWS Snowball Edge
Answer: B
Explanation: Amazon EFS is a fully managed service that provides scalable and elastic
file storage for multiple Amazon EC2 instances. Amazon EFS supports the Network File
System (NFS) protocol, which allows multiple EC2 instances to access the same file
system concurrently. You can learn more about Amazon EFS from this webpage or this
digital course.
Question # 151
Which AWS service or storage class provides low-cost, long-term data storage?
A. Amazon S3 Glacier Deep Archive B. AWS Snowball C. Amazon MQ D. AWS Storage Gateway
Answer: A
Explanation: Amazon S3 Glacier Deep Archive is a storage class within Amazon S3 that
provides the lowest-cost, long-term data storage for data that is rarely accessed. AWS
Snowball is a service that provides a physical device for transferring large amounts of data
into and out of AWS. Amazon MQ is a service that provides managed message broker
service for Apache ActiveMQ. AWS Storage Gateway is a service that provides hybrid
cloud storage for on-premises applications.
Question # 152
A company is planning to migrate to the AWS Cloud. The company is conductingorganizational transformation and wants to become more responsive to customer inquiriesand feedback.Which tasks should the company perform to meet these requirements, according to theAWS Cloud AdoptionFramework (AWS CAF)? (Select TWO.)
A. Realign teams to focus on products and value streams. B. Create new value propositions with new products and services. C. Use agile methods to rapidly iterate and evolve. D. Use a new data and analytics platform to create actionable insights. E. Migrate and modernize legacy infrastructure.
Answer: A,C
Explanation: Realigning teams to focus on products and value streams, and using agile
methods to rapidly iterate and evolve are tasks that the company should perform to meet
the requirements of becoming more responsive to customer inquiries and feedback, according to the AWS Cloud Adoption Framework (AWS CAF). AWS CAF organizes
guidance into six areas of focus, called perspectives: business, people, governance,
platform, security, and operations. Each perspective is divided into capabilities, which
describe the skills and processes to execute the transition effectively. The people
perspective helps you prepare your organization for cloud adoption, and includes
capabilities such as organizational change management, staff skills and readiness, and
organizational alignment. The business perspective helps you align IT strategy with
business strategy, and includes capabilities such as business case development, value
proposition, and product ownership. Creating new value propositions with new products
and services is a task that belongs to the business perspective, but it is not directly related
to the requirement of becoming more responsive to customer inquiries and feedback. Using
a new data and analytics platform to create actionable insights is a task that belongs to the
platform perspective, which helps you design, implement, and optimize the architecture of
the AWS environment. However, it is also not directly related to the requirement of
becoming more responsive to customer inquiries and feedback. Migrating and modernizing
legacy infrastructure is a task that belongs to the operations perspective, which helps you
enable, run, use, operate, and recover IT workloads to the level agreed upon with your
business stakeholders. However, it is also not directly related to the requirement of
becoming more responsive to customer inquiries and feedback.
Question # 153
A company is assessing its AWS Business Support plan to determine if the plan still meetsthe company's needs. The company is considering switching to AWS Enterprise Support.Which additional benefit will the company receive with AWS Enterprise Support?
A. A full set of AWS Trusted Advisor checks B. Phone, email, and chat access to cloud support engineers 24 hours a day, 7 days aweek C. A designated technical account manager (TAM) to assist in monitoring and optimization D. A consultative review and architecture guidance for the company's applications
Answer: C
Explanation:
The additional benefit that the company will receive with AWS Enterprise Support is C. A
designated technical account manager (TAM) to assist in monitoring and optimization.
A TAM is a dedicated point of contact who works with the customer to understand their use
cases, applications, and goals, and provides proactive guidance and best practices to help
them optimize their AWS environment. A TAM also helps the customer with case
management, escalations, service updates, and feature requests12.
A full set of AWS Trusted Advisor checks is available for customers with Business,
Enterprise On-Ramp, or Enterprise Support plans1. Phone, email, and chat access to cloud
support engineers 24/7 is available for customers with Business, Enterprise On-Ramp, or
Enterprise Support plans1. A consultative review and architecture guidance for the
company’s applications is available for customers with Enterprise On-Ramp or Enterprise
Support plans1. Therefore, these benefits are not exclusive to AWS Enterprise Support.
Reference:
1: AWS Support Plan Comparison | Developer, Business, Enterprise …
Question # 154
A company needs to implement identity management for a fleet of mobile apps that arerunning in the AWS Cloud.Which AWS service will meet this requirement?
A. Amazon Cognito B. AWS Security Hub C. AWS Shield D. AWS WAF
Answer: A
Explanation: Amazon Cognito is a service that provides identity management for mobile
and web applications, allowing users to sign up, sign in, and access AWS resources with
different identity providers. AWS Security Hub is a service that provides a comprehensive
view of the security posture of AWS accounts and resources. AWS Shield is a service that
provides protection against distributed denial of service (DDoS) attacks. AWS WAF is a
web application firewall that helps protect web applications from common web exploits.
Question # 155
A company is running a workload in the AWS Cloud.Which AWS best practice ensures the MOST cost-effective architecture for the workload?
A. Loose coupling B. Rightsizing C. Caching D. Redundancy
Answer: B
Explanation: The AWS best practice that ensures the most cost-effective architecture for
the workload is rightsizing. Rightsizing means selecting the most appropriate instance
type or resource configuration that matches the needs of the workload. Rightsizing can
help optimize performance and reduce costs by avoiding over-provisioning or under- provisioning of resources1. Loose coupling, caching, and redundancy are other AWS best
practices that can improve the scalability, availability, and performance of the workload, but
they do not necessarily ensure the most cost-effective architecture.
Question # 156
A company is building an application on AWS. The application needs to comply with creditcard regulatory requirements. The company needs proof that the AWS services anddeployment are in compliance.Which actions should the company take to meet these requirements? (Select TWO.)
A. Use Amazon Inspector to submit the application for certification. B. Ensure that the application's underlying hardware components comply withrequirements. C. Use AWS Artifact to access AWS documents about the compliance of the services. D. Get the compliance of the application certified by a company assessor. E. Use AWS Security Hub to certify the compliance of the application.
Answer: C,D
Explanation: Using AWS Artifact to access AWS documents about the compliance of the
services, and getting the compliance of the application certified by a company assessor are
actions that the company should take to meet the requirements of complying with credit
card regulatory requirements. AWS Artifact is a service that provides on-demand access to
AWS security and compliance reports and select online agreements. Reports available in
AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and
compliance verticals that validate the implementation and operating effectiveness of AWS
security controls. AWS Artifact can help you demonstrate compliance with credit card
regulatory requirements by providing you with proof that the AWS services and deployment
are in compliance. Getting the compliance of the application certified by a company
assessor is an action that the company should take to ensure that the application meets
the specific requirements of the credit card industry. A company assessor is an
independent third-party entity that is qualified to assess the compliance of the application
with the relevant standards and regulations. Using Amazon Inspector to submit the
application for certification is not an action that the company should take, because Amazon
Inspector is a service that helps you improve the security and compliance of your
applications deployed on AWS by automatically assessing them for vulnerabilities and
deviations from best practices, but it does not provide certification for the applications.
Ensuring that the application’s underlying hardware components comply with requirements
is not an action that the company should take, because the application is deployed on
AWS, and AWS is responsible for the security and compliance of the underlying hardware
components. This is part of the shared responsibility model, where AWS is responsible for
security of the cloud, and customers are responsible for security in the cloud. Using AWS
Security Hub to certify the compliance of the application is not an action that the company
should take, because AWS Security Hub is a service that gives you a comprehensive view
of your security posture across your AWS accounts and helps you check your environment
against security industry standards and best practices, but it does not provide certification
for the applications.
Question # 157
Which Amazon S3 storage class is the MOST cost-effective for long-term storage?
A. S3 Glacier Deep Archive B. S3 Standard C. S3 Standard-Infrequent Access (S3 Standard-IA) D. S3 One Zone-Infrequent Access (S3 One Zone-IA)
Answer: A
Explanation: Amazon S3 Glacier Deep Archive is the lowest-cost storage class in the
cloud. It is designed for long-term data archiving that is rarely accessed. It offers a retrieval
time of 12 hours and a durability of 99.999999999% (11 9’s). It is ideal for data that must
be retained for 7 years or longer to meet regulatory compliance requirements.
Question # 158
A company deployed an application on an Amazon EC2 instance. The application ran asexpected for 6 months. In the past week, usershave reported latency issues. A system administrator found that the CPU utilization was at100% during business hours. The companywants a scalable solution to meet demand.Which AWS service or feature should the company use to handle the load for itsapplication during periods of high demand?
A. Auto Scaling groups B. AWS Global Accelerator C. Amazon Route 53 D. An Elastic IP address
Answer: A
Explanation: Auto Scaling groups are a feature that allows users to automatically scale the
number of Amazon EC2 instances up or down based on demand or a predefined
schedule. Auto Scaling groups can help improve the performance and availability of
applications by adjusting the capacity in response to traffic fluctuations1. AWS Global
Accelerator is a service that improves the availability and performance of applications by
routing traffic through AWS edge locations2. Amazon Route 53 is a service that provides scalable and reliable domain name system (DNS) service3. An Elastic IP address is a
static IPv4 address that can be associated with an Amazon EC2 instance4.
Question # 159
A company wants a list of all users in its AWS account, the status of all of the users' accesskeys, and if multi-factor authentication (MFA) has been configured.Which AWS service or feature will meet these requirements?
A. AWS Key Management Service (AWS KMS) B. IAM Access Analyzer C. IAM credential report D. Amazon CloudWatch
Answer: C
Explanation: IAM credential report is a feature that allows you to generate and download a
report that lists all IAM users in your AWS account and the status of their various
credentials, including access keys and MFA devices. You can use this report to audit the
security status of your IAM users and ensure that they follow the best practices for using
AWS1.
AWS Key Management Service (AWS KMS) is a service that allows you to create and manage encryption keys to protect your data. It does not provide information about IAM
users or their credentials2.
IAM Access Analyzer is a feature that helps you identify the resources in your AWS
account, such as S3 buckets or IAM roles, that are shared with an external entity. It does
not provide information about IAM users or their credentials3.
Amazon CloudWatch is a service that monitors and collects metrics, logs, and events from
your AWS resources and applications. It does not provide information about IAM users or
their credentials4.
References:
Getting credential reports for your AWS account - AWS Identity and Access
Management
AWS Key Management Service - Amazon Web Services
IAM Access Analyzer - AWS Identity and Access Management
Amazon CloudWatch - Amazon Web Services
Question # 160
Which of the following actions are controlled with AWS Identity and Access Management(1AM)? (Select TWO.)
A. Control access to AWS service APIs and to other specific resources. B. Provide intelligent threat detection and continuous monitoring. C. Protect the AWS environment using multi-factor authentication (MFA). D. Grant users access to AWS data centers. E. Provide firewall protection for applications from common web attacks.
Answer: A,C
Explanation: AWS Identity and Access Management (IAM) is a service that enables you
to manage access to AWS services and resources securely. You can use IAM to perform
the following actions:
Control access to AWS service APIs and to other specific resources: You can
create users, groups, roles, and policies that define who can access which AWS
resources and how. You can also use IAM to grant temporary access to users or
applications that need to perform certain tasks on your behalf3
Protect the AWS environment using multi-factor authentication (MFA): You can
enable MFA for your IAM users and root user to add an extra layer of security to
your AWS account. MFA requires users to provide a unique authentication code
from an approved device or SMS text message, in addition to their user name and
password, when they sign in to AWS4
Question # 161
A company needs an automated vulnerability management service that continually scansAWS workloads for software vulnerabilities.Which AWS service will meet these requirements?
A. Amazon GuardDuty B. Amazon Inspector C. AWS Security Hub D. AWS Shield
Answer: B
Explanation:
The correct answer is B. Amazon Inspector.
Amazon Inspector is an automated vulnerability management service that continually scans
AWS workloads for software vulnerabilities and unintended network exposure. Amazon
Inspector automatically discovers workloads, such as Amazon EC2 instances, containers,
and Lambda functions, and scans them for software vulnerabilities and unintended network
exposure12.
Amazon GuardDuty is a threat detection service that monitors your AWS accounts and
workloads for malicious or unauthorized activity. Amazon GuardDuty does not scan for
software vulnerabilities, but rather analyzes AWS CloudTrail, Amazon VPC Flow Logs, and
DNS logs to detect threats such as compromised credentials, backdoors, or crypto
mining3.
AWS Security Hub is a security and compliance service that aggregates and prioritizes
security findings from multiple AWS services and partner solutions. AWS Security Hub
does not scan for software vulnerabilities, but rather provides a comprehensive view of
your security posture across your AWS accounts4.
AWS Shield is a managed service that protects your web applications and network
resources from distributed denial-of-service (DDoS) attacks. AWS Shield does not scan for
software vulnerabilities, but rather provides detection and mitigation of DDoS attacks at the
For which AWS service is the customer responsible for maintaining the underlyingoperating system?
A. Amazon DynamoDB B. Amazon S3 C. Amazon EC2 D. AWS Lambda
Answer: C
Explanation: Amazon EC2 is a service that provides resizable compute capacity in the
cloud. Users can launch and manage virtual servers, known as instances, that run on the
AWS infrastructure. Users are responsible for maintaining the underlying operating system
of the instances, as well as any applications or software that run on them. Amazon
DynamoDB is a service that provides a fully managed NoSQL database that delivers fast
and consistent performance at any scale. Users do not need to manage the underlying
operating system or the database software. Amazon S3 is a service that provides scalable
and durable object storage in the cloud. Users do not need to manage the underlying
operating system or the storage infrastructure. AWS Lambda is a service that allows users
to run code without provisioning or managing servers. Users only need to upload their code
and configure the triggers and parameters. AWS Lambda takes care of the underlying
operating system and the execution environment.
Question # 163
A company wants to use the latest technologies and wants to minimize its capitalinvestment. Instead of upgrading on-premises infrastructure, the company wants to moveto the AWS Cloud.Which AWS Cloud benefit does this scenario describe?
A. Increased speed to market B. The trade of infrastructure expenses for operating expenses C. Massive economies of scale D. The ability to go global in minutes
Answer: B
Explanation: The trade of infrastructure expenses for operating expenses is one of the
benefits of the AWS Cloud. By moving to the AWS Cloud, the company can avoid the
upfront costs of purchasing and maintaining on-premises infrastructure, such as servers,
storage, network, and software. Instead, the company can pay only for the AWS resources
and services that they use, as they use them. This reduces the risk and complexity of
planning and managing IT infrastructure, and allows the company to focus on innovation
and growth. Increased speed to market, massive economies of scale, and the ability to go
global in minutes are also benefits of the AWS Cloud, but they are not the best ones to
describe this scenario. Increased speed to market means that the company can launch new products and services faster by using AWS services and tools. Massive economies of
scale means that the company can benefit from the lower costs and higher performance
that AWS achieves by operating at a large scale. The ability to go global in minutes means
that the company can deploy their applications and data in multiple regions and availability
zones around the world to reach their customers faster and improve performance and
reliability5
Question # 164
A company has deployed an application in the AWS Cloud. The company wants to ensurethat the application is highly resilient.Which component of AWS infrastructure can the company use to meet this requireme
A. Content delivery network (CDN) B. Edge locations C. Wavelength Zones D. Availability Zones
Answer: D
Explanation: Availability Zones are components of AWS infrastructure that can help the
company ensure that the application is highly resilient. Availability Zones are multiple,
isolated locations within each AWS Region. Each Availability Zone has independent power,
cooling, and physical security, and is connected to the other Availability Zones in the same
Region via low-latency, high-throughput, and highly redundant networking. Availability
Zones allow you to operate production applications and databases that are more highly
available, fault tolerant, and scalable than would be possible from a single data center.
Question # 165
A company wants an AWS service to provide product recommendations based on itscustomer data.Which AWS service will meet this requirement?
A. Amazon Polly B. Amazon Personalize C. Amazon Comprehend D. Amazon Rekognition
Answer: B
Explanation:
Amazon Personalize is an AWS service that helps developers quickly build and deploy a
custom recommendation engine with real-time personalization and user segmentation1. It
uses machine learning (ML) to analyze customer data and provide relevant
recommendations based on their preferences, behavior, and context. Amazon Personalize
can be used for various use cases such as optimizing recommendations, targeting
customers more accurately, maximizing the value of unstructured text, and promoting items
using business rules1.
The other options are not suitable for providing product recommendations based on
customer data. Amazon Polly is a service that converts text into lifelike speech. Amazon
Comprehend is a service that uses natural language processing (NLP) to extract insights
from text and documents. Amazon Rekognition is a service that uses computer vision (CV)
to analyze images and videos for faces, objects, scenes, and activities.
References:
1: Cloud Products - Amazon Web Services (AWS)
2: Recommender System – Amazon Personalize – Amazon Web Services
3: Top 25 AWS Services List 2023 - GeeksforGeeks
4: AWS to Azure services comparison - Azure Architecture Center
5: The 25+ Best AWS Cost Optimization Tools (Updated 2023) - CloudZero
6: Amazon Polly – Text-to-Speech Service - AWS
7: Natural Language Processing - Amazon Comprehend - AWS
8: Image and Video Analysis - Amazon Rekognition - AWS
Question # 166
A company needs to set a maximum spending limit on AWS services each month. Thecompany also needs to set up alerts for when the company reaches its spending limit.Which AWS service or tool should the company use to meet these requirements?
A. Cost Explorer B. AWS Trusted Advisor C. Service Quotas D. AWS Budgets
Answer: D
Explanation: AWS Budgets is a service that helps you plan your service usage, service
costs, and instance reservations, and track how close your plan is to your budgeted
amount. You can set custom budgets that alert you when you exceed (or are forecasted to
exceed) your budgeted thresholds. You can also use AWS Budgets to set a maximum
spending limit on AWS services each month and set up alerts for when you reach your
spending limit. Cost Explorer is a service that enables you to visualize, understand, and
manage your AWS costs and usage over time. You can use Cost Explorer to view charts
and graphs that show how your costs are trending, identify areas that need further inquiry,
and see the impact of your cost management actions. However, Cost Explorer does not
allow you to set a maximum spending limit or alerts for your AWS services. AWS Trusted
Advisor is a service that provides you real time guidance to help you provision your
resources following AWS best practices, including security and performance. It can help
you monitor for cost optimization opportunities, such as unused or underutilized resources,
but it does not allow you to set a maximum spending limit or alerts for your AWS services.
Service Quotas is a service that enables you to view and manage your quotas, also
referred to as limits, from a central location. Quotas, also referred to as limits, are the
maximum number of resources that you can create in your AWS account. However,
Service Quotas does not allow you to set a maximum spending limit or alerts for your AWS
services.
Question # 167
A company is migrating to the AWS Cloud to meet storage needs. The company wants tooptimize costs based on the amount of storage that the company uses.Which AWS offering or benefit will meet these requirements MOST cost-effectively?
A. Pay-as-you-go pricing B. Savings Plans C. AWS Free Tier D. Volume-based discounts
Answer: D
Explanation: Volume-based discounts are an AWS offering or benefit that can help the
company optimize costs based on the amount of storage that the company uses. Volume- based discounts are discounts that AWS provides for some storage services, such as
Amazon S3 and Amazon EBS, when the company stores a large amount of data. The more
data the company stores, the lower the price per GB. For example, Amazon S3 offers six
storage classes, each with a different price per GB. The price per GB decreases as the
amount of data stored in each storage class increases
Question # 168
A company has a MySQL database running on a single Amazon EC2 instance. Thecompany now requires higher availability in the event of an outage.Which set of tasks would meet this requirement?
A. Add an Application Load Balancer in front of the EC2 instance. B. Configure EC2 Auto Recovery to move the instance to another Availability Zone. C. Migrate to Amazon RDS and enable Multi-AZ. D. Enable termination protection for the EC2 instance to avoid outages.
Answer: C
Explanation: The set of tasks that would meet the requirement of having higher availability
for a MySQL database running on a single Amazon EC2 instance is to migrate to Amazon
RDS and enable Multi-AZ. Amazon RDS is a fully managed relational database service that
supports MySQL and other popular database engines. By enabling Multi-AZ, users can
have a primary database in one Availability Zone and a synchronous standby replica in
another Availability Zone. In case of a planned or unplanned outage of the primary
database, Amazon RDS automatically fails over to the standby replica with minimal
disruption3. Adding an Application Load Balancer in front of the EC2 instance, configuring
EC2 Auto Recovery to move the instance to another Availability Zone, or enabling
termination protection for the EC2 instance would not provide higher availability for the
database, as they do not address the single point of failure or data replication issues.
Question # 169
A company is building an application in the AWS Cloud. The company wants to usetemporary credentials for the application to access other AWS resources.Which AWS service will meet these requirements?
A. AWS Key Management Service (Aws KMS) B. AWS CloudHSM C. Amazon Cognito D. AWS Security Token Service (Aws STS)
Answer: D
Explanation: AWS Security Token Service (AWS STS) is a service that provides
temporary security credentials to users or applications that need to access AWS resources.
The temporary credentials have a limited lifetime and can be configured to last from a few
minutes to several hours. The credentials are not stored with the user or application, but
are generated dynamically and provided on request. The credentials work almost
identically to long-term access key credentials, but have the advantage of not requiring
distribution, rotation, or revocation1.
AWS Key Management Service (AWS KMS) is a service that provides encryption and
decryption services for data and keys. It does not provide temporary security credentials2.
AWS CloudHSM is a service that provides hardware security modules (HSMs) for
cryptographic operations and key management. It does not provide temporary security
credentials3.
Amazon Cognito is a service that provides user authentication and authorization for web
and mobile applications. It can also provide temporary security credentials for
authenticated users, but not for applications4.
Question # 170
Which AWS service uses AWS Compute Optimizer to provide sizing recommendationsbased on workload metrics?
A. Amazon EC2 B. Amazon RDS C. Amazon Lightsail D. AWS Step Functions
Answer: A
Explanation:
Amazon EC2 is a web service that provides secure, resizable compute capacity in the
cloud. It allows you to launch virtual servers, called instances, with different configurations
of CPU, memory, storage, and networking resources. AWS Compute Optimizer analyzes
the specifications and utilization metrics of your Amazon EC2 instances and generates
recommendations for optimal instance types that can reduce costs and improve
performance. You can view the recommendations on the AWS Compute Optimizer console
or the Amazon EC2 console12.
Amazon RDS, Amazon Lightsail, and AWS Step Functions are not supported by AWS
Compute Optimizer. Amazon RDS is a managed relational database service that lets you
set up, operate, and scale a relational database in the cloud. Amazon Lightsail is an easyto-
use cloud platform that offers everything you need to build an application or website,
plus a cost-effective, monthly plan. AWS Step Functions lets you coordinate multiple AWS
services into serverless workflows so you can build and update apps quickly3 .
Question # 171
Which of the following is a benefit of operating in the AWS Cloud?
A. The ability to migrate on-premises network devices to the AWS Cloud B. The ability to expand compute, storage, and memory when needed C. The ability to host custom hardware in the AWS Cloud D. The ability to customize the underlying hypervisor layer for Amazon EC2
Answer: B
Explanation: One of the benefits of operating in the AWS Cloud is the ability to expand
compute, storage, and memory when needed, which enables users to scale their
applications and resources up or down based on demand. This also helps users optimize
their costs and performance. The ability to migrate on-premises network devices to the
AWS Cloud, the ability to host custom hardware in the AWS Cloud, and the ability to
customize the underlying hypervisor layer for Amazon EC2 are not benefits of operating in
the AWS Cloud, as they are either not possible or not recommended by AWS
Question # 172
Which AWS service or feature enables users to encrypt data at rest in Amazon S3?
A. 1AM policies B. Server-side encryption C. Amazon GuardDuty D. Client-side encryption
Answer: B
Explanation: Server-side encryption is an encryption option that Amazon S3 provides to
encrypt data at rest in Amazon S3. With server-side encryption, Amazon S3 encrypts an
object before saving it to disk in its data centers and decrypts it when you download the
objects. You have three server-side encryption options to choose from: SSE-S3, SSE-C,
and SSE-KMS. SSE-S3 uses keys that are managed by Amazon S3. SSE-C allows you to
manage your own encryption keys. SSE-KMS uses keys that are managed by AWS Key
Management Service (AWS KMS)5.
Question # 173
A company runs a MySQL database in its on-premises data center. The company wants torun a copy of this database in the AWSCloud.Which AWS service would support this workload?
A. Amazon RDS B. Amazon Neptune C. Amazon ElastiCache for Redis D. Amazon Quantum Ledger Database (Amazon QLDB)
Answer: A
Explanation: Amazon Relational Database Service (Amazon RDS) is a web service that
makes it easier to set up, operate, and scale a relational database in the cloud. It provides
cost-efficient and resizable capacity, while automating time-consuming administration tasks
such as hardware provisioning, database setup, patching, and backups. Amazon RDS
supports six popular database engines: Amazon Aurora, PostgreSQL, MySQL, MariaDB,
Oracle Database, and SQL Server. Amazon RDS can support running a copy of a MySQL
database in the AWS Cloud, as it offers compatibility, scalability, and availability features.
Question # 174
A company wants to set up a high-speed connection between its data center and itsapplications that run on AWS. The company must not transfer data over the internet.Which action should the company take to meet these requirements?
A. Transfer data to AWS by using AWS Snowball. B. Transfer data to AWS by using AWS Storage Gateway. C. Set up a VPN connection between the data center and an AWS Region. D. Set up an AWS Direct Connect connection between the company network and AWS.
Answer: D
Explanation: AWS Direct Connect is a cloud service solution that makes it easy to
establish a dedicated network connection from a customer’s premises to AWS. AWS Direct
Connect does not involve the public internet, and therefore can reduce network costs,
increase bandwidth throughput, and provide a more consistent network experience than
internet-based connections. AWS Snowball is a petabyte-scale data transport service that
uses secure devices to transfer large amounts of data into and out of the AWS Cloud. AWS
Storage Gateway is a hybrid cloud storage service that gives customers on-premises
access to virtually unlimited cloud storage. A VPN connection enables customers to
establish a secure and private connection between their network and AWS.
Question # 175
A company has an application that runs periodically in an on-premises environment. Theapplication runs for a few hours most days, but runs for 8 hours a day for a week at the endof each month.Which AWS service or feature should be used to host the application in the AWS Cloud?
A. Amazon EC2 Standard Reserved Instances B. Amazon EC2 On-Demand Instances C. AWS Wavelength D. Application Load Balancer
Answer: B
Explanation: Amazon EC2 On-Demand Instances are instances that let you pay for
compute capacity by the hour or second (minimum of 60 seconds) with no long-term
commitments. This frees you from the costs and complexities of planning, purchasing, and
maintaining hardware and transforms what are commonly large fixed costs into much
smaller variable costs. On-Demand Instances are suitable for applications with short-term,
irregular, or unpredictable workloads that cannot be interrupted, such as periodic
applications that run for a few hours most days, but run for 8 hours a day for a week at the
end of each month2. Amazon EC2 Standard Reserved Instances are instances that
provide you with a significant discount (up to 75%) compared to On-Demand Instance
pricing. In exchange, you select a term and make an upfront payment to reserve a certain
amount of compute capacity for that term. Reserved Instances are suitable for applications
with steady state or predictable usage that require reserved capacity3. AWS Wavelength is
a service that enables developers to build applications that deliver ultra-low latency to
mobile devices and users by deploying AWS compute and storage at the edge of the 5G
network. Wavelength is suitable for applications that require single-digit millisecond latencies, such as game and live video streaming, machine learning inference at the edge,
and augmented and virtual reality (AR/VR). Application Load Balancer is a service that
operates at the request level (layer 7) and distributes incoming application traffic across
multiple targets, such as EC2 instances, containers, Lambda functions, and IP addresses.
Application Load Balancer is suitable for applications that need advanced routing
capabilities, such as microservices or container-based architectures.
Question # 176
A company wants to launch its web application in a second AWS Region. The companyneeds to determine which services must be regionally configured for this launch.Which AWS services can be configured at the Region level? (Select TWO.)
A. Amazon EC2 B. Amazon Route 53 C. Amazon CloudFront D. AWS WAF E. Amazon DynamoDB
Answer: B,D
Explanation: Amazon Route 53 and AWS WAF are AWS services that can be configured
at the Region level. Amazon Route 53 is a highly available and scalable cloud Domain
Name System (DNS) web service that lets you register domain names, route traffic to
resources, and check the health of your resources. AWS WAF is a web application firewall
that helps protect your web applications or APIs against common web exploits that may
affect availability, compromise security, or consume excessive resources. Amazon EC2,
Amazon CloudFront, and Amazon DynamoDB are AWS services that can be configured at
the global level or the Availability Zone level .
Question # 177
A company has created an AWS Cost and Usage Report and wants to visualize the report.Which AWS service should the company use to ingest and display this information?
A. Amazon QuickSight B. Amazon Pinpoint C. Amazon Neptune D. Amazon Kinesis
Answer: A
Explanation: Amazon QuickSight is an AWS service that provides business intelligence
and data visualization capabilities. Amazon QuickSight enables you to ingest, analyze, and
display data from various sources, such as AWS Cost and Usage Reports, Amazon S3,
Amazon Athena, Amazon Redshift, and Amazon RDS. You can use Amazon QuickSight to
create interactive dashboards and charts that show insights and trends from your data. You
can also share your dashboards and charts with other users or embed them into your
applications.
Question # 178
A company is looking for a managed machine learning (ML) service that can recommendproducts based on a customer's previous behaviors.Which AWS service meets this requirement?
A. Amazon Personalize B. Amazon SageMaker C. Amazon Pinpoint D. Amazon Comprehend
Answer: A
Explanation: The AWS service that meets the requirement of providing a managed
machine learning (ML) service that can recommend products based on a customer’s
previous behaviors is Amazon Personalize. Amazon Personalize is a fully managed
service that enables developers to create personalized recommendations for customers
using their own data. Amazon Personalize can automatically process and examine the
data, identify what is meaningful, select the right algorithms, and train and optimize a
personalized recommendation model2. Amazon SageMaker, Amazon Pinpoint, and
Amazon Comprehend are other AWS services related to machine learning, but they do not
provide the specific functionality of product recommendation.
Question # 179
Which benefits can customers gain by using AWS Marketplace? (Select TWO.)
A. Speed of business B. Fewer legal objections C. Ability to pay with credit cards D. No requirement for product licenses for any products E. Free use of all services for the first hour
Answer: A,B
Explanation: AWS Marketplace is a digital catalog that offers thousands of software
products and solutions from independent software vendors (ISVs) and AWS partners.
Customers can use AWS Marketplace to find, buy, and deploy software on AWS. Some of
the benefits of using AWS Marketplace are:
Speed of business: You can quickly and easily discover and deploy software that
meets your business needs, without having to go through lengthy procurement
processes. You can also use AWS Marketplace to test and compare different
solutions before making a purchase decision. Fewer legal objections: You can benefit from standardized contract terms and
conditions that are pre-negotiated between AWS and the ISVs. This reduces the
time and effort required to review and approve legal agreements.
Question # 180
A company wants to use guidelines from the AWS Well-Architected Framework to limithuman error and facilitate consistent responses to events.Which of the following is a Well-Architected design principle that will meet theserequirements?
A. Use AWS CodeDeploy. B. Perform operations as code. C. Migrate workloads to a Dedicated Host. D. Use AWS Compute Optimizer.
Answer: B
Explanation: This is a design principle of the operational excellence pillar of the AWS
Well-Architected Framework. Performing operations as code means using scripts,
templates, or automation tools to perform routine tasks, such as provisioning, configuration,
deployment, and monitoring. This reduces human error, increases consistency, and
enables faster recovery from failures. You can learn more about the operational excellence
pillar from this whitepaper or this digital course.
Question # 181
A company needs to set up user authentication for a new application. Users must be ableto sign in directly with a user name and password, or through a third-party provider.Which AWS service should the company use to meet these requirements?
A. AWS 1AM Identity Center (AWS Single Sign-On) B. AWS Signer C. Amazon Cognito D. AWS Directory Service
Answer: C
Explanation: Amazon Cognito is a service that provides user authentication and
authorization for web and mobile applications. You can use Amazon Cognito to enable
users to sign in directly with a user name and password, or through a third-party provider,
such as Facebook, Google, or Amazon. You can also use Amazon Cognito to manage user
profiles, preferences, and security settings3
Question # 182
AWS has the ability to achieve lower pay-as-you-go pricing by aggregating usage acrosshundreds of thousands of users.This describes which advantage of the AWS Cloud?
A. Launch globally in minutes B. Increase speed and agility C. High economies of scale D. No guessing about compute capacity
Answer: C
Explanation: AWS has the ability to achieve lower pay-as-you-go pricing by aggregating
usage across hundreds of thousands of users. This means that AWS can leverage its
massive scale and purchasing power to reduce the costs of infrastructure, hardware,
software, and operations. These savings are then passed on to the customers, who only
pay for the resources they use. You can learn more about the AWS pricing model from [this
webpage] or [this digital course].
Question # 183
Which AWS service or feature offers security for a VPC by acting as a firewall to controltraffic in and out of subnets?
A. AWS Security Hub B. Security groups C. Network ACL D. AWSWAF
Answer: C
Explanation: A network access control list (network ACL) is a feature that acts as a firewall
for controlling traffic in and out of one or more subnets in a virtual private cloud
(VPC). Network ACLs can be configured with rules that allow or deny traffic based on the
source and destination IP addresses, ports, and protocols1. AWS Security Hub is a service
that provides a comprehensive view of the security posture of AWS accounts and
resources2. Security groups are features that act as firewalls for controlling traffic at the
instance level3. AWS WAF is a web application firewall that helps protect web applications
from common web exploits4.
Question # 184
A company is using a central data platform to manage multiple types of data for itscustomers. The company wants to use AWS services to discover, transform, and visualizethe data.Which combination of AWS services should the company use to meet these requirements?(Select TWO.)
A. AWS Glue B. Amazon Elastic File System (Amazon EFS) C. Amazon Redshift D. Amazon QuickSight E. Amazon Quantum Ledger Database (Amazon QLDB)
Answer: A,C
Explanation: AWS Glue is a fully managed extract, transform, and load (ETL) service that
makes it easy to prepare and load data for analytics. AWS Glue can discover data sources,
transform data, and make it available for analysis by using data catalogs and workflows.
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud
that enables customers to analyze data using standard SQL and existing business
intelligence tools. Amazon Redshift can also integrate with other AWS services to visualize
and transform data. Amazon Elastic File System (Amazon EFS) provides a simple,
scalable, fully managed elastic NFS file system for use with AWS Cloud services and onpremises
resources. Amazon QuickSight is a fast, cloud-powered business intelligence
service that makes it easy to deliver insights to everyone in an organization. Amazon
Quantum Ledger Database (Amazon QLDB) is a fully managed ledger database that
provides a transparent, immutable, and cryptographically verifiable transaction log owned
by a central trusted authority.
Guiding You Through Your AWS Certified Cloud Practitioner Journey
AWS Certified Cloud Practitioner (CLF-C02) is the entry point to the world of AWS. For entering and coming out unscathed, foolproof training is necessary.
Salesforcexamdumps got solutions, i.e., the CLF-C02 practice test. These real-like CLF-C02 question answers simulation ensures a successful attempt every time. But before that, let us find out what the exam has for us.
What is the CLF-C02 Exam?
The CLF-C02 exam is the go-through passage to become AWS Certified. It is a 90-minute exam comprising approximately 65 CLF-C02 real exam questions.
AWS Certified Cloud Practitioner question answers take various formats, including multiple-choice and multiple-response. There is a hurdle of a minimum of 700 out of 1000 score.
What Does the AWS CCP Exam Covers?
The exam has four domains, each addressing distinct aspects of AWS:
1.Cloud Concepts: 26%
2.Security and Compliance: 25%
3.Technology: 33%
4.Billing and Pricing: 16%
The AWS CLF-C02 Exam Study Guide provides a comprehensive breakdown of what to expect in the exam. You can get quality CLF-C02 dumps at a feasible price from Salesforcexamdumps.
What is in CLF-C02 for my Career?
The CLF-C02 exam is a gateway for AWS Cloud professionals. It is a starting point leading to other AWS certifications. It helps you become cloud-literate, enabling you to work confidently with AWS services and tools.
CLF-C02 Dumps - Your Trusted Companion For Successful Exam Prep
You can trust CLF-C02 braindumps at Salesforcexamdumps to relay a complete review of each exam topic along with detailed explanations. Plus, our reliable staff regularly updates CLF-C02 question answers to keep pace with what is latest in the exam. Here are some FAQs to help you understand how the CLF-C02 dumps can enhance your AWS CCP exam preparation:
Q1: Why use the CLF-C02 Practice Test?
Think of it as a rehearsal before the actual big event. One can not ignore the prowess of CLF-C02 real exam questions simulation. It allows you to get comfortable with the actual exam.
Q2: How do CLF-C02 Braindumps help?
At the end of every practice, you receive feedback detailing your mistakes as well as your strong points. This insight is invaluable in understanding where to focus. Detailed explanations help you understand underlying concepts.
Q3: Are CLF-C02 Practice Tests Affordable?
Yes, we have made sure everybody can access the CLF-C02 braindumps. For a reasonable amount, we offer absolutely free access to the first three months of updates and demos.
Q4: Is Real-World Experience Important?
Absolutely! There is no denying that the CLF-C02 dumps will get you through all CLF-C02 real exam questions. Yet combining them with hands-on experience is your best bet in achieving AWS certification.
Q5: How To Access CLF-Co2 Question Answers?
Ready to try out our practice test? Click the "Start" button and begin your journey in the AWS Certified Cloud Practitioner direction.
If you have more questions or need further assistance, feel free to contact us at [email protected].
Good luck with your CLF-C02 exam preparation!
Amazon CLF-C02 Frequently Asked Questions
Customers Feedback
What our clients say about CLF-C02 Quiz Sheets
Leave a comment
Your email address will not be published. Required fields are marked *
Leave a comment
Your email address will not be published. Required fields are marked *