AWS Certified Cloud Practitioner Dumps December 2024
Are you tired of looking for a source that'll keep you updated on the AWS Certified Cloud Practitioner Exam, and that also has a collection of affordable, high-quality, and incredibly easy Amazon CLF-C02 Practice Questions? Well then, you are in luck because Salesforcexamdumps.com just updated them! Get ready to become AWS Certified Foundational certified.
Amazon CLF-C02 is a necessary certification exam to get certified. The certification is a reward to the deserving candidate with perfect results. The AWS Certified Foundational Certification validates a candidate's expertise to work with Amazon. In this fast-paced world, a certification is the quickest way to gain your employer's approval. Try your luck in passing the AWS Certified Cloud Practitioner Exam and becoming a certified professional today. Salesforcexamdumps.com is always eager to extend a helping hand by providing approved and accepted Amazon CLF-C02 Practice Questions. Passing AWS Certified Cloud Practitioner will be your ticket to a better future!
Pass with Amazon CLF-C02 Braindumps!
Contrary to the belief that certification exams are generally hard to get through, passing AWS Certified Cloud Practitioner is incredibly easy, provided you have access to a reliable resource such as the Salesforcexamdumps.com Amazon CLF-C02 PDF. We have been in this business long enough to understand where most of the resources went wrong. Passing the Amazon AWS Certified Foundational certification is all about having the right information. Hence, we filled our Amazon CLF-C02 Dumps with all the necessary data you need to pass. These carefully curated sets of AWS Certified Cloud Practitioner Practice Questions target the most repeated exam questions. So, you know they are essential and can ensure passing results. Stop wasting your time waiting around and order your set of Amazon CLF-C02 Braindumps now!
We aim to provide all AWS Certified Foundational certification exam candidates with the best resources at minimum rates. You can check out our free demo before pressing down the download to ensure Amazon CLF-C02 Practice Questions are what you wanted. And do not forget about the discount. We always provide our customers with a little extra.
Why Choose Amazon CLF-C02 PDF?
Unlike other websites, Salesforcexamdumps.com prioritizes the benefits of the AWS Certified Cloud Practitioner candidates. Not every Amazon exam candidate has full-time access to the internet. Plus, it's hard to sit in front of computer screens for too many hours. Are you also one of them? We understand; that's why we are here with the AWS Certified Foundational solutions. Amazon CLF-C02 Question Answers come in two different formats: PDF and Online Test Engine. One is for customers who like online platforms for realistic exam simulation. The other is for those who prefer keeping their material close at hand. Moreover, you can download or print Amazon CLF-C02 Dumps with ease.
Amazon CLF-C02 Sample Questions
Question # 1
A company has a centralized group of users with large file storage requirements that have exceeded the space available on premises. The company wants to extend its file storage capabilities for this group while retaining the performance benefit of sharing content locally. What is the MOST operationally efficient AWS solution for this scenario?
A. Create an Amazon S3 bucket for each user. Mount each bucket by using an S3 filesystem mounting utility.
B. Configure and deploy an AWS Storage Gateway file gateway. Connect each user's workstation to the file gateway.
C. Move each user's working environment to Amazon WorkSpaces. Set up an Amazon WorkDocs account for each user.
D. Deploy an Amazon EC2 instance and attach an Amazon Elastic Block Store (Amazon EBS) Provisioned IOPS volume. Share the EBS volume directly with the users.
Answer: B
Explanation: AWS Storage Gateway is a hybrid cloud storage service that allows you to extend your on-premises file storage capabilities to the AWS Cloud. AWS Storage Gateway file gateway enables you to store and access your files in Amazon S3 using industry-standard file protocols such as NFS and SMB. File gateway caches frequently accessed files locally, providing low-latency access to your data. File gateway also optimizes the transfer of data between your on-premises environment and AWS, minimizing the amount of bandwidth consumed. By using file gateway, you can retain the performance benefit of sharing content locally while leveraging the scalability, durability, and cost-effectiveness of Amazon S3.
References: AWS Storage Gateway, File Gateway
Question # 2
Which complimentary AWS service or tool creates data-driven business cases for cloud planning?
A. Migration Evaluator
B. AWS Billing Conductor
C. AWS Billing Console
D. Amazon Forecast
Answer: A
Explanation: Migration Evaluator is a cloud-based service that provides organizations with a comprehensive assessment of their current IT environment and estimates the cost savings and performance improvements that can be achieved by migrating to AWS. Migration Evaluator helps users build a data-driven business case for AWS by discovering over-provisioned on-premises instances, providing recommendations for cost-effective AWS alternatives, and analyzing existing licenses and cost comparisons of Bring Your Own License (BYOL) and License Included (LI) options.
Question # 3
Which AWS services or features provide disaster recovery solutions for Amazon EC2 instances? (Select TWO.)
A. EC2 Reserved Instances
B. EC2 Amazon Machine Images (AMIs)
C. Amazon Elastic Block Store (Amazon EBS) snapshots
D. AWS Shield
E. Amazon GuardDuty
Answer: B,C
Explanation: The correct answer is B and C. EC2 Amazon Machine Images (AMIs) and Amazon Elastic Block Store (Amazon EBS) snapshots are two AWS services that provide disaster recovery solutions for Amazon EC2 instances.
EC2 AMIs are preconfigured templates that contain the software configuration and data required to launch an EC2 instance. You can create AMIs from your running EC2 instances and use them to launch new instances in the same or different AWS Regions. This way, you can quickly recover your EC2 instances in case of a disaster that affects your primary Region or Availability Zone [1].
Amazon EBS snapshots are incremental backups of your Amazon EBS volumes. You can create snapshots of your volumes and store them in Amazon S3, which is a highly durable and scalable storage service. You can use snapshots to restore your volumes to a previous point in time or to create new volumes from snapshots. Snapshots can also be copied across AWS Regions, enabling you to recover your data in another Region in case of a disaster [2].
The other options are not directly related to disaster recovery for EC2 instances:
EC2 Reserved Instances are a pricing model that allows you to reserve EC2 capacity for a specific period of time and receive a discount on the hourly charge. Reserved Instances do not provide any disaster recovery benefits, as they are only a billing option [3].
AWS Shield is a managed service that protects your AWS resources from distributed denial-of-service (DDoS) attacks. AWS Shield provides basic protection for all AWS customers at no additional charge, and advanced protection for customers who need higher levels of detection and mitigation. AWS Shield does not provide any disaster recovery benefits, as it is only a security service [4].
Amazon GuardDuty is a threat detection service that monitors your AWS account and workloads for malicious or unauthorized activity. Amazon GuardDuty analyzes various data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs, to identify potential threats and alert you via Amazon CloudWatch Events or AWS Lambda. Amazon GuardDuty does not provide any disaster recovery benefits, as it is only a monitoring service [5].
Question # 4
Using AWS Identity and Access Management (IAM) to grant access only to the resources needed to perform a task is a concept known as:
A. restricted access.
B. as-needed access.
C. least privilege access.
D. token access.
Answer: C
Explanation: The concept of granting access only to the resources needed to perform a task is known as least privilege access. This is a security best practice in IAM that helps to reduce the risk of unauthorized or malicious actions. By applying least privilege access, you can limit the permissions of your IAM users, groups, and roles to the minimum required for their specific tasks. You can also use conditions, permissions boundaries, and IAM Access Analyzer to further restrict and verify access.
References: Security best practices in IAM, Policies and permissions in IAM, Use IAM policies to grant the least privileges required to access Amazon RDS resources, How to Design a Least Privilege Architecture in AWS, 12 Azure & AWS IAM Security Best Practices
Question # 5
Which AWS service or feature provides log information of the inbound and outbound traffic on network interfaces in a VPC?
A. Amazon CloudWatch Logs
B. AWS CloudTrail
C. VPC Flow Logs
D. AWS Identity and Access Management (IAM)
Answer: C
Explanation: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. You can use VPC Flow Logs to monitor network traffic, diagnose security issues, troubleshoot connectivity problems, and perform network forensics [1].
References: Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud
Question # 6
What is the best resource for a user to find compliance-related information and reports about AWS?
A. AWS Artifact
B. AWS Marketplace
C. Amazon Inspector
D. Increase operational costs across data centers.
Answer: A
Explanation: AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance reports and select online agreements. Users can download reports such as AWS ISO certifications, PCI reports, SOC reports, and GDPR DPA, and review and accept agreements such as BAA and NDA. AWS Artifact helps users to understand and meet compliance requirements for various standards and regulations that apply to AWS services and infrastructure. AWS Artifact is the best resource for a user to find compliance-related information and reports about AWS, whereas the other options are not
Question # 7
A company operates a petabyte-scale data warehouse to analyze its data. The company wants a solution that will not require manual hardware and software management. Which AWS service will meet these requirements?
A. Amazon DocumentDB (with MongoDB compatibility)
B. Amazon Redshift
C. Amazon Neptune
D. Amazon ElastiCache
Answer: B
Explanation: Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it simple and cost-effective to analyze all your data using your existing business intelligence tools. You can start small with no commitments, and scale to petabytes for less than a tenth of the cost of traditional solutions. Amazon Redshift does not require manual hardware and software management, as AWS handles all the tasks such as provisioning, patching, backup, recovery, failure detection, and repair [1][2]. Amazon Redshift also offers serverless capabilities, which allow you to access and analyze data without any configurations or capacity planning. Amazon Redshift automatically scales the data warehouse capacity to deliver fast performance for even the most demanding and unpredictable workloads [3]. Therefore, Amazon Redshift meets the requirements of the company, compared to the other options.
The other options are not suitable for the company's requirements, because:
Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly available, and fully managed document database service that supports MongoDB workloads. It is not designed for petabyte-scale data warehousing or analytics [4].
Amazon Neptune is a fast, reliable, and fully managed graph database service that makes it easy to build and run applications that work with highly connected datasets. It is not designed for petabyte-scale data warehousing or analytics [5].
Amazon ElastiCache is a fully managed in-memory data store and cache service that supports Redis and Memcached. It is not designed for petabyte-scale data warehousing or analytics.
References: What is Amazon Redshift? - Amazon Redshift; Amazon Redshift Features - Amazon Redshift; Amazon Redshift Serverless - Amazon Redshift; What Is Amazon DocumentDB (with MongoDB compatibility)? - Amazon DocumentDB (with MongoDB compatibility); What Is Amazon Neptune? - Amazon Neptune; What Is Amazon ElastiCache for Redis? - Amazon ElastiCache for Redis
Question # 8
A company wants to move its on-premises databases to managed cloud database services by using a simplified migration process. Which AWS service or tool can help the company meet this requirement?
A. AWS Storage Gateway
B. AWS Application Migration Service
C. AWS DataSync
D. AWS Database Migration Service (AWS DMS)
Answer: D
Explanation: AWS Database Migration Service (AWS DMS) is a cloud service that makes it possible to migrate relational databases, data warehouses, NoSQL databases, and other types of data stores. You can use AWS DMS to migrate your data into the AWS Cloud or between combinations of cloud and on-premises setups. With AWS DMS, you can discover your source data stores, convert your source schemas, and migrate your data. AWS DMS supports migration between 20-plus database and analytics engines, such as Oracle to Amazon Aurora MySQL-Compatible Edition, MySQL to Amazon Relational Database (RDS) for MySQL, Microsoft SQL Server to Amazon Aurora PostgreSQL-Compatible Edition, MongoDB to Amazon DocumentDB (with MongoDB compatibility), Oracle to Amazon Redshift, and Amazon Simple Storage Service (S3). You can perform one-time migrations or replicate ongoing changes to keep sources and targets in sync. AWS DMS automatically manages the deployment, management, and monitoring of all hardware and software needed for your migration. AWS DMS is a highly resilient, secure cloud service that provides database discovery, schema conversion, data migration, and ongoing replication to and from a wide range of databases and analytics systems [1][2].
References: Database Migration - AWS Database Migration Service - AWS; What is AWS Database Migration Service? - AWS Database Migration Service
Question # 9
A company wants to allow users to authenticate and authorize multiple AWS accounts by using a single set of credentials. Which AWS service or resource will meet this requirement?
A. AWS Organizations
B. IAM user
C. AWS IAM Identity Center (AWS Single Sign-On)
D. AWS Control Tower
Answer: C
Explanation: AWS IAM Identity Center (AWS Single Sign-On) is a cloud-based service that makes it easy to centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications. You can use AWS SSO to enable your users to sign in to the AWS Management Console or the AWS Command Line Interface (AWS CLI) with their existing corporate credentials [2]. You can also manage SSO access and user permissions across all your AWS accounts in AWS Organizations [3].
References: AWS Single Sign-On - AWS Documentation, AWS Organizations - AWS Documentation
Question # 10
An ecommerce company wants to use Amazon EC2 Auto Scaling to add and remove EC2 instances based on CPU utilization. Which AWS service or feature can initiate an Amazon EC2 Auto Scaling action to achieve this goal?
A. Amazon Simple Queue Service (Amazon SQS)
B. Amazon Simple Notification Service (Amazon SNS)
C. AWS Systems Manager
D. Amazon CloudWatch alarm
Answer: D
Explanation: Amazon CloudWatch alarm is an AWS service or feature that can initiate an Amazon EC2 Auto Scaling action based on CPU utilization. Amazon CloudWatch is a monitoring and observability service that collects and tracks metrics, logs, events, and alarms for your AWS resources and applications. Amazon CloudWatch alarms are actions that you can configure to send notifications or automatically make changes to the resources you are monitoring based on rules that you define [6][7].
Amazon EC2 Auto Scaling is a service that helps you maintain application availability and allows you to automatically add or remove EC2 instances according to definable conditions. You can create dynamic scaling policies that track a specific CloudWatch metric, such as CPU utilization, and define what action to take when the associated CloudWatch alarm is in ALARM. When the policy is in effect, Amazon EC2 Auto Scaling adjusts the group's desired capacity up or down when the threshold of an alarm is breached [8][9].
References: 6: Cloud Monitoring - Amazon CloudWatch - AWS, 7: Amazon CloudWatch Documentation, 8: Dynamic scaling for Amazon EC2 Auto Scaling, 9: Amazon EC2 Auto Scaling Documentation
Question # 11
A company needs to track the activity in its AWS accounts, and needs to know when an API call is made against its AWS resources. Which AWS tool or service can be used to meet these requirements?
A. Amazon CloudWatch
B. Amazon Inspector
C. AWS CloudTrail
D. AWS IAM
Answer: C
Explanation: AWS CloudTrail is the service that can be used to meet these requirements. AWS CloudTrail is a service that records AWS API calls for your account and delivers log files to you. The recorded information includes the identity of the API caller, the time of the API call, the source IP address of the API caller, the request parameters, and the response elements returned by the AWS service [1]. You can use CloudTrail to track the activity in your AWS accounts, such as who made an API call, when it was made, and what resources were affected. You can also use CloudTrail to monitor the compliance, security, and governance of your AWS environment [2].
The other services are not designed to track the activity and API calls in your AWS accounts. Amazon CloudWatch is a service that monitors and collects metrics, logs, and events from your AWS resources and applications. You can use CloudWatch to set alarms, visualize data, and automate actions based on predefined thresholds or rules [3]. Amazon Inspector is a service that helps you improve the security and compliance of your applications running on AWS. Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices [4]. AWS IAM is a service that enables you to manage access to AWS services and resources securely. IAM allows you to create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources.
References: AWS CloudTrail, AWS CloudTrail – Capture AWS API Activity, Amazon CloudWatch, Amazon Inspector, AWS IAM
Question # 12
Which AWS service enables companies to deploy an application close to end users?
A. Amazon CloudFront
B. AWS Auto Scaling
C. AWS AppSync
D. Amazon Route 53
Answer: A
Explanation: Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. CloudFront enables companies to deploy an application close to end users by caching the application's content at edge locations that are geographically closer to the users. This reduces the network latency and improves the user experience. CloudFront also integrates with other AWS services, such as Amazon S3, Amazon EC2, AWS Lambda, AWS Shield, and AWS WAF, to provide a secure and scalable solution for delivering applications [1][2].
References: What Is Amazon CloudFront? - Amazon CloudFront; Amazon CloudFront Features - Amazon CloudFront
Question # 13
A company needs to perform data processing once a week that typically takes about 5 hours to complete. Which AWS service should the company use for this workload?
A. AWS Lambda
B. Amazon EC2
C. AWS CodeDeploy
D. AWS Wavelength
Answer: B
Explanation: Amazon EC2 is the most suitable AWS service for this workload. Amazon EC2 provides secure, resizable compute capacity in the cloud. You can launch virtual servers, called instances, and configure them according to your needs. You can choose from different instance types, sizes, and families, and pay only for the resources you use. Amazon EC2 also offers features such as auto scaling, load balancing, security groups, and placement groups to optimize your performance, availability, and security [1]. Amazon EC2 is ideal for workloads that require consistent and reliable compute power, such as data processing, web hosting, gaming, and high-performance computing [2].
The other services are not suitable for this workload. AWS Lambda is a serverless compute service that lets you run code without provisioning or managing servers. You pay only for the compute time you consume. Lambda is best for short-lived, stateless, and event-driven workloads that can be completed in under 15 minutes [3]. AWS CodeDeploy is a deployment service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services. CodeDeploy is not a compute service, but a tool to help you update your applications with minimal downtime [4]. AWS Wavelength is a service that delivers ultra-low latency applications for 5G devices. Wavelength embeds AWS compute and storage services at the edge of telecommunications providers' 5G networks. Wavelength is designed for mobile edge computing, such as interactive gaming, video streaming, and augmented reality.
References: Amazon EC2, Amazon EC2 Use Cases, AWS Lambda, AWS CodeDeploy, AWS Wavelength
Question # 14
Which AWS service or tool gives users the ability to connect with AWS and deploy resources programmatically?
A. Amazon QuickSight
B. AWS PrivateLink
C. AWS Direct Connect
D. AWS SDKs
Answer: D
Explanation: AWS SDKs are a set of tools that allow users to connect with AWS and deploy resources programmatically. AWS SDKs provide libraries, code samples, documentation, and other resources to help users write code that interacts with AWS APIs. AWS SDKs support various programming languages, such as Java, Python, Ruby, .NET, Node.js, Go, and more. AWS SDKs make it easier for users to access AWS services, such as Amazon S3, Amazon EC2, Amazon DynamoDB, AWS Lambda, and more, from their applications. AWS SDKs also handle tasks such as authentication, error handling, retries, and data serialization, so users can focus on their application logic.
The other options are not AWS services or tools that give users the ability to connect with AWS and deploy resources programmatically. Amazon QuickSight is a business intelligence service that lets users create and share interactive dashboards and visualizations [1]. AWS PrivateLink is a service that enables users to securely access services hosted on AWS in a scalable and cost-effective manner [2]. AWS Direct Connect is a service that establishes a dedicated network connection between a user's premises and AWS [3].
Question # 15
Which AWS Cloud service can send alerts to customers if custom spending thresholds are exceeded?
A. AWS Budgets
B. AWS Cost Explorer
C. AWS Cost Allocation Tags
D. AWS Organizations
Answer: A
Explanation: AWS Budgets is a service that allows you to set custom budgets for your AWS costs and usage, and receive alerts via email or Amazon SNS notifications if you exceed or are forecasted to exceed your budgeted amount [1]. You can create budgets based on different dimensions, such as service, linked account, tag, or purchase option, and define various types of alerts, such as actual, forecasted, or RI utilization alerts [2]. You can also configure custom actions to automatically execute remediation tasks or workflows when a budget threshold is breached [3]. AWS Budgets is the only service among the options that can send alerts to customers if custom spending thresholds are exceeded. The other options are not AWS services that provide this functionality.
Question # 16
Which AWS feature provides a no-cost platform for AWS users to join community groups, ask questions, find answers, and read community-generated articles about best practices?
A. AWS Knowledge Center
B. AWS re:Post
C. AWS IQ
D. AWS Enterprise Support
Answer: B
Explanation: AWS re:Post is a no-cost platform for AWS users to join community groups, ask questions, find answers, and read community-generated articles about best practices. AWS re:Post is a social media platform that connects AWS users with each other and with AWS experts. Users can create posts, comment on posts, follow topics, and join groups related to AWS services, solutions, and use cases. AWS re:Post also features live event feeds, community stories, and AWS Hero profiles. AWS re:Post is a great way to learn from the AWS community, share your knowledge, and get inspired.
References: AWS re:Post; Join the Conversation
Question # 17
Which AWS service provides command line access to AWS tools and resources directly from a web browser?
A. AWS CloudHSM
B. AWS CloudShell
C. Amazon WorkSpaces
D. AWS Cloud Map
Answer: B
Explanation: AWS CloudShell is the service that provides command line access to AWS tools and resources directly from a web browser. AWS CloudShell is a browser-based shell that makes it easy to securely manage, explore, and interact with your AWS resources. It comes pre-authenticated with your console credentials and common development and administration tools are pre-installed, so no local installation or configuration is required. You can open AWS CloudShell from the AWS Management Console with a single click and start running commands and scripts using the AWS Command Line Interface (AWS CLI), Git, or SDKs. AWS CloudShell also provides persistent home directories with 1 GB of storage per AWS Region [1][2].
The other services do not provide command line access to AWS tools and resources directly from a web browser. AWS CloudHSM is a service that helps you meet corporate, contractual and regulatory compliance requirements for data security by using dedicated Hardware Security Module (HSM) appliances within the AWS Cloud [3]. Amazon WorkSpaces is a service that provides a fully managed, secure Desktop-as-a-Service (DaaS) solution that runs on AWS [4]. AWS Cloud Map is a service that makes it easy for your applications to discover and connect to each other using logical names and attributes [5].
References: AWS CloudShell, AWS CloudShell – Command-Line Access to AWS Resources, AWS CloudHSM, Amazon WorkSpaces, AWS Cloud Map
Question # 18
Which AWS service can run a managed PostgreSQL database that provides online transaction processing (OLTP)?
A. Amazon DynamoDB
B. Amazon Athena
C. Amazon RDS
D. Amazon EMR
Answer: C
Explanation: Amazon RDS is a fully managed relational database service that supports several database engines, including PostgreSQL. Amazon RDS can run a managed PostgreSQL database that provides online transaction processing (OLTP), which is a type of database workload that handles frequent read and write operations on small amounts of data. Amazon RDS for PostgreSQL offers high performance, availability, scalability, security, and compatibility with the PostgreSQL community edition. Amazon RDS also provides automated backups, point-in-time recovery, encryption, monitoring, and maintenance for PostgreSQL databases.
References: Hosted PostgreSQL - Amazon RDS for PostgreSQL; OLTP Database, MySQL And PostgreSQL Managed Database - Amazon Aurora; PostgreSQL options on AWS: Self-managed, managed, and serverless
Question # 19
Which responsibility belongs to AWS when a company hosts its databases on Amazon EC2 instances?
A. Database backups
B. Database software patches
C. Operating system patches
D. Operating system installations
Answer: C
Explanation: When a company hosts its databases on Amazon EC2 instances, AWS and the customer share the responsibility for the security and management of the database environment. According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. This means that AWS is responsible for protecting the infrastructure that runs the EC2 instances, such as the hardware, software, networking, and facilities. The customer is responsible for properly configuring the security of the provided service, such as the guest operating system, the database software, the data, and the network traffic [1][2].
One of the tasks that belongs to AWS when a company hosts its databases on Amazon EC2 instances is operating system patches. AWS provides regular updates and patches to the operating system of the EC2 instances, which are applied automatically by default. The customer can also choose to manually apply the patches or schedule them for a specific time window [3]. Operating system patches are important for maintaining the security and performance of the EC2 instances and the databases running on them.
The other tasks that belong to AWS when a company hosts its databases on Amazon EC2 instances are:
Operating system installations: AWS provides a variety of operating system options for the EC2 instances, such as Linux, Windows, and Amazon Linux. The customer can choose the operating system that best suits their database needs and AWS will install it on the EC2 instances [4].
Server maintenance: AWS performs regular maintenance and repairs on the physical servers that host the EC2 instances, ensuring that they are in optimal condition and have adequate power, cooling, and network connectivity [5].
Hardware lifecycle: AWS manages the lifecycle of the hardware that supports the EC2 instances, such as replacing faulty components, upgrading equipment, and decommissioning old servers.
The tasks that do not belong to AWS when a company hosts its databases on Amazon EC2 instances are:
Database backups: The customer is responsible for backing up their data and databases on the EC2 instances, using tools such as Amazon S3, Amazon EBS snapshots, or AWS Backup. Database backups are essential for data protection and recovery in case of failures or disasters.
Database software patches: The customer is responsible for applying patches and updates to the database software on the EC2 instances, such as MySQL, PostgreSQL, Oracle, or SQL Server. Database software patches are important for fixing bugs, improving features, and addressing security vulnerabilities.
Database software install: The customer is responsible for installing the database software on the EC2 instances, choosing the version and configuration that meets their requirements. AWS provides some preconfigured AMIs (Amazon Machine Images) that include common database software, or the customer can use their own custom AMIs.
References: Shared Responsibility Model - Amazon Web Services (AWS); Shared responsibility model - Amazon Web Services: Risk and Compliance; Patching Amazon EC2 instances - AWS Systems Manager; Amazon EC2 FAQs - Amazon Web Services; Maintenance and Retirements - Amazon Elastic Compute Cloud; Hardware Lifecycle - Amazon Web Services (AWS); Backing Up Your Data - Amazon Web Services (AWS); Database Patching - Amazon Web Services (AWS); Installing Database Software on Amazon EC2 Instances - Amazon Web Services (AWS)
Question # 20
A developer needs to maintain a development environment infrastructure and a production environment infrastructure in a repeatable fashion. Which AWS service should the developer use to meet these requirements?
A. AWS Ground Station
B. AWS Shield
C. AWS IoT Device Defender
D. AWS CloudFormation
Answer: D
Explanation: AWS CloudFormation is a service that allows developers to model and provision their AWS infrastructure in a repeatable and declarative way, using code and templates. AWS CloudFormation enables developers to define the resources they need for their development and production environments, such as compute, storage, network, and application services, and automate their creation and configuration. AWS CloudFormation also provides features such as change sets, nested stacks, and rollback triggers to help developers manage and update their infrastructure safely and efficiently [1][2].
References: AWS CloudFormation; What is AWS CloudFormation?
Question # 21
Which Amazon EC2 pricing model is the MOST cost efficient for an uninterruptible workload that runs once a year for 24 hours?
A. On-Demand Instances B. Reserved Instances C. Spot Instances D. Dedicated Instances
Answer: A
Explanation: On-Demand Instances are the most cost-efficient pricing model for an uninterruptible workload that runs once a year for 24 hours. On-Demand Instances let you pay for compute capacity by the hour or second, depending on which instances you run. No long-term commitments or up-front payments are required. You can increase or decrease your compute capacity to meet the demands of your application and only pay the specified hourly rates for the instance you use [1]. This model is suitable for developing/testing applications with short-term or unpredictable workloads [2]. The other pricing models are not cost-efficient for this use case. Reserved Instances and Savings Plans require a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years. They provide significant discounts compared to On-Demand Instances, but they are not flexible or scalable for workloads that run only once a year [1][2]. Spot Instances are the cheapest option, but they are not suitable for uninterruptible workloads, as they can be reclaimed by AWS at any time. They are recommended for applications that have flexible start and end times, or that are only feasible at very low compute prices [1][2]. Dedicated Instances are designed for compliance and licensing requirements, not for cost optimization. They are more expensive than the other options, as they run on single-tenant hardware [1][2].
References: Amazon EC2 – Secure and resizable compute capacity – AWS; Amazon EC2 - How AWS Pricing Works
Question # 22
A company is migrating to the AWS Cloud and plans to run experimental workloads for 3 to 6 months on AWS. Which pricing model will meet these requirements?
A. Use Savings Plans for a 3-year term. B. Use Dedicated Hosts. C. Buy Reserved Instances. D. Use On-Demand Instances.
Answer: D
Explanation: On-Demand Instances are the most flexible and cost-effective pricing model for short-term, experimental, or unpredictable workloads on AWS. On-Demand Instances let you pay only for the resources you use, without any long-term commitments or upfront fees. You can easily start and stop instances as needed, and scale up or down depending on your demand.
Savings Plans, Reserved Instances, and Dedicated Hosts are all pricing models that require a commitment for a certain amount of usage or capacity for a one- or three-year term. These pricing models offer lower prices than On-Demand Instances, but they are not suitable for workloads that only run for 3 to 6 months or have variable usage patterns. Savings Plans and Reserved Instances also offer flexibility to change instance types, sizes, or regions within the same family or pool, while Dedicated Hosts are physical servers that can only run specific instance types.
Question # 23
A user wants to allow applications running on an Amazon EC2 instance to make calls to other AWS services. The access granted must be secure. Which AWS service or feature should be used?
A. Security groups B. AWS Firewall Manager C. IAM roles D. IAM user SSH keys
Answer: C
Explanation: IAM roles are a secure way to grant permissions to applications running on an Amazon EC2 instance to make calls to other AWS services. IAM roles are entities that have specific permissions policies attached to them. You can create an IAM role and associate it with an EC2 instance when you launch it or later. The applications on the instance can then use the temporary credentials provided by the role to access AWS resources that the role allows. This way, you do not have to store any long-term credentials or access keys on the instance, which reduces the risk of compromise or misuse [1][2].
The other options are not correct, because:
Security groups are virtual firewalls that control the inbound and outbound traffic for your EC2 instances. Security groups do not grant permissions to access other AWS services, but rather filter the network traffic based on rules that you define [3].
AWS Firewall Manager is a service that helps you centrally configure and manage firewall rules across your accounts and resources. AWS Firewall Manager works with AWS WAF, AWS Shield Advanced, and Amazon VPC security groups. AWS Firewall Manager does not grant permissions to access other AWS services, but rather helps you enforce consistent security policies across your AWS infrastructure [4].
IAM user SSH keys are credentials that allow you to connect to your EC2 instance using SSH. SSH keys do not grant permissions to access other AWS services, but rather authenticate your identity when you log in to your instance [5].
References: Using an IAM role to grant permissions to applications running on Amazon EC2 instances - AWS Identity and Access Management; IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud; Security groups for your VPC - Amazon Virtual Private Cloud; What is AWS Firewall Manager? - AWS Firewall Manager; Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud
Question # 24
Which AWS service or feature will search for and identify AWS resources that are shared externally?
A. Amazon OpenSearch Service B. AWS Control Tower C. AWS IAM Access Analyzer D. AWS Fargate
Answer: C
Explanation: AWS IAM Access Analyzer is an AWS service that helps customers identify and review the resources in their AWS account that are shared with an external entity, such as another AWS account, a root user, an organization, or a public entity. AWS IAM Access Analyzer uses automated reasoning, a form of mathematical logic and inference, to analyze the resource-based policies in the account and generate comprehensive findings that show the access level, the source of the access, the affected resource, and the condition under which the access applies. Customers can use AWS IAM Access Analyzer to audit their shared resources, validate their access policies, and monitor any changes to the resource sharing status.
References: AWS IAM Access Analyzer; Identify and review resources shared with external entities; How AWS IAM Access Analyzer works
Question # 25
Which AWS service or feature improves network performance by sending traffic through the AWS worldwide network infrastructure?
A. Route table B. AWS Transit Gateway C. AWS Global Accelerator D. Amazon VPC
Answer: C
Explanation: AWS Global Accelerator is a service that improves network performance by sending traffic through the AWS worldwide network infrastructure. It uses the AWS global network to direct TCP or UDP traffic to a healthy application endpoint in the closest AWS Region to the client. This provides improvements in terms of latency, throughput, and jitter. Global Accelerator also introduces features such as TCP termination at the edge, jumbo frame support, and large receive side window and TCP buffers to optimize data transfer [1][2]. Route table, AWS Transit Gateway, and Amazon VPC are not services or features that improve network performance by sending traffic through the AWS worldwide network infrastructure. Route table is a resource that defines how traffic is routed within a VPC [3]. AWS Transit Gateway is a service that enables you to connect your VPCs and on-premises networks to a single gateway [4]. Amazon VPC is a service that lets you provision a logically isolated section of the AWS Cloud where you can launch AWS resources in a virtual network that you define [5].
References: Achieve up to 60% better performance for internet traffic with AWS Global Accelerator; Improving Performance on AWS and Hybrid Networks; Route tables; AWS Transit Gateway; Amazon Virtual Private Cloud (VPC)
Question # 26
A company wants to establish a schedule for rotating database user credentials. Which AWS service will support this requirement with the LEAST amount of operational overhead?
A. AWS Systems Manager B. AWS Secrets Manager C. AWS License Manager D. AWS Managed Services
Answer: B
Explanation: AWS Secrets Manager is a service that helps you protect access to your applications, services, and IT resources. This service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation with built-in integration for Amazon RDS, Amazon Redshift, Amazon DocumentDB, and other AWS services [1]. You can also extend Secrets Manager to rotate other types of secrets, such as credentials for Oracle, SQL Server, or MongoDB databases, by using custom AWS Lambda functions [2]. Secrets Manager enables you to control access to secrets using fine-grained permissions and audit secret rotation centrally for resources in the AWS Cloud, third-party services, and on-premises [3]. Therefore, AWS Secrets Manager supports the requirement of rotating database user credentials with the least amount of operational overhead, compared to the other options.
References: What Is AWS Secrets Manager? - AWS Secrets Manager; Rotating Your AWS Secrets Manager Secrets - AWS Secrets Manager; AWS Secrets Manager Features - AWS Secrets Manager
Question # 27
A company wants to provide managed Windows virtual desktops and applications to its remote employees over secure network connections. Which AWS services can the company use to meet these requirements? (Select TWO.)
A. Amazon Connect B. Amazon AppStream 2.0 C. Amazon WorkSpaces D. AWS Site-to-Site VPN E. Amazon Elastic Container Service (Amazon ECS)
Answer: B,C
Explanation: Amazon AppStream 2.0 and Amazon WorkSpaces are AWS services that can be used to provide managed Windows virtual desktops and applications to remote employees over secure network connections. Amazon AppStream 2.0 is a fully managed application streaming service that allows users to access Windows desktop applications from any device, without installing or managing any software. Amazon AppStream 2.0 delivers applications over an encrypted connection and isolates them from the underlying infrastructure, ensuring security and compliance [1]. Amazon WorkSpaces is a fully managed desktop virtualization service that allows users to access Windows or Linux desktops from any device, with a consistent user experience. Amazon WorkSpaces provides persistent, cloud-based virtual desktops that can be customized and scaled according to the user's needs. Amazon WorkSpaces also offers encryption, backup, and monitoring features to ensure security and reliability [2].
References: Amazon AppStream 2.0; Amazon WorkSpaces
Question # 28
Which option is a customer responsibility when using Amazon DynamoDB under the AWS Shared Responsibility Model?
A. Physical security of DynamoDB B. Patching of DynamoDB C. Access to DynamoDB tables D. Encryption of data at rest in DynamoDB
Answer: C
Explanation: According to the AWS Shared Responsibility Model, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. This means that AWS is responsible for protecting the infrastructure that runs AWS services, such as DynamoDB, while the customer is responsible for properly configuring the security of the provided service. For abstracted services, such as DynamoDB, the customer is primarily responsible for managing their data, classifying their assets, and using IAM tools to apply the appropriate permissions [1][2]. Therefore, the customer is responsible for controlling the access to DynamoDB tables, such as by creating IAM policies, roles, and users, and using encryption and authentication mechanisms [3].
References: Shared Responsibility Model - Amazon Web Services (AWS); Security and compliance in Amazon DynamoDB - Amazon DynamoDB; What is Shared Responsibility Model? - Check Point Software
Question # 29
A social media company wants to protect its web application from common web exploits such as SQL injections and cross-site scripting. Which AWS service will meet these requirements?
A. Amazon Inspector B. AWS WAF C. Amazon GuardDuty D. Amazon CloudWatch
Answer: B
Explanation: AWS WAF is a web application firewall service that helps protect web applications from common web exploits that could affect availability, compromise security, or consume excessive resources. AWS WAF gives you control over which traffic to allow or block to your web applications by defining customizable web security rules. You can use AWS WAF to create rules that block common attack patterns, such as SQL injection or cross-site scripting, and rules that filter out specific traffic patterns you define [1]. AWS WAF also integrates with other AWS services, such as Amazon CloudFront, Amazon API Gateway, AWS AppSync, and AWS Load Balancer, to provide a comprehensive defense against web attacks [2]. Therefore, AWS WAF meets the requirements of the social media company, compared to the other options.
The other options are not suitable for the social media company's requirements, because:
Amazon Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS. Amazon Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. However, Amazon Inspector does not provide a web application firewall service that can block malicious web requests [3].
Amazon GuardDuty is a threat detection service that continuously monitors for malicious activity and unauthorized behavior to protect your AWS accounts, workloads, and data stored in Amazon S3. Amazon GuardDuty analyzes and processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs, and DNS logs. However, Amazon GuardDuty does not provide a web application firewall service that can block malicious web requests [4].
Amazon CloudWatch is a monitoring and observability service that provides data and actionable insights to monitor your applications, respond to system-wide performance changes, optimize resource utilization, and get a unified view of operational health. Amazon CloudWatch collects monitoring and operational data in the form of logs, metrics, and events, and visualizes it using automated dashboards, alarms, and notifications. However, Amazon CloudWatch does not provide a web application firewall service that can block malicious web requests.
References: What Is AWS WAF? - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced; AWS WAF Features - AWS WAF, AWS Firewall Manager, and AWS Shield Advanced; What Is Amazon Inspector? - Amazon Inspector; What Is Amazon GuardDuty? - Amazon GuardDuty; What Is Amazon CloudWatch? - Amazon CloudWatch
Question # 30
Which AWS service or feature allows users to create new AWS accounts, group multiple accounts to organize workflows, and apply policies to groups of accounts?
A. AWS Identity and Access Management (IAM) B. AWS Trusted Advisor C. AWS CloudFormation D. AWS Organizations
Answer: D
Explanation: AWS Organizations is the AWS service or feature that allows users to create new AWS accounts, group multiple accounts to organize workflows, and apply policies to groups of accounts. AWS Organizations enables users to centrally manage and govern their AWS environment across multiple accounts. Users can create organizational units (OUs) to group accounts based on their business needs, such as by function, project, or region. Users can also apply service control policies (SCPs) to OUs or individual accounts to define the permissions and restrictions for the AWS services and resources that they can access. AWS Organizations also offers features such as consolidated billing, account creation automation, and trusted access [1][2].
References: AWS Organizations; What is AWS Organizations?
Question # 31
Which option is a benefit of the economies of scale based on the advantages of cloud computing?
A. The ability to trade variable expense for fixed expense B. Increased speed and agility C. Lower variable costs over fixed costs D. Increased operational costs across data centers
Answer: B
Explanation: Economies of scale are the cost advantages that result from increasing the scale of production or operation. In cloud computing, economies of scale are achieved by pooling resources and sharing them among multiple users, which reduces the unit cost of computing and storage. One of the benefits of economies of scale in cloud computing is increased speed and agility, which means the ability to deploy applications faster and respond to changing business needs more quickly. Cloud computing allows users to access computing resources on demand, without having to invest in expensive infrastructure or wait for lengthy provisioning processes. This enables users to scale up or down as needed, experiment with new ideas, and deliver value to customers faster [1][2][3].
References: Economics of Cloud Computing - GeeksforGeeks; What is Cloud Economics? | VMware Glossary; ECONOMIES OF SCALE WITH CLOUD COMPUTING & SERVICES PRACTICE - IDC-Online
Question # 32
A company wants to migrate its applications to the AWS Cloud. The company plans to identify and prioritize any business transformation opportunities and evaluate its AWS Cloud readiness. Which AWS service or tool should the company use to meet these requirements?
A. AWS Cloud Adoption Framework (AWS CAF) B. AWS Managed Services (AMS) C. AWS Well-Architected Framework D. AWS Migration Hub
Answer: A
Explanation: AWS Cloud Adoption Framework (AWS CAF) is a set of best practices, tools, and guidance that helps organizations get started with cloud technologies. AWS CAF helps organizations identify and prioritize transformation opportunities, evaluate and improve their cloud readiness, and iteratively evolve their transformation roadmap. AWS CAF groups its capabilities in six perspectives: Business, People, Governance, Platform, Security, and Operations. Each perspective comprises a set of capabilities that functionally related stakeholders own or manage in the cloud transformation journey [1].
AWS Managed Services (AMS) is a service that operates AWS infrastructure on behalf of customers, providing a secure AWS Landing Zone, features that help meet various compliance program requirements, a proven enterprise operating model, on-going cost optimization, and day-to-day infrastructure management. AMS does not help customers identify and prioritize business transformation opportunities or evaluate their cloud readiness [2].
AWS Well-Architected Framework is a set of six pillars and lenses that help cloud architects design and run workloads in the cloud. It provides a consistent approach for customers and AWS Partners to evaluate and implement designs that scale with their needs. AWS Well-Architected Framework helps customers understand the pros and cons of decisions they make while building systems on AWS, but it does not help them identify and prioritize business transformation opportunities [3].
AWS Migration Hub is a tool that lets customers discover, plan, and track their existing servers and applications for migration to AWS. It offers journey templates, cross-team collaboration, application and server discovery, strategy recommendations, orchestration and simple dashboard. AWS Migration Hub simplifies the migration and modernization process, but it does not help customers identify and prioritize business transformation opportunities or evaluate their cloud readiness [4].
References: 1: AWS Cloud Adoption Framework; 2: Cloud Management Services - AWS Managed Services - AWS; 3: AWS Well-Architected - Build secure, efficient cloud applications; 4: Cloud Inventory Management - AWS Migration Hub - AWS
Question # 33
A company has deployed applications on Amazon EC2 instances. The company needs to assess application vulnerabilities and must identify infrastructure deployments that do not meet best practices. Which AWS service can the company use to meet these requirements?
A. AWS Trusted Advisor B. Amazon Inspector C. AWS Config D. Amazon GuardDuty
Answer: B
Explanation: Amazon Inspector is a service that provides automated security assessment and management for AWS resources, such as Amazon EC2 instances. Amazon Inspector can scan applications for common vulnerabilities, such as SQL injection, cross-site scripting, and remote code execution. Amazon Inspector can also check the configuration of AWS resources against security best practices, such as the CIS Benchmarks and the AWS Security Best Practices. Amazon Inspector can help customers identify and remediate security issues, comply with security standards, and improve the security posture of their AWS environment [1][2].
References: Amazon Inspector; Improved, Automated Vulnerability Management for Cloud Workloads with a New Amazon Inspector | AWS News Blog
Question # 34
Which AWS service or feature can be used to create a private connection between an on-premises workload and an AWS Cloud workload?
A. Amazon Route 53 B. Amazon Macie C. AWS Direct Connect D. AWS PrivateLink
Answer: C
Explanation: AWS Direct Connect is a service that establishes a dedicated network connection between your on-premises network and one or more AWS Regions. AWS Direct Connect can be used to create a private connection between an on-premises workload and an AWS Cloud workload, bypassing the public internet and reducing network costs, latency, and bandwidth issues. AWS Direct Connect can also provide increased security and reliability for your hybrid cloud applications and data transfers.
References: AWS Direct Connect; What is AWS Direct Connect?; AWS Direct Connect User Guide
Question # 35
Which AWS service is used to provide encryption for Amazon EBS?
A. AWS Certificate Manager B. AWS Systems Manager C. AWS KMS D. AWS Config
Answer: C
Explanation: AWS KMS is the service that is used to provide encryption for Amazon EBS. AWS KMS is a managed service that enables you to easily create and control the encryption keys used to encrypt your data. Amazon EBS uses AWS KMS to encrypt and decrypt your EBS volumes and snapshots. You can choose to use either the default AWS managed CMK or your own customer managed CMK for encryption. AWS KMS also provides features such as key rotation, audit logging, and access control policies to help you manage your encryption keys and protect your data [1][2]. The other services are not used to provide encryption for Amazon EBS. AWS Certificate Manager is a service that lets you provision, manage, and deploy public and private SSL/TLS certificates for use with AWS services and your internal connected resources [3]. AWS Systems Manager is a service that provides a unified user interface to view and manage your AWS resources, automate common operational tasks, and apply compliance policies [4]. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources.
References: Amazon EBS encryption; AWS Key Management Service; AWS Certificate Manager; AWS Systems Manager; AWS Config
Question # 36
A company has a compute workload that is steady, predictable, and uninterruptible. Which Amazon EC2 instance purchasing options meet these requirements MOST cost-effectively? (Select TWO.)
A. On-Demand Instances B. Reserved Instances C. Spot Instances D. Savings Plans E. Dedicated Hosts
Answer: B,D
Explanation: Reserved Instances and Savings Plans are the most cost-effective purchasing options for a compute workload that is steady, predictable, and uninterruptible. Reserved Instances provide a significant discount compared to On-Demand Instances, and Savings Plans offer flexible and consistent savings on EC2 usage. Both options require a commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3 years. On-Demand Instances are suitable for short-term, irregular, or unpredictable workloads, but they are more expensive than Reserved Instances or Savings Plans. Spot Instances are the cheapest option, but they are not suitable for uninterruptible workloads, as they can be reclaimed by AWS at any time. Dedicated Hosts and Dedicated Instances are designed for compliance and licensing requirements, not for cost optimization. They are more expensive than the other options, as they run on single-tenant hardware.
References: Instance purchasing options; Amazon EC2 Pricing; 4 Ways to Purchase Amazon EC2 Instances
Question # 37
Which tool should a developer use to integrate AWS service features directly into an application?
A. AWS Software Development Kit B. AWS CodeDeploy C. AWS Lambda D. AWS Batch
Answer: A
Explanation: AWS Software Development Kit (SDK) is a set of platform-specific tools for developers that let them integrate AWS service features directly into their applications. AWS SDKs provide libraries, code samples, documentation, and other resources to help developers write code that interacts with AWS APIs. AWS SDKs support various programming languages, such as Java, Python, Ruby, .NET, Node.js, Go, and more. AWS SDKs make it easier for developers to access AWS services, such as Amazon S3, Amazon EC2, Amazon DynamoDB, AWS Lambda, and more, from their applications. AWS SDKs also handle tasks such as authentication, error handling, retries, and data serialization, so developers can focus on their application logic.
Question # 38
Which AWS service or tool can be used to set up a firewall to control traffic going into and coming out of an Amazon VPC subnet?
A. Security group B. AWS WAF C. AWS Firewall Manager D. Network ACL
Answer: D
Explanation: A network ACL (NACL) is an optional layer of security for your VPC that acts as a firewall for controlling traffic in and out of one or more subnets. You can create a network ACL and associate it with a subnet to apply rules that allow or deny traffic to or from the subnet. Network ACLs are stateless, meaning that they evaluate the source and destination IP addresses for both inbound and outbound traffic. You can also use network ACLs to block IP address ranges that are known to be malicious [1][2].
The other options are not AWS services or tools that can be used to set up a firewall to control traffic going into and coming out of an Amazon VPC subnet. Security groups are another layer of security for your VPC that act as a firewall for your EC2 instances. Security groups are stateful, meaning that they automatically allow return traffic for allowed inbound traffic. Security groups can only filter traffic based on protocols, ports, and source or destination IP addresses, not on IP ranges [3]. AWS WAF is a web application firewall that helps protect your web applications from common web exploits. AWS WAF can filter web requests based on rules that you define, such as IP addresses, HTTP headers, HTTP body, or URI strings. AWS WAF does not apply to non-web traffic or to traffic within a VPC [4]. AWS Firewall Manager is a service that helps you centrally configure and manage firewall rules across your accounts and resources in AWS Organizations. You can use Firewall Manager to apply AWS WAF rules, AWS Network Firewall policies, and Amazon VPC security groups across your AWS accounts. AWS Firewall Manager does not provide a firewall service itself, but rather helps you manage other firewall services.
Question # 39
Which of the following is a managed AWS service that is used specifically for extract, transform, and load (ETL) data?
A. Amazon Athena B. AWS Glue C. Amazon S3 D. AWS Snowball Edge
Answer: B
Explanation: AWS Glue is a serverless data integration service that makes it easy to discover, prepare, move, and integrate data from multiple sources for analytics, machine learning, and application development. You can use various data integration engines, such as ETL, ELT, batch, and streaming, and manage your data in a centralized data catalog. AWS Glue is designed specifically for extract, transform, and load (ETL) data, whereas the other options are not.
Question # 40
A company has a set of ecommerce applications. The applications need to be able to send messages to each other. Which AWS service meets this requirement?
A. AWS Auto Scaling B. Elastic Load Balancing C. Amazon Simple Queue Service (Amazon SQS) D. Amazon Kinesis Data Streams
Answer: C
Explanation: Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service that lets you send, store, and receive messages between software components at any volume, without losing messages or requiring other services to be available [1]. Amazon SQS is designed to provide a simple and reliable way for customers to decouple and connect components (microservices) together using queues [2]. Queues are an important mechanism for providing fault tolerance and scalability in distributed systems, and help decouple different parts of your application [3]. The other options are not AWS services that are used specifically for sending messages between applications.
Question # 41
Which pricing model will interrupt a running Amazon EC2 instance if capacity becomes temporarily unavailable?
A. On-Demand Instances B. Standard Reserved Instances C. Spot Instances D. Convertible Reserved Instances
Answer: C
Explanation: Spot Instances are a type of EC2 instance that let you bid on unused compute capacity, which AWS offers at a discount of up to 90% compared to On-Demand prices [1]. Spot Instances are suitable for fault-tolerant, stateless, or flexible applications that can handle interruptions [2]. Spot Instances can be interrupted with a two-minute warning when EC2 needs the capacity back [3]. The other options are not pricing models that will interrupt a running EC2 instance if capacity becomes temporarily unavailable.
Question # 42
Which tasks are the customer's responsibility, according to the AWS shared responsibility model? (Select TWO.)
A. Establish the global infrastructure. B. Perform client-side data encryption. C. Configure IAM credentials. D. Secure edge locations. E. Patch Amazon RDS DB instances.
Answer: B,C
Explanation: According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud. This means that AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, such as the global network, the hardware, the software, and the facilities. The customer is responsible for properly configuring the security of the provided service, such as the guest operating system, the application software, the data, and the network traffic. For abstracted services, such as Amazon RDS, AWS operates the infrastructure layer, the operating system, and the database software, while the customer is responsible for managing their data, classifying their assets, and using IAM tools to apply the appropriate permissions [1][2].
Therefore, the tasks that are the customer's responsibility are:
Perform client-side data encryption: The customer is responsible for encrypting their data before sending it to AWS, and decrypting it after receiving it from AWS. This ensures that the data is protected in transit and at rest. AWS provides various encryption options, such as AWS Key Management Service (AWS KMS), AWS CloudHSM, and AWS Certificate Manager (ACM) [3].
Configure IAM credentials: The customer is responsible for creating and managing IAM users, groups, roles, and policies that control the access to AWS resources and services. IAM credentials include user names, passwords, access keys, and permissions [4].
The tasks that are not the customer's responsibility are:
Establish the global infrastructure: AWS is responsible for building and maintaining the global network of regions, availability zones, and edge locations that provide low latency, high availability, and fault tolerance for the AWS Cloud [5].
Secure edge locations: AWS is responsible for protecting the physical security of the edge locations, which are sites that deliver cached content to end users with improved performance [6].
Patch Amazon RDS DB instances: AWS is responsible for applying patches and updates to the operating system and the database software of the Amazon RDS DB instances, which are managed relational database service for MySQL, PostgreSQL, Oracle, SQL Server, and Amazon Aurora.
References: Shared Responsibility Model - Amazon Web Services (AWS); Shared responsibility model - Amazon Web Services: Risk and Compliance; Encryption - Amazon Web Services (AWS); What Is IAM? - AWS Identity and Access Management; Global Infrastructure - Amazon Web Services (AWS); Amazon CloudFront Features - Content Delivery Network (CDN); What Is Amazon Relational Database Service (Amazon RDS)? - Amazon Relational Database Service
Question # 43
Which AWS Cloud benefit gives a company the ability to quickly deploy cloud resources to access compute, storage, and database infrastructures in a matter of minutes?
A. Elasticity B. Cost savings C. Agility D. Reliability
Answer: C Explanation: Agility is the AWS Cloud benefit that gives a company the ability to quickly deploy cloud resources to access compute, storage, and database infrastructures in a matter of minutes. Agility means that you can reduce the time to make IT resources available to your developers from weeks to just minutes, resulting in a dramatic increase in innovation and responsiveness [1]. AWS provides a range of services and tools that enable you to launch, scale, and manage your cloud applications with ease and speed, such as AWS CloudFormation, AWS Elastic Beanstalk, AWS CodeDeploy, and AWS Quick Starts [2][3][4][5]. References: Six advantages of cloud computing - Overview of Amazon Web Services, [AWS CloudFormation], [AWS Elastic Beanstalk], [AWS CodeDeploy], AWS Quick Starts
Question # 44
A network engineer needs to build a hybrid cloud architecture connecting on-premises networks to the AWS Cloud using AWS Direct Connect. The company has a few VPCs in a single AWS Region and expects to increase the number of VPCs to hundreds over time. Which AWS service or feature should the engineer use to simplify and scale this connectivity as the VPCs increase in number?
A. VPC endpoints B. AWS Transit Gateway C. Amazon Route 53 D. AWS Secrets Manager
Answer: B Explanation: AWS Transit Gateway is a network transit hub that you can use to interconnect your VPCs and on-premises networks through a central gateway. AWS Transit Gateway simplifies and scales the connectivity between your on-premises networks and AWS, as you only need to create and manage a single connection from the central gateway to each on-premises network, rather than individual connections to each VPC. You can also use AWS Transit Gateway to connect to other AWS services, such as Amazon S3, Amazon DynamoDB, and AWS PrivateLink [1][2]. AWS Transit Gateway supports thousands of VPCs per gateway, and enables you to peer Transit Gateways across AWS Regions [3]. The other options are not AWS services or features that can simplify and scale the connectivity between on-premises networks and hundreds of VPCs using AWS Direct Connect. VPC endpoints enable private connectivity between your VPCs and supported AWS services, but do not support on-premises networks [4]. Amazon Route 53 is a DNS service that helps you route internet traffic to your resources, but does not provide network connectivity [5]. AWS Secrets Manager is a service that helps you securely store and manage secrets, such as database credentials and API keys, but does not relate to network connectivity.
Question # 45
A company needs to evaluate its AWS environment and provide best practice recommendations in five categories: cost, performance, service limits, fault tolerance, and security. Which AWS service can the company use to meet these requirements?
A. AWS Shield B. AWS WAF C. AWS Trusted Advisor D. AWS Service Catalog
Answer: C Explanation: AWS Trusted Advisor is the service that can meet these requirements. AWS Trusted Advisor is a service that helps you optimize your AWS environment by providing recommendations based on AWS best practices. Trusted Advisor continuously evaluates your AWS resources and services across five categories: cost optimization, performance, service limits, fault tolerance, and security. You can view the recommendations on the Trusted Advisor console or access them programmatically using the Trusted Advisor API. You can also set up notifications and alerts for any changes in the status of your checks. Trusted Advisor can help you improve your AWS environment by reducing costs, enhancing performance, increasing security, and ensuring reliability [1][2]. The other services are not designed to provide best practice recommendations in five categories. AWS Shield is a service that protects your AWS resources from distributed denial-of-service (DDoS) attacks. AWS WAF is a service that helps you protect your web applications from common web exploits. AWS Service Catalog is a service that enables you to create and manage catalogs of IT services that are approved for use on AWS [3][4]. References: AWS Trusted Advisor, Achieve operational excellence with AWS Trusted Advisor, AWS Shield, AWS WAF, [AWS Service Catalog]
Question # 46
A company wants a customized assessment of its current on-premises environment. The company wants to understand its projected running costs in the AWS Cloud. Which AWS service or tool will meet these requirements?
A. AWS Trusted Advisor B. Amazon Inspector C. AWS Control Tower D. Migration Evaluator
Answer: D Explanation: Migration Evaluator is an AWS service that provides a customized assessment of your current on-premises environment and helps you build a data-driven business case for migration to AWS. Migration Evaluator collects and analyzes data from your on-premises servers, such as CPU, memory, disk, network, and utilization metrics, and compares them with the most cost-effective AWS alternatives. Migration Evaluator also helps you understand your existing software licenses and running costs, and provides recommendations for Bring Your Own License (BYOL) and License Included (LI) options in AWS. Migration Evaluator generates a detailed report that shows your projected running costs in the AWS Cloud, along with potential savings and benefits. You can use this report to support your decision-making and planning for cloud migration. References: Cloud Business Case & Migration Plan - Amazon Migration Evaluator - AWS, Getting started with Migration Evaluator
Question # 47
Which AWS service provides the ability to manage infrastructure as code?
A. AWS CodePipeline B. AWS CodeDeploy C. AWS Direct Connect D. AWS CloudFormation
Answer: D Explanation: The AWS service that provides the ability to manage infrastructure as code is AWS CloudFormation. Infrastructure as code is a process of defining and provisioning AWS resources using code or templates, rather than manual actions or scripts. AWS CloudFormation allows you to create and update stacks of AWS resources based on predefined templates that describe the desired state and configuration of the resources. AWS CloudFormation automates and simplifies the deployment and management of AWS resources, and ensures consistency and repeatability across different environments and regions. AWS CloudFormation also supports rollback, change sets, drift detection, and nested stacks features that help you to monitor and control the changes to your infrastructure [1].
Question # 48
A company wants to manage its AWS Cloud resources through a web interface. Which AWS service will meet this requirement?
A. AWS Management Console B. AWS CLI C. AWS SDK D. AWS Cloud
Answer: A Explanation: AWS Management Console is a web application that allows you to manage and monitor your AWS Cloud resources through a user-friendly interface. You can use the AWS Management Console to access and experiment with over 150 AWS services, view and modify your account and billing information, get in-console help from AWS Support, and customize your dashboard with widgets that display key metrics and information for your applications [5][6][7]. You can also use the AWS Management Console to launch and configure AWS resources using wizards and templates, without writing any code [5]. References: 5: Manage AWS Resources - AWS Management Console - AWS, 6: Getting Started with the AWS Management Console, 7: Manage AWS Resources - AWS Management Console Features - AWS
Question # 49
Which AWS services make use of global edge locations? (Select TWO.)
A. AWS Fargate B. Amazon CloudFront C. AWS Global Accelerator D. AWS Wavelength E. Amazon VPC
Answer: B,C Explanation: Amazon CloudFront and AWS Global Accelerator are two AWS services that make use of global edge locations. Edge locations are AWS sites that are deployed worldwide in major cities and places with a high population. Edge locations are used to cache data and reduce latency for end-user access [1]. Amazon CloudFront is a content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency and high transfer speeds. Amazon CloudFront uses a global network of over 200 edge locations and 13 regional edge caches to cache your content closer to your viewers, improving performance and reducing costs [2][3]. AWS Global Accelerator is a networking service that improves the availability and performance of your applications with local or global users. AWS Global Accelerator uses the AWS global network to route user traffic to the optimal endpoint based on health, performance, and policies. AWS Global Accelerator uses over 100 edge locations to bring your application endpoints closer to your users, reducing network hops and improving user experience [4][5]. References: 1: AWS for the Edge - Amazon Web Services (AWS), 2: Content Delivery Network (CDN) - Amazon CloudFront - AWS, 3: Amazon CloudFront Documentation, 4: AWS Global Accelerator - Amazon Web Services, 5: AWS Global Accelerator Documentation
Question # 50
A company is running and managing its own Docker environment on Amazon EC2 instances. The company wants an alternative to help manage cluster size, scheduling, and environment maintenance. Which AWS service meets these requirements?
A. AWS Lambda B. Amazon RDS C. AWS Fargate D. Amazon Athena
Answer: C Explanation: AWS Fargate is a serverless compute engine for containers that works with both Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes Service (Amazon EKS). AWS Fargate allows you to run containers without having to manage servers or clusters of Amazon EC2 instances. With AWS Fargate, you only pay for the compute resources you use to run your containers, and you don’t need to worry about scaling, patching, securing, or maintaining the underlying infrastructure. AWS Fargate simplifies the deployment and management of containerized applications, and enables you to focus on building and running your applications instead of managing the infrastructure. References: AWS Fargate, What is AWS Fargate?
Question # 51
Which AWS services or features give users the ability to create a network connection between two VPCs? (Select TWO.)
A. VPC endpoints B. Amazon Route 53 C. VPC peering D. AWS Direct Connect E. AWS Transit Gateway
Answer: C,E Explanation: VPC peering and AWS Transit Gateway are two AWS services or features that give users the ability to create a network connection between two VPCs. VPC peering is a networking connection between two VPCs that enables you to route traffic between them privately. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. Traffic between peered VPCs never traverses the public internet. VPC peering does not support transitive peering relationships, which means that if VPC A is peered with VPC B, and VPC B is peered with VPC C, then VPC A and VPC C are not automatically peered [7][8][9]. AWS Transit Gateway is a networking service that acts as a regional router for your VPCs and on-premises networks. You can attach up to 5,000 VPCs and VPN connections to a single transit gateway and route traffic between them. AWS Transit Gateway simplifies the management and scalability of your network architecture, as you only need to create and manage a single connection from the central transit gateway to each connected network. AWS Transit Gateway supports transitive routing, which means that any network that is attached to the transit gateway can communicate with any other network that is attached to the same transit gateway. References: 7: VPC peering - Amazon Virtual Private Cloud, 8: Connect VPCs using VPC peering - Amazon Virtual Private Cloud, 9: Amazon VPC-to-Amazon VPC connectivity options - Amazon Virtual Private Cloud, [AWS Transit Gateway - Amazon Web Services], [Connect VPCs using AWS Transit Gateway - Amazon Virtual Private Cloud], [AWS Transit Gateway: Simplify Your Network Architecture]
Question # 52
According to security best practices, how should an Amazon EC2 instance be given access to an Amazon S3 bucket?
A. Hard code an IAM user's secret key and access key directly in the application, and upload the file. B. Store the IAM user's secret key and access key in a text file on the EC2 instance, read the keys, then upload the file. C. Have the EC2 instance assume a role to obtain the privileges to upload the file. D. Modify the S3 bucket policy so that any service can upload to it at any time.
Answer: C Explanation: According to security best practices, the best way to give an Amazon EC2 instance access to an Amazon S3 bucket is to have the EC2 instance assume a role to obtain the privileges to upload the file. A role is an AWS Identity and Access Management (IAM) entity that defines a set of permissions for making AWS service requests. You can use roles to delegate access to users, applications, or services that don’t normally have access to your AWS resources. For example, you can create a role that allows EC2 instances to access S3 buckets, and then attach the role to the EC2 instance. This way, the EC2 instance can assume the role and obtain temporary security credentials to access the S3 bucket. This method is more secure and scalable than storing or hardcoding IAM user credentials on the EC2 instance, as it avoids the risk of exposing or compromising the credentials. It also allows you to manage the permissions centrally and dynamically, and to audit the access using AWS CloudTrail. For more information on how to create and use roles for EC2 instances, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances [1]. The other options are not recommended for security reasons. Hardcoding or storing IAM user credentials on the EC2 instance is a bad practice, as it exposes the credentials to potential attackers or unauthorized users who can access the instance or the application code. It also makes it difficult to rotate or revoke the credentials, and to track the usage of the credentials. Modifying the S3 bucket policy to allow any service to upload to it at any time is also a bad practice, as it opens the bucket to potential data breaches, data loss, or data corruption. It also violates the principle of least privilege, which states that you should grant only the minimum permissions necessary for a task. References: Using an IAM role to grant permissions to applications running on Amazon EC2 instances
Question # 53
Which of the following is an AWS Well-Architected Framework design principle for operational excellence in the AWS Cloud?
A. Go global in minutes B. Make frequent, small, reversible changes C. Implement a strong foundation of identity and access management D. Stop spending money on hardware infrastructure for data center operations
Answer: B Explanation: Making frequent, small, reversible changes is one of the design principles for operational excellence in the AWS Cloud, as defined by the AWS Well-Architected Framework. This principle means that you should design your workloads to allow for rapid and safe changes, such as deploying updates, rolling back failures, and experimenting with new features. By making small and reversible changes, you can reduce the risk of errors, minimize the impact of failures, and increase the speed of recovery [2]. References: 2: AWS Documentation - AWS Well-Architected Framework - Operational Excellence Pillar
Question # 54
A user has a stateful workload that will run on Amazon EC2 for the next 3 years. What is the MOST cost-effective pricing model for this workload?
A. On-Demand Instances B. Reserved Instances C. Dedicated Instances D. Spot Instances
Answer: B Explanation: Reserved Instances are a pricing model that offers significant discounts on Amazon EC2 usage compared to On-Demand Instances. Reserved Instances are suitable for stateful workloads that have predictable and consistent usage patterns for a long-term period. By committing to a one-year or three-year term, customers can reduce their total cost of ownership and optimize their cloud spend. Reserved Instances also provide capacity reservation, ensuring that customers have access to the EC2 instances they need when they need them. References: AWS Pricing Calculator, Amazon EC2 Pricing, [AWS Cloud Practitioner Essentials: Module 3 - Compute in the Cloud]
Question # 55
A company wants to integrate its online shopping website with social media login credentials. Which AWS service can the company use to make this integration?
A. AWS Directory Service B. AWS Identity and Access Management (IAM) C. Amazon Cognito D. AWS IAM Identity Center (AWS Single Sign-On)
Answer: C Explanation: Amazon Cognito is a service that enables you to add user sign-up and sign-in features to your web and mobile applications. Amazon Cognito also supports social and enterprise identity federation, which means you can allow your users to sign in with their existing credentials from identity providers such as Google, Facebook, Apple, and Amazon. Amazon Cognito integrates with OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) 2.0 protocols to facilitate the authentication and authorization process. Amazon Cognito also provides advanced security features, such as adaptive authentication, user verification, and multi-factor authentication (MFA). References: Amazon Cognito, What is Amazon Cognito?
Question # 56
Which maintenance task is the customer's responsibility, according to the AWS shared responsibility model?
A. Physical connectivity among Availability Zones B. Network switch maintenance C. Hardware updates and firmware patches D. Amazon EC2 updates and security patches
Answer: D Explanation: According to the AWS shared responsibility model, customers are responsible for managing their data, applications, operating systems, security groups, and other aspects of their AWS environment. This includes installing updates and security patches of the guest operating system and any application software or utilities installed by the customer on the instances. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, such as data centers, hardware, software, networking, and facilities. This includes the physical connectivity among Availability Zones, the network switch maintenance, and the hardware updates and
Question # 57
A company is using Amazon DynamoDB for its application database. Which tasks are the responsibility of AWS, according to the AWS shared responsibility model? (Select TWO.)
A. Classify data. B. Configure access permissions. C. Manage encryption options. D. Provide public endpoints to store and retrieve data. E. Manage the infrastructure layer and the operating system.
Answer: D,E Explanation: According to the AWS shared responsibility model, AWS is responsible for security of the cloud, while customers are responsible for security in the cloud. This means that AWS is responsible for protecting the infrastructure that runs AWS services, such as hardware, software, networking, and facilities. Customers are responsible for managing their data, classifying their assets, and using IAM tools to apply the appropriate permissions. For abstracted services, such as Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and provides customers with public endpoints to store and retrieve data. Customers are responsible for classifying their data, managing their encryption options, and configuring their access permissions. References: Shared Responsibility Model, Security and compliance in Amazon DynamoDB, [AWS Cloud Practitioner Essentials: Module 2 - Security in the Cloud]
Question # 58
A development team wants to deploy multiple test environments for an application in a fast repeatable manner. Which AWS service should the team use?
A. Amazon EC2 B. AWS CloudFormation C. Amazon QuickSight D. Amazon Elastic Container Service (Amazon ECS)
Answer: B Explanation: AWS CloudFormation is a service that allows you to model and provision your AWS resources using templates. You can define your infrastructure as code and automate the creation and update of your resources. AWS CloudFormation also supports nested stacks, change sets, and rollback features to help you manage complex and dynamic environments [3][4]. References: AWS CloudFormation, AWS Certified Cloud Practitioner Exam Guide
Question # 59
Which of the following services can be used to block network traffic to an instance? (Select TWO.)
A. Amazon OpenSearch Service B. AWS Control Tower C. AWS IAM Access Analyzer D. AWS Fargate
Answer: C Explanation: AWS IAM Access Analyzer is an AWS service that helps customers identify and review the resources in their AWS account that are shared with an external entity, such as another AWS account, a root user, an organization, or a public entity. AWS IAM Access Analyzer uses automated reasoning, a form of mathematical logic and inference, to analyze the resource-based policies in the account and generate comprehensive findings that show the access level, the source of the access, the affected resource, and the condition under which the access applies. Customers can use AWS IAM Access Analyzer to audit their shared resources, validate their access policies, and monitor any changes to the resource sharing status. References: AWS IAM Access Analyzer, Identify and review resources shared with external entities, How AWS IAM Access Analyzer works
Question # 60
Which of the following services can be used to block network traffic to an instance? (Select TWO.)
A. Security groups B. Amazon Virtual Private Cloud (Amazon VPC) flow logs C. Network ACLs D. Amazon CloudWatch E. AWS CloudTrail
Answer: A,C Explanation: Security groups and network ACLs are two AWS services that can be used to block network traffic to an instance. Security groups are virtual firewalls that control the inbound and outbound traffic for your instances at the instance level. You can specify which protocols, ports, and source or destination IP addresses are allowed or denied for each instance. Security groups are stateful, which means that they automatically allow return traffic for any allowed inbound or outbound traffic [1][2][3]. Network ACLs are virtual firewalls that control the inbound and outbound traffic for your subnets at the subnet level. You can create rules to allow or deny traffic based on protocols, ports, and source or destination IP addresses. Network ACLs are stateless, which means that you have to explicitly allow return traffic for any allowed inbound or outbound traffic [4][5][6]. References: 1: Security groups for your VPC - Amazon Virtual Private Cloud, 2: Security Groups for Your VPC - Amazon Elastic Compute Cloud, 3: AWS Security Groups: Everything You Need to Know, 4: Network ACLs - Amazon Virtual Private Cloud, 5: Control traffic to subnets using network ACLs - Amazon Virtual Private Cloud, 6: AWS Network ACLs: Everything You Need to Know
Question # 61
Which of the following is a fully managed MySQL-compatible database?
A. Amazon S3 B. Amazon DynamoDB C. Amazon Redshift D. Amazon Aurora
Answer: D Explanation: Amazon Aurora is a fully managed MySQL-compatible database that combines the performance and availability of traditional enterprise databases with the simplicity and cost-effectiveness of open-source databases. Amazon Aurora is part of the Amazon Relational Database Service (Amazon RDS) family, which means it inherits the benefits of a fully managed service, such as automated backups, patches, scaling, monitoring, and security. Amazon Aurora also offers up to five times the throughput of standard MySQL, as well as high availability, durability, and fault tolerance with up to 15 read replicas, cross-Region replication, and self-healing storage. Amazon Aurora is compatible with the latest versions of MySQL, as well as PostgreSQL, and supports various features and integrations that enhance its functionality and usability [1][2][3]. References: Amazon Aurora, Amazon RDS, AWS — Amazon Aurora Overview
Question # 62
A company wants to migrate its PostgreSQL database to AWS. The company does not use the database frequently. Which AWS service or resource will meet these requirements with the LEAST management overhead?
A. PostgreSQL on Amazon EC2 B. Amazon RDS for PostgreSQL C. Amazon Aurora PostgreSQL-Compatible Edition D. Amazon Aurora Serverless
Answer: D Explanation: Amazon Aurora Serverless is an on-demand, auto-scaling configuration for Amazon Aurora PostgreSQL-Compatible Edition. It is a fully managed service that automatically scales up and down based on the application’s actual needs. Amazon Aurora Serverless is suitable for applications that have infrequent, intermittent, or unpredictable database workloads, and that do not require the full power and range of options provided by provisioned Aurora clusters. Amazon Aurora Serverless eliminates the need to provision and manage database instances, and reduces the management overhead associated with database administration tasks such as scaling, patching, backup, and recovery. References: Amazon Aurora Serverless, Choosing between Aurora Serverless and provisioned Aurora DB clusters, [AWS Cloud Practitioner Essentials: Module 4 - Databases in the Cloud]
Question # 63
Which of the following actions are controlled with AWS Identity and Access Management (IAM)? (Select TWO.)
A. Control access to AWS service APIs and to other specific resources. B. Provide intelligent threat detection and continuous monitoring. C. Protect the AWS environment using multi-factor authentication (MFA). D. Grant users access to AWS data centers. E. Provide firewall protection for applications from common web attacks.
Answer: A,C Explanation: AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely. You can use IAM to perform the following actions:
- Control access to AWS service APIs and to other specific resources: You can create users, groups, roles, and policies that define who can access which AWS resources and how. You can also use IAM to grant temporary access to users or applications that need to perform certain tasks on your behalf [3].
- Protect the AWS environment using multi-factor authentication (MFA): You can enable MFA for your IAM users and root user to add an extra layer of security to your AWS account. MFA requires users to provide a unique authentication code from an approved device or SMS text message, in addition to their user name and password, when they sign in to AWS [4].
Question # 64
Which mechanism allows developers to access AWS services from application code?
A. AWS Software Development Kit B. AWS Management Console C. AWS CodePipeline D. AWS Config
Answer: A Explanation: AWS Software Development Kit (SDK) is a set of platform-specific building tools for developers. It allows developers to access AWS services from application code using familiar programming languages. It provides pre-built components and libraries that can be incorporated into applications, as well as tools to debug, monitor, and optimize performance [2]. References: What is SDK? - SDK Explained - AWS
Question # 65
A company has a physical tape library to store data backups. The tape library is running out of space. The company needs to extend the tape library's capacity to the AWS Cloud. Which AWS service should the company use to meet this requirement?
A. Amazon Elastic File System (Amazon EFS) B. Amazon Elastic Block Store (Amazon EBS) C. Amazon S3 D. AWS Storage Gateway
Answer: D Explanation: AWS Storage Gateway is a hybrid cloud storage service that provides on-premises access to virtually unlimited cloud storage. You can use AWS Storage Gateway to simplify storage management and reduce costs for key hybrid cloud storage use cases. One of these use cases is tape-based backup, which allows you to store data backups on virtual tapes in the AWS Cloud. You can use the Tape Gateway feature of AWS Storage Gateway to extend your existing physical tape library to the AWS Cloud. Tape Gateway provides a virtual tape infrastructure that scales seamlessly with your backup needs and eliminates the operational burden of provisioning, scaling, and maintaining a physical tape infrastructure [1][2][3]. References: 1: Cloud Storage Appliances, Hybrid Device - AWS Storage Gateway - AWS, 2: AWS Storage Gateway Documentation, 3: AWS Storage Gateway Features | Amazon Web Services
Question # 66
Which characteristic of the AWS Cloud helps users eliminate underutilized CPU capacity?
A. Agility B. Elasticity C. Reliability D. Durability
Answer: B Explanation: Elasticity is a characteristic of the AWS Cloud that helps users eliminate underutilized CPU capacity. Elasticity refers to the ability to dynamically provision and deprovision computing resources as per demand, ensuring that the application or service always has the required resources to operate efficiently. Elasticity helps users optimize performance and costs, as they only pay for the resources they use and avoid wasting resources when the demand is low [3][4][5]. References: 3: Which characteristic of the aws cloud helps users eliminate …, 4: AWS Elastic Load Balancing and Application Load Balancer, 5: Which characteristic of the AWS Cloud helps users eliminate …
Question # 67
What is a customer responsibility when using AWS Lambda according to the AWS shared responsibility model?
A. Managing the code within the Lambda function B. Confirming that the hardware is working in the data center C. Patching the operating system D. Shutting down Lambda functions when they are no longer in use
Answer: A Explanation: According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while customers are responsible for the security in the cloud. This means that AWS is responsible for the physical servers, networking, and operating system that run Lambda functions, while customers are responsible for the security of their code and AWS IAM to the Lambda service and within their function [1]. Customers need to manage the code within the Lambda function, such as writing, testing, debugging, deploying, and updating the code, as well as ensuring that the code does not contain any vulnerabilities or malicious code that could compromise the security or performance of the function [2][3]. References: 2: AWS Lambda - Amazon Web Services (AWS), 3: AWS Lambda Documentation, 1: Amazon CLF-C02: What is customer responsibility under AWS … - PUPUWEB
Question # 68
Which AWS services can a company use to achieve a loosely coupled architecture? (Select TWO.)
A. Amazon Workspaces B. Amazon Simple Queue Service (Amazon SQS) C. Amazon Connect D. AWS Trusted Advisor E. AWS Step Functions
Answer: B,E Explanation: Amazon Simple Queue Service (Amazon SQS) and AWS Step Functions are AWS services that can be used to achieve a loosely coupled architecture. Amazon SQS is a fully managed message queuing service that enables you to decouple and scale microservices, distributed systems, and serverless applications. AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly. Using Step Functions, you can design and run workflows that stitch together services such as AWS Lambda and Amazon SNS into feature-rich applications. References: Amazon SQS, AWS Step Functions
Question # 69
A company that has multiple business units wants to centrally manage and govern its AWS Cloud environments. The company wants to automate the creation of AWS accounts, apply service control policies (SCPs), and simplify billing processes. Which AWS service or tool should the company use to meet these requirements?
A. AWS Organizations B. Cost Explorer C. AWS Budgets D. AWS Trusted Advisor
Answer: A Explanation: AWS Organizations is an AWS service that enables you to centrally manage and govern your AWS Cloud environments across multiple business units. AWS Organizations allows you to create an organization that consists of AWS accounts that you create or invite to join. You can group your accounts into organizational units (OUs) and apply service control policies (SCPs) to them. SCPs are a type of policy that specify the maximum permissions for the accounts in your organization, and can help you enforce compliance and security requirements. AWS Organizations also simplifies billing processes by enabling you to consolidate and pay for all member accounts with a single payment method. You can also use AWS Organizations to automate the creation of AWS accounts by using APIs or AWS CloudFormation templates. References: What is AWS Organizations?, Policy-Based Management - AWS Organizations
Question # 70
A company is building an application that needs to deliver images and videos globally with minimal latency. Which approach can the company use to accomplish this in a cost-effective manner?
A. Deliver the content through Amazon CloudFront. B. Store the content on Amazon S3 and enable S3 cross-region replication. C. Implement a VPN across multiple AWS Regions. D. Deliver the content through AWS PrivateLink.
Answer: A Explanation: Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low latency, high transfer speeds, all within a developer-friendly environment. It works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon EC2 as origins for your applications, and Lambda@Edge to run custom code closer to customers’ users and to customize the user experience. By using CloudFront, you can cache your content at the edge locations that are closest to your end users, reducing the network latency and improving the performance of your application. CloudFront also offers a pay-as-you-go pricing model, so you only pay for the data transfer and requests that you use.
Question # 71
A company wants to allow users to authenticate and authorize multiple AWS accounts by using a single set of credentials. Which AWS service or resource will meet this requirem
A. AWS Organizations B. IAM user C. AWS IAM Identity Center (AWS Single Sign-On) D. AWS Control Tower
Answer: C Explanation: AWS IAM Identity Center (AWS Single Sign-On) is a cloud-based service that makes it easy to centrally manage single sign-on (SSO) access to multiple AWS accounts and business applications. You can use AWS SSO to enable your users to sign in to the AWS Management Console or the AWS Command Line Interface (AWS CLI) with their existing corporate credentials. You can also manage SSO access and user permissions across all your AWS accounts in AWS Organizations. References: AWS Single Sign-On - AWS Documentation, AWS Organizations - AWS Documentation
Question # 72
Which AWS service or feature allows a user to establish a dedicated network connection between a company's on-premises data center and the AWS Cloud?
A. AWS Direct Connect B. VPC peering C. AWS VPN D. Amazon Route 53
Answer: A Explanation: AWS Direct Connect is an AWS service that allows users to establish a dedicated network connection between their on-premises data center and the AWS Cloud. This connection bypasses the public internet and provides more predictable network performance, reduced bandwidth costs, and increased security. Users can choose from different port speeds and connection types, and use AWS Direct Connect to access AWS services in any AWS Region globally. Users can also use AWS Direct Connect in conjunction with AWS VPN to create a hybrid network architecture that combines the benefits of both private and public connectivity. References: AWS Direct Connect, [AWS Cloud Practitioner Essentials: Module 3 - Compute in the Cloud]
Question # 73
A company has deployed an application in the AWS Cloud. The company wants to ensure that the application is highly resilient. Which component of AWS infrastructure can the company use to meet this requirement?
A. Content delivery network (CDN) B. Edge locations C. Wavelength Zones D. Availability Zones
Answer: D Explanation: Availability Zones are components of AWS infrastructure that can help the company ensure that the application is highly resilient. Availability Zones are multiple, isolated locations within each AWS Region. Each Availability Zone has independent power, cooling, and physical security, and is connected to the other Availability Zones in the same Region via low-latency, high-throughput, and highly redundant networking. Availability Zones allow you to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
Question # 74
Which AWS service or feature identifies whether an Amazon S3 bucket or an IAM role has been shared with an external entity?
A. AWS Service Catalog B. AWS Systems Manager C. AWS IAM Access Analyzer D. AWS Organizations
Answer: C Explanation: AWS IAM Access Analyzer is a service that helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses logic-based reasoning to analyze the resource-based policies in your AWS environment. For each instance of a resource shared outside of your account, IAM Access Analyzer generates a finding. Findings include information about the access and the external principal granted to it [3][4][5]. References: 3: Using AWS Identity and Access Management Access Analyzer, 4: IAM Access Analyzer - Amazon Web Services (AWS), 5: Welcome - IAM Access Analyzer
Question # 75
What can a cloud practitioner use to retrieve AWS security and compliance documents and submit them as evidence to an auditor or regulator?
A. AWS Certificate Manager B. AWS Systems Manager C. AWS Artifact D. Amazon Inspector
Answer: C Explanation: AWS Artifact is a service that provides on-demand access to AWS security and compliance documents, such as AWS ISO certifications, Payment Card Industry (PCI) reports, and Service Organization Control (SOC) reports. You can download these documents and submit them as evidence to your auditors or regulators to demonstrate the security and compliance of the AWS infrastructure and services that you use. AWS Artifact also allows you to review, accept, and manage AWS agreements, such as the Business Associate Addendum (BAA) for customers who are subject to the Health Insurance Portability and Accountability Act (HIPAA). References: AWS Artifact, What is AWS Artifact?
Question # 76
A company wants to run its workload on Amazon EC2 instances for more than 1 year. This workload will run continuously. Which option offers a discounted hourly rate compared to the hourly rate of On-Demand Instances?
A. AWS Graviton processor B. Dedicated Hosts C. EC2 Instance Savings Plans D. Amazon EC2 Auto Scaling instances
Answer: C Explanation: EC2 Instance Savings Plans are a flexible pricing model that offers discounted hourly rates on Amazon EC2 instance usage for a 1 or 3 year term. EC2 Instance Savings Plans provide savings up to 72% off On-Demand rates, in exchange for a commitment to a specific instance family in a chosen AWS Region (for example, M5 in Virginia). These plans automatically apply to usage regardless of size (for example, m5.xlarge, m5.2xlarge, etc.), OS (for example, Windows, Linux, etc.), and tenancy (Host, Dedicated, Default) within the specified family in a Region. With an EC2 Instance Savings Plan, you can change your instance size within the instance family (for example, from c5.xlarge to c5.2xlarge) or the operating system (for example, from Windows to Linux), or move from Dedicated tenancy to Default and continue to receive the discounted rate provided by your EC2 Instance Savings Plan [4][5][6][7]. References: 4: Compute Savings Plans – Amazon Web Services, 5: What are Savings Plans? - Savings Plans, 6: How To Cut Your AWS Bill With Savings Plans
Question # 77
A company needs to migrate a PostgreSQL database from on-premises to Amazon RDS. Which AWS service or tool should the company use to meet this requirement?
A. Cloud Adoption Readiness Tool B. AWS Migration Hub C. AWS Database Migration Service (AWS DMS) D. AWS Application Migration Service
Answer: C Explanation: AWS Database Migration Service (AWS DMS) is a managed and automated service that helps you migrate your databases from your on-premises or cloud environment to AWS, either as a one-time migration or as a continuous replication. AWS DMS supports migration between 20-plus database and analytics engines, such as PostgreSQL, Oracle, MySQL, SQL Server, MongoDB, Amazon Aurora, Amazon RDS, Amazon Redshift, and Amazon S3. AWS DMS also provides schema conversion and validation tools, as well as monitoring and security features. AWS DMS is a cost-effective and reliable solution for database migration, as you only pay for the compute resources and additional log storage used during the migration process, and you can minimize the downtime and data loss with Multi-AZ and ongoing replication.
To migrate a PostgreSQL database from on-premises to Amazon RDS using AWS DMS, you need to perform the following steps:
1. Create an AWS DMS replication instance in the same AWS Region as your target Amazon RDS PostgreSQL DB instance. The replication instance is a server that runs the AWS DMS replication software and connects to your source and target endpoints. You can choose the instance type, storage, and network settings based on your migration requirements.
2. Create a source endpoint that points to your on-premises PostgreSQL database. You need to provide the connection details, such as the server name, port, database name, user name, and password. You also need to specify the engine name as postgres and the SSL mode as required.
3. Create a target endpoint that points to your Amazon RDS PostgreSQL DB instance. You need to provide the connection details, such as the server name, port, database name, user name, and password. You also need to specify the engine name as postgres and the SSL mode as verify-full.
4. Create a migration task that defines the migration settings and options, such as the replication instance, the source and target endpoints, the migration type (full load, full load and change data capture, or change data capture only), the table mappings, the task settings, and the task monitoring role. You can also use the AWS Schema Conversion Tool (AWS SCT) to convert your source schema to the target schema and apply it to the target endpoint before or after creating the migration task.
5. Start the migration task and monitor its progress and status using the AWS DMS console, the AWS CLI, or the AWS DMS API. You can also use AWS CloudFormation to automate the creation and execution of the migration task.
The other options are not suitable for migrating a PostgreSQL database from on-premises to Amazon RDS. Cloud Adoption Readiness Tool is a tool that helps you assess your readiness for cloud adoption based on six dimensions: business, people, process, platform, operations, and security. It does not perform any database migration tasks. AWS Migration Hub is a service that helps you track and manage the progress of your application migrations across multiple AWS and partner services, such as AWS DMS, AWS Application Migration Service, AWS Server Migration Service, and CloudEndure Migration. It does not perform any database migration tasks itself, but rather integrates with other migration services. AWS Application Migration Service is a service that helps you migrate your applications from your on-premises or cloud environment to AWS without making any changes to the applications, their architecture, or the migrated servers. It does not support database migration, but rather replicates your servers as Amazon Machine Images (AMIs) and launches them as EC2 instances on AWS.
References: AWS Database Migration Service, What is AWS Database Migration Service?, Working with an AWS DMS replication instance, Creating source and target endpoints for PostgreSQL, [Creating a target endpoint for Amazon RDS for PostgreSQL], [Creating a migration task for AWS DMS], [AWS Schema Conversion Tool], [Starting a migration task for AWS DMS], [AWS CloudFormation], [Cloud Adoption Readiness Tool], [AWS Migration Hub], [AWS Application Migration Service]
Question # 78
At what support level do users receive access to a support concierge?
A. Basic Support B. Developer Support C. Business Support D. Enterprise Support
Answer: D Explanation: Users receive access to a support concierge at the Enterprise Support level. A support concierge is a team of AWS billing and account experts that specialize in working with enterprise accounts. They can help users with billing and account inquiries, cost optimization, FinOps support, cost analysis, and prioritized answers to billing questions. The support concierge is included as part of the Enterprise Support plan, which also provides access to a Technical Account Manager (TAM), Infrastructure Event Management, AWS Trusted Advisor, and 24/7 technical support. References: AWS Support Plan Comparison, AWS Enterprise Support Plan, AWS Support Concierge
Question # 79
Which AWS service is always provided at no charge?
A. Amazon S3 B. AWS Identity and Access Management (IAM) C. Elastic Load Balancers D. AWS WAF
Answer: B Explanation: AWS Identity and Access Management (IAM) is a web service that helps you securely control access to AWS resources. You can use IAM to create and manage AWS users and groups, and use permissions to allow and deny their access to AWS resources. IAM is always provided at no charge [1][2]. References: 1: AWS Identity and Access Management (IAM) - Amazon Web Services (AWS), 2: Which aws service is always provided at no charge? - Brainly.in
Question # 80
A company must be able to develop, test, and launch an application in the AWS Cloud quickly. Which advantage of cloud computing will meet these requirements?
A. Stop guessing capacity B. Trade fixed expense for variable expense C. Achieve economies of scale D. Increase speed and agility
Answer: D Explanation: One of the benefits of cloud computing is that it enables customers to increase speed and agility in developing, testing, and launching applications. Cloud computing provides on-demand access to a variety of IT resources, such as compute, storage, networking, databases, and analytics, without requiring upfront investments or long-term commitments. Customers can provision and release resources in minutes, scale up and down as needed, and experiment with new technologies and features. This allows customers to accelerate their innovation cycles, deliver faster time-to-market, and respond to changing customer needs and demands.
Question # 81
A company wants to run a NoSQL database on Amazon EC2 instances. Which task is the responsibility of AWS in this scenario?
A. Update the guest operating system of the EC2 instances B. Maintain high availability at the database layer C. Patch the physical infrastructure that hosts the EC2 instances D. Configure the security group firewall
Answer: C Explanation: When you run a NoSQL database on Amazon EC2 instances, you are responsible for managing the database layer and the guest operating system of the instances. This means that you need to perform tasks such as updating the operating system, maintaining high availability, and configuring the security group firewall. AWS is responsible for managing the physical infrastructure that hosts the EC2 instances. This means that AWS ensures that the hardware and firmware of the servers, routers, switches, and other devices are updated and secure. AWS also handles the power, cooling, networking, and security of the data centers. References: CLF-C02: Which task is responsibility of AWS to run NoSQL database on …, Best Practices for Hosting NoSQL Databases on Amazon EC2
Question # 82
Which service enables customers to audit API calls in their AWS accounts?
A. AWS CloudTrail B. AWS Trusted Advisor C. Amazon Inspector D. AWS X-Ray
Answer: A Explanation: AWS CloudTrail is a service that provides a record of actions taken by a user, role, or an AWS service in your AWS account. CloudTrail captures all API calls for AWS services as events, including calls from the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services. You can use CloudTrail to monitor, audit, and troubleshoot your AWS account activity. AWS Trusted Advisor is a service that provides best practices recommendations for cost optimization, performance, security, and fault tolerance in your AWS account. Amazon Inspector is a service that helps you improve the security and compliance of your applications deployed on AWS by automatically assessing them for vulnerabilities and deviations from best practices. AWS X-Ray is a service that helps you analyze and debug your applications by collecting data about the requests that your application serves, and providing tools to view, filter, and gain insights into that data. References: Logging AWS Audit Manager API calls with CloudTrail, Logging AWS Account Management API calls using AWS CloudTrail, Review API calls in your AWS account using CloudTrail, Monitor the usage of AWS API calls using Amazon CloudWatch, Which service enables customers to audit API calls in their AWS …
Question # 83
Which options are AWS Cloud Adoption Framework (AWS CAF) security perspective capabilities? (Select TWO.)
A. Observability B. Incident and problem management C. Incident response D. Infrastructure protection E. Availability and continuity
Answer: C,D Explanation: The AWS Cloud Adoption Framework (AWS CAF) security perspective helps users achieve the confidentiality, integrity, and availability of their data and cloud workloads. It comprises nine capabilities that are grouped into three categories: preventive, detective, and responsive. Incident response and infrastructure protection are two of the capabilities in the responsive and preventive categories, respectively. Incident response helps users prepare for and respond to security incidents in a timely and effective manner, using tools and processes that leverage AWS features and services. Infrastructure protection helps users implement security controls and mechanisms to protect their cloud resources, such as network, compute, storage, and database, from unauthorized access or malicious attacks. References: Security perspective: compliance and assurance, AWS Cloud Adoption Framework
Question # 84
A company is migrating its applications from on-premises to the AWS Cloud. The company wants to ensure that the applications are assigned only the minimum permissions that are needed to perform all operations. Which AWS service will meet these requirements?
A. AWS Identity and Access Management (IAM) B. Amazon CloudWatch C. Amazon Macie D. Amazon GuardDuty
Answer: A Explanation: AWS Identity and Access Management (IAM) is a service that helps you securely control access to AWS resources for your users. You use IAM to control who can use your AWS resources (authentication) and what resources they can use and in what ways (authorization). IAM also enables you to follow the principle of least privilege, which means granting only the permissions that are necessary to perform a task. References: AWS Identity and Access Management (IAM) - AWS Documentation
Question # 85
Which AWS service could an administrator use to provide desktop environments for several employees?
A. AWS Organizations B. AWS Fargate C. AWS WAF D. AWS Workspaces
Answer: D Explanation: AWS Workspaces is a service that provides fully managed, secure, and reliable virtual desktops for your employees. You can access your personal Windows environment on various devices, such as Android, iOS, Fire, Mac, PC, Chromebook, and Linux. You can choose from different bundles of CPU, memory, storage, and software options to suit your needs. You can also integrate AWS Workspaces with your existing Active Directory, VPN, and security policies. AWS Workspaces helps you reduce the cost and complexity of managing your desktop infrastructure, while enhancing the productivity and security of your remote workers [4][5][6]. References: 4: Amazon WorkSpaces Client Download, 5: VDI Desktops - Amazon WorkSpaces Family - AWS, 6: Amazon WorkSpaces
Question # 86
A company needs to block SQL injection attacks. Which AWS service or feature can meet this requirement?
A. AWS WAF B. AWS Shield C. Network ACLs D. Security groups
Answer: A Explanation: AWS WAF is a web application firewall that helps protect web applications from common web exploits, such as SQL injection attacks. It allows customers to create custom rules that block malicious requests. AWS Shield is a managed service that protects against distributed denial of service (DDoS) attacks, not SQL injection attacks. Network ACLs and security groups are network-level security features that filter traffic based on IP addresses and ports, not web requests or SQL queries. References: [AWS WAF], [AWS Shield], [Network ACLs], [Security groups]
Question # 87
A company wants durable storage for static content and infinitely scalable data storage infrastructure at the lowest cost. Which AWS service should the company choose?
A. Amazon Elastic Block Store (Amazon EBS) B. Amazon S3 C. AWS Storage Gateway D. Amazon Elastic File System (Amazon EFS)
Answer: B Explanation: Amazon S3 is a service that provides durable storage for static content and infinitely scalable data storage infrastructure at the lowest cost. Amazon S3 is an object storage service that allows you to store and retrieve any amount of data from anywhere on the internet. Amazon S3 offers industry-leading scalability, availability, and performance, as well as 99.999999999% (11 9s) of durability and multi-AZ resilience. Amazon S3 also provides various storage classes that offer different levels of performance and cost optimization, such as S3 Standard, S3 Intelligent-Tiering, S3 Standard-Infrequent Access (S3 Standard-IA), S3 One Zone-Infrequent Access (S3 One Zone-IA), and S3 Glacier [4][5][6]. Amazon S3 is ideal for storing static content, such as images, videos, documents, and web pages, as well as building data lakes, backup and archive solutions, big data analytics, and machine learning applications [4][5][6]. References: 4: Cloud Storage on AWS, 5: Object Storage - Amazon Simple Storage Service (S3) - AWS, 6: Amazon S3 Documentation
Question # 88
A company wants to migrate its on-premises relational databases to the AWS Cloud. The company wants to use infrastructure as close to its current geographical location as possible. Which AWS service or resource should the company use to select its Amazon RDS deployment area?
A. Amazon Connect B. AWS Wavelength C. AWS Regions D. AWS Direct Connect
Answer: C Explanation: AWS Regions are the AWS service or resource that the company should use to select its Amazon RDS deployment area. AWS Regions are separate geographic areas where AWS clusters its data centers. Each AWS Region consists of multiple, isolated, and physically separate Availability Zones within a geographic area. Each AWS Region is designed to be isolated from the other AWS Regions to achieve the highest possible fault tolerance and stability. AWS provides a more extensive global footprint than any other cloud provider, and to support its global footprint and ensure customers are served across the world, AWS opens new Regions rapidly. AWS maintains multiple geographic Regions, including Regions in North America, South America, Europe, China, Asia Pacific, South Africa, and the Middle East. Amazon RDS is available in several AWS Regions worldwide. To create or work with an Amazon RDS DB instance in a specific AWS Region, you must use the corresponding regional service endpoint. You can choose the AWS Region that meets your latency or legal requirements. You can also use multiple AWS Regions to design a disaster recovery solution or to distribute your read workload. References: Global Infrastructure Regions & AZs - aws.amazon.com, Regions, Availability Zones, and Local Zones - Amazon Relational Database Service
Question # 89
What does the concept of agility mean in AWS Cloud computing? (Select TWO.)
A. The speed at which AWS resources are implemented B. The speed at which AWS creates new AWS Regions C. The ability to experiment quickly D. The elimination of wasted capacity E. The low cost of entry into cloud computing
Answer: A,C Explanation: Agility in AWS Cloud computing means the ability to rapidly provision and deprovision AWS resources as needed, and the ability to experiment quickly with new ideas and solutions. Agility helps businesses to respond to changing customer demands, market opportunities, and competitive threats, and to innovate faster and cheaper. Agility also reduces the risk of failure, as businesses can test and validate their assumptions before committing to large-scale deployments. Some of the benefits of agility in AWS Cloud computing are:
- The speed at which AWS resources are implemented: AWS provides a variety of services and tools that allow you to create, configure, and launch AWS resources in minutes, using the AWS Management Console, the AWS Command Line Interface (AWS CLI), the AWS Software Development Kits (AWS SDKs), or the AWS CloudFormation templates. You can also use the AWS Cloud Development Kit (AWS CDK) to define your AWS resources as code using familiar programming languages, and synthesize them into AWS CloudFormation templates. You can also use the AWS Service Catalog to create and manage standardized portfolios of AWS resources that meet your organizational policies and best practices. AWS also offers on-demand, pay-as-you-go pricing models, so you only pay for the resources you use, and you can scale them up or down as your needs change.
- The ability to experiment quickly: AWS enables you to experiment quickly with new ideas and solutions, without having to invest in upfront capital or long-term commitments. You can use AWS to create and test multiple prototypes, hypotheses, and minimum viable products (MVPs) in parallel, and measure their performance and feedback. You can also use AWS to leverage existing services and solutions, such as AWS Marketplace, AWS Solutions, and AWS Quick Starts, that can help you accelerate your innovation process. AWS also supports a culture of experimentation and learning, by providing tools and resources for continuous integration and delivery (CI/CD), testing, monitoring, and analytics.
References: Six advantages of cloud computing - Overview of Amazon Web Services, AWS Cloud Development Kit (AWS CDK), AWS Service Catalog, AWS Pricing, AWS CloudFormation, [Experimentation and Testing - AWS Well-Architected Framework], [AWS Marketplace], [AWS Solutions], [AWS Quick Starts], [AWS Developer Tools]
Question # 90
A company wants to migrate to AWS and use the same security software it uses on premises. The security software vendor offers its security software as a service on AWS. Where can the company purchase the security solution?
A. AWS Partner Solutions Finder B. AWS Support Center C. AWS Management Console D. AWS Marketplace
Answer: D Explanation: AWS Marketplace is an online store that helps customers find, buy, and immediately start using the software and services that run on AWS. Customers can choose from a wide range of software products in popular categories such as security, networking, storage, machine learning, business intelligence, database, and DevOps. Customers can also use AWS Marketplace to purchase software as a service (SaaS) solutions that are integrated with AWS. Customers can benefit from simplified procurement, billing, and deployment processes, as well as flexible pricing options and free trials. Customers can also leverage AWS Marketplace to discover and subscribe to solutions offered by AWS Partners, such as the security software vendor mentioned in the question. References: AWS Marketplace, [AWS Marketplace: Software as a Service (SaaS)], [AWS Cloud Practitioner Essentials: Module 6 - AWS Pricing, Billing, and Support]
Question # 91
Which AWS service can a company use to visually design and build serverless applications?
A. AWS Lambda B. AWS Batch C. AWS Application Composer D. AWS App Runner
Answer: C Explanation: AWS Application Composer is a service that allows users to visually design and build serverless applications. Users can drag and drop components, such as AWS Lambda functions, Amazon API Gateway endpoints, Amazon DynamoDB tables, and Amazon S3 buckets, to create a serverless application architecture. Users can also configure the properties, permissions, and dependencies of each component, and deploy the application to their AWS account with a few clicks. AWS Application Composer simplifies the design and configuration of serverless applications, and reduces the need to write code or use AWS CloudFormation templates. References: AWS Application Composer, AWS releases Application Composer to make serverless ‘easier’ but initial scope is limited
Question # 92
A company is hosting an application in the AWS Cloud. The company wants to verify that underlying AWS services and general AWS infrastructure are operating normally. Which combination of AWS services can the company use to gather the required information? (Select TWO.)
A. AWS Personal Health Dashboard B. AWS Systems Manager C. AWS Trusted Advisor D. AWS Service Health Dashboard E. AWS Service Catalog
Answer: A,D Explanation: AWS Personal Health Dashboard and AWS Service Health Dashboard are two AWS services that can help the company to verify that underlying AWS services and general AWS infrastructure are operating normally. AWS Personal Health Dashboard provides a personalized view into the performance and availability of the AWS services you are using, as well as alerts that are automatically triggered by changes in the health of those services. In addition to event-based alerts, Personal Health Dashboard provides proactive notifications of scheduled activities, such as any changes to the infrastructure powering
Question # 93
A company wants to migrate its on-premises workloads to the AWS Cloud. The company wants to separate workloads for chargeback to different departments. Which AWS services or features will meet these requirements? (Select TWO.)
A. Placement groups B. Consolidated billing C. Edge locations D. AWS Config E. Multiple AWS accounts
Answer: B,E Explanation: Consolidated billing is a feature of AWS Organizations that enables customers to consolidate billing and payment for multiple AWS accounts. With consolidated billing, customers can group multiple AWS accounts under one payer account, making it easier to manage billing and track costs across multiple accounts. Consolidated billing also offers benefits such as volume discounts, Reserved Instance discounts, and Savings Plans discounts. Consolidated billing is offered at no additional cost. Multiple AWS accounts is a feature of AWS Organizations that enables customers to create and manage multiple AWS accounts from a central location. With multiple AWS accounts, customers can isolate workloads for different departments, projects, or environments, and apply granular access controls and policies to each account. Multiple AWS accounts also helps customers improve security, compliance, and governance of their AWS resources [5][6]. References: 5: Consolidated billing for AWS Organizations - AWS Billing, 6: Understanding Consolidated Bills - AWS Billing, 7: AWS Consolidated Billing: Tutorial & Best Practices, 8: Simplifying Your Bills With Consolidated Billing on AWS - Aimably, 9: AWS Consolidated Billing - W3Schools
Question # 94
Which AWS service gives users the ability to discover and protect sensitive data that is stored in Amazon S3 buckets?
A. Amazon Macie B. Amazon Detective C. Amazon GuardDuty D. AWS IAM Access Analyzer
Answer: A Explanation: Amazon Macie is a data security and privacy service offered by AWS that uses machine learning and pattern matching to discover the sensitive data stored within Amazon S3. You can define your own custom type of sensitive data category that might be unique to your business or use case. Macie also provides you with dashboards and alerts that give you visibility into how your data is being accessed or moved. Macie helps you protect your data by enabling you to apply data protection techniques such as encryption, deletion, access control, and auditing. References: Strengthen the security of sensitive data stored in Amazon S3 by using additional AWS services, Security best practices for Amazon S3, Sensitive Data Protection on AWS, Sensitive Data Protection on Amazon Web Services
Question # 95
Which AWS Cloud Adoption Framework (AWS CAF) capability belongs to the people perspective?
A. Data architecture B. Event management C. Cloud fluency D. Strategic partnership
Answer: C Explanation: Cloud fluency is a capability that belongs to the people perspective of the AWS Cloud Adoption Framework (AWS CAF). Cloud fluency is the ability of the workforce to understand the benefits, challenges, and best practices of cloud computing, and to apply them to their roles and responsibilities. Cloud fluency helps the organization to adopt a cloud mindset, culture, and skills, and to leverage the full potential of the cloud. Cloud fluency can be achieved through various methods, such as training, certification, mentoring, coaching, and hands-on experience. Cloud fluency is one of the four capabilities of the people perspective, along with culture, organizational structure, and leadership. The other three capabilities belong to different perspectives of the AWS CAF. Data architecture is a capability of the platform perspective, which helps you design and implement data solutions that meet your business and technical requirements. Event management is a capability of the operations perspective, which helps you monitor and respond to events that affect the availability, performance, and security of your cloud resources. Strategic partnership is a capability of the business perspective, which helps you establish and maintain relationships with external stakeholders, such as customers, partners, suppliers, and regulators, to create value and achieve your business goals. References: AWS Cloud Adoption Framework: People Perspective, AWS CAF - Cloud Adoption Framework - W3Schools
Question # 96
Which AWS Cloud deployment model uses AWS Outposts as part of the application deployment infrastructure?
A. On-premises B. Serverless C. Cloud-native D. Hybrid
Answer: D Explanation: AWS Outposts is a fully managed service that extends AWS infrastructure, services, APIs, and tools to customer premises. By providing local access to AWS managed infrastructure, AWS Outposts enables customers to build and run applications on premises using the same programming interfaces as in AWS Regions, while using local compute and storage resources for lower latency and local data processing needs. An Outpost is a pool of AWS compute and storage capacity deployed at a customer site. AWS operates, monitors, and manages this capacity as part of an AWS Region. You can create subnets on your Outpost and specify them when you create AWS resources such as EC2 instances, EBS volumes, ECS clusters, and RDS instances. Instances in Outpost subnets communicate with other instances in the AWS Region using private IP addresses, all within the same VPC. Outposts solutions allow you to extend and run native AWS services on premises, and are available in a variety of form factors, from 1U and 2U Outposts servers to 42U Outposts racks, and multiple rack deployments. With AWS Outposts, you can run some AWS services locally and connect to a broad range of services available in the local AWS Region [2]. AWS Outposts is a hybrid cloud deployment model that uses AWS Outposts as part of the application deployment infrastructure. Hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and public cloud services with orchestration between the platforms. Hybrid cloud provides businesses with greater flexibility, more deployment options, and optimized costs. By using AWS Outposts, customers can benefit from the fully managed infrastructure, services, APIs, and tools of AWS on premises, while still having access to the full range of AWS services available in the Region for a truly consistent hybrid experience [3]. References: On-Premises Private Cloud - AWS Outposts Family - AWS, What is AWS Outposts? - AWS Outposts
Question # 97
Which of the following is a fully managed graph database service on AWS?
A. Amazon Aurora B. Amazon FSx C. Amazon DynamoDB D. Amazon Neptune
Answer: D Explanation: Amazon Neptune is a fully managed graph database service on AWS. A graph database is a type of database that stores and queries data as a network of nodes and edges, representing entities and relationships. Graph databases are useful for applications that deal with highly connected data, such as social networks, recommendation engines, fraud detection, and knowledge graphs [4][5]. Amazon Neptune is a fast, reliable, and scalable graph database service that supports two popular graph models: property graphs and RDF. Amazon Neptune also supports two open standards for querying graphs: Apache TinkerPop Gremlin and SPARQL. Amazon Neptune handles the heavy lifting of managing the database, such as provisioning, patching, backup, recovery, encryption, and replication [4][5][6]. References: 4: Managed Graph Database - Amazon Neptune - AWS, 5: Amazon Neptune – A Fully Managed Graph Database Service, 6: Working with AWS Neptune. Neptune is a fully-managed graph … - Medium
Question # 98
To reduce costs, a company is planning to migrate a NoSQL database to AWS. Which AWS service is fully managed and can automatically scale throughput capacity to meet database workload demands?
A. Amazon Redshift B. Amazon Aurora C. Amazon DynamoDB D. Amazon RDS
Answer: C Explanation: Amazon DynamoDB is a fully managed, serverless, key-value NoSQL database service that can deliver consistent, single-digit millisecond performance at any scale. DynamoDB can automatically scale throughput capacity to meet the demands of the database workload, without requiring any manual intervention. DynamoDB is ideal for NoSQL applications that need high performance, availability, and scalability. DynamoDB also offers features such as encryption at rest, point-in-time recovery, global tables, and in-memory caching. References: What is NoSQL?, Amazon DynamoDB, [AWS Cloud Practitioner Essentials: Module 4 - Databases in the Cloud]
Question # 99
A company is planning to host its workloads on AWS. Which AWS service requires the company to update and patch the guest operating system?
A. Amazon DynamoDB B. Amazon S3 C. Amazon EC2 D. Amazon Aurora
Answer: C Explanation: Amazon EC2 is an AWS service that provides scalable, secure, and resizable compute capacity in the cloud. Amazon EC2 allows customers to launch and manage virtual servers, called instances, that run a variety of operating systems and applications. Customers have full control over the configuration and management of their instances, including the guest operating system. Therefore, customers are responsible for updating and patching the guest operating system on their EC2 instances, as well as any other software or utilities installed on the instances. AWS provides tools and services, such as AWS Systems Manager and AWS OpsWorks, to help customers automate and simplify the patching process. References: Shared Responsibility Model, Shared responsibility model, [Amazon EC2]
Question # 100
A company wants to quickly implement a continuous integration/continuous delivery (CI/CD) pipeline. Which AWS service will meet this requirement?
A. AWS Config B. Amazon Cognito C. AWS DataSync D. AWS CodeStar
Answer: D Explanation: AWS CodeStar is a service that enables you to quickly develop, build, and deploy applications on AWS. It provides a unified user interface for managing your application lifecycle, including code repositories, build pipelines, deployments, and project dashboards. AWS CodeStar also integrates with other AWS services, such as AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline, to create a complete CI/CD pipeline for your application [1][2]. References: AWS CodeStar, AWS Certified Cloud Practitioner Exam Guide
Question # 101
A developer wants to deploy an application quickly on AWS without manually creating the required resources. Which AWS service will meet these requirements?
A. Amazon EC2 B. AWS Elastic Beanstalk C. AWS CodeBuild D. Amazon Personalize
Answer: B Explanation: AWS Elastic Beanstalk is a service that allows you to deploy and manage applications on AWS without manually creating and configuring the required resources, such as EC2 instances, load balancers, security groups, databases, and more. AWS Elastic Beanstalk automatically handles the provisioning, scaling, load balancing, health monitoring, and updating of your application, while giving you full control over the underlying AWS resources if needed. AWS Elastic Beanstalk supports a variety of platforms and languages, such as Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker. You can use the AWS Management Console, the AWS CLI, the AWS SDKs, or the AWS Elastic Beanstalk API to create and manage your applications. You can also use AWS CodeStar, AWS CodeCommit, AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline to integrate AWS Elastic Beanstalk with your development and deployment workflows [1][2].
Question # 102
A company website is experiencing DDoS attacks. Which AWS service can help protect the company website against these attacks?
A. AWS Resource Access Manager B. AWS Amplify C. AWS Shield D. Amazon GuardDuty
Answer: C Explanation: AWS Shield is a managed DDoS protection service that safeguards applications running on AWS from distributed denial of service (DDoS) attacks. DDoS attacks are malicious attempts to disrupt the normal functioning of a website or application by overwhelming it with a large volume of traffic from multiple sources. AWS Shield provides two tiers of protection: Standard and Advanced. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. It protects your AWS resources, such as Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53, from the most common and frequently occurring network and transport layer DDoS attacks. AWS Shield Advanced is an optional paid service that provides additional protection for your AWS resources and applications, such as Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon Simple Storage Service (Amazon S3), Amazon Relational Database Service (Amazon RDS), and AWS Elastic Beanstalk. AWS Shield Advanced offers enhanced detection and mitigation capabilities, 24/7 access to the AWS DDoS Response Team (DRT), real-time visibility and reporting, and cost protection against DDoS-related spikes in your AWS bill [1][2]. References: AWS Shield, What is a DDOS Attack & How to Protect Your Site Against One
Question # 103
A company wants to generate a list of IAM users. The company also wants to view the status of various credentials that are associated with the users, such as password, access keys, and multi-factor authentication (MFA) devices. Which AWS service or feature will meet these requirements?
A. IAM credential report B. AWS IAM Identity Center (AWS Single Sign-On) C. AWS Identity and Access Management Access Analyzer D. AWS Cost and Usage Report
Answer: A Explanation: An IAM credential report is a feature of AWS Identity and Access Management (IAM) that allows you to view and download a report that lists all IAM users in your account and the status of their various credentials, such as passwords, access keys, and MFA devices. You can use this report to audit the security status of your IAM users and ensure that they follow the best practices for credential management [1]. References: 1: AWS Documentation - IAM User Guide - Getting credential reports for your AWS account
Question # 104
Which AWS service supports a hybrid architecture that gives users the ability to extend AWS infrastructure, AWS services, APIs, and tools to data centers, co-location environments, or on-premises facilities?
A. AWS Snowmobile B. AWS Local Zones C. AWS Outposts D. AWS Fargate
Answer: C Explanation: AWS Outposts is a service that delivers AWS infrastructure and services to virtually any on-premises or edge location for a truly consistent hybrid experience. AWS Outposts allows you to extend and run native AWS services on premises, and is available in a variety of form factors, from 1U and 2U Outposts servers to 42U Outposts racks, and multiple rack deployments. With AWS Outposts, you can run some AWS services locally and connect to a broad range of services available in the local AWS Region. Run applications and workloads on premises using familiar AWS services, tools, and APIs [2]. AWS Outposts is the only AWS service that supports a hybrid architecture that gives users the ability to extend AWS infrastructure, AWS services, APIs, and tools to data centers, co-location environments, or on-premises facilities. References: On-Premises Infrastructure - AWS Outposts Family
Question # 105
Which cloud concept is demonstrated by using AWS Compute Optimizer?
A. Security validation B. Rightsizing C. Elasticity D. Global reach
Answer: B Explanation: Rightsizing is the cloud concept that is demonstrated by using AWS Compute Optimizer. Rightsizing is the process of adjusting the type and size of your cloud resources to match the optimal performance and cost for your workloads. AWS Compute Optimizer is a service that analyzes the configuration and utilization metrics of your AWS resources, such as Amazon EC2 instances, Amazon EBS volumes, AWS Lambda functions, and Amazon ECS services on AWS Fargate. It reports whether your resources are optimal, and generates optimization recommendations to reduce the cost and improve the performance of your workloads. AWS Compute Optimizer uses machine learning to analyze your historical utilization data and compare it with the most cost-effective AWS alternatives. You can use the recommendations to evaluate the trade-offs between cost and performance, and decide when to move or resize your resources to achieve the best results. References: Workload Rightsizing - AWS Compute Optimizer - AWS, What is AWS Compute Optimizer? - AWS Compute Optimizer
Question # 106
Which AWS service or resource provides answers to the most frequently asked security-related questions that AWS receives from its users?
A. AWS Artifact B. Amazon Connect C. AWS Chatbot D. AWS Knowledge Center
Answer: A Explanation: AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’s security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) attestation of compliance, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement (NDA). AWS Artifact helps you answer the most frequently asked security and compliance questions that AWS receives from its users. References: Compliance FAQ, Compliance Solutions Guide
Question # 107
A company wants to receive a notification when a specific AWS cost threshold is reached. Which AWS services or tools can the company use to meet this requirement? (Select TWO.)
A. Amazon Simple Queue Service (Amazon SQS) B. AWS Budgets C. Cost Explorer D. Amazon CloudWatch E. AWS Cost and Usage Report
Answer: B,D Explanation: AWS Budgets and Amazon CloudWatch are two AWS services or tools that the company can use to receive a notification when a specific AWS cost threshold is reached. AWS Budgets allows users to set custom budgets to track their costs and usage, and respond quickly to alerts received from email or Amazon Simple Notification Service (Amazon SNS) notifications if they exceed their threshold. Users can create cost budgets with fixed or variable target amounts, and configure their notifications for actual or forecasted spend. Users can also set up custom actions to run automatically or through an approval process when a budget target is exceeded. For example, users could automatically apply a custom IAM policy that denies them the ability to provision additional resources within an account. Amazon CloudWatch is a service that monitors applications, responds to performance changes, optimizes resource use, and provides insights into operational health. Users can use CloudWatch to collect and track metrics, which are variables they can measure for their resources and applications. Users can create alarms that watch metrics and send notifications or automatically make changes to the resources they are monitoring when a threshold is breached. Users can use CloudWatch to monitor their AWS costs and usage by creating billing alarms that send notifications when their estimated charges exceed a specified threshold amount. Users can also use CloudWatch to monitor their Reserved Instance (RI) or Savings Plans utilization and coverage, and receive notifications when they fall below a certain level. References: Cloud Cost And Usage Budgets - AWS Budgets, What is Amazon CloudWatch?, Creating a billing alarm - Amazon CloudWatch
Question # 108
Which AWS service is a cloud security posture management (CSPM) service that aggregates alerts from various AWS services and partner products in a standardized format?
A. AWS Security Hub B. AWS Trusted Advisor C. Amazon EventBridge D. Amazon GuardDuty
Answer: A Explanation: AWS Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables automated remediation. Security Hub collects findings from the security services enabled across your AWS accounts, such as intrusion detection findings from Amazon GuardDuty, vulnerability scans from Amazon Inspector, and sensitive data identification findings from Amazon Macie. Security Hub also collects findings from partner security products using a standardized AWS Security Finding Format, eliminating the need for time-consuming data parsing and normalization efforts. Customers can designate an administrator account that can access all findings across their accounts. References: AWS Security Hub Overview, AWS Security Hub FAQs
Question # 109
A company is migrating its workloads to the AWS Cloud. The company must retain full control of patch management for the guest operating systems that host its applications. Which AWS service should the company use to meet these requirements?
A. Amazon DynamoDB B. Amazon EC2 C. AWS Lambda D. Amazon RDS
Answer: B Explanation: Amazon EC2 is the AWS service that the company should use to meet its requirements of retaining full control of patch management for the guest operating systems that host its applications. Amazon EC2 is a service that provides secure, resizable compute capacity in the cloud. Users can launch virtual servers, called instances, that run various operating systems, such as Linux, Windows, macOS, and more. Users have full administrative access to their instances and can install and configure any software, including patches and updates, on their instances. Users are responsible for managing the security and maintenance of their instances, including patching the guest operating system and applications. Users can also use AWS Systems Manager to automate and simplify the patching process for their EC2 instances. AWS Systems Manager is a service that helps users manage their AWS and on-premises resources at scale. Users can use AWS Systems Manager Patch Manager to scan their instances for missing patches, define patch baselines and maintenance windows, and apply patches automatically or manually across their instances. Users can also use AWS Systems Manager to monitor the patch compliance status and patching history of their instances. References: What is Amazon EC2?, AWS Systems Manager Patch Manager
Question # 110
A customer runs an On-Demand Amazon Linux EC2 instance for 3 hours, 5 minutes, and 6 seconds. For how much time will the customer be billed?
A. 3 hours, 5 minutes B. 3 hours, 5 minutes, and 6 seconds C. 3 hours, 6 minutes D. 4 hours
Answer: C Explanation: Amazon EC2 usage is calculated by either the hour or the second based on the size of the instance, operating system, and the AWS Region where the instances are launched. Pricing is per instance-hour consumed for each instance, from the time an instance is launched until it’s terminated or stopped. Each partial instance-hour consumed is billed per-second for Linux instances and as a full hour for all other instance types [1]. Therefore, the customer will be billed for 3 hours and 6 minutes for running an On-Demand Amazon Linux EC2 instance for 3 hours, 5 minutes, and 6 seconds. References: Understand Amazon EC2 instance-hours billing
Question # 111
Which Amazon EC2 instance pricing model can provide discounts of up to 90%?
A. AWS Trusted Advisor B. AWS Consulting Partners C. AWS Artifacts D. AWS Managed Services
Answer: D Explanation: AWS Managed Services is a service that provides operational management for AWS infrastructure and applications. It helps users migrate their workloads to AWS and provides ongoing support, security, compliance, and automation. AWS Trusted Advisor is a service that provides best practices and recommendations for cost optimization, performance, security, and fault tolerance. AWS Consulting Partners are professional services firms that help customers design, architect, build, migrate, and manage their workloads and applications on AWS. AWS Artifacts is a service that provides on-demand access to AWS compliance reports and select online agreements.
Question # 112
Which Amazon EC2 instance pricing model can provide discounts of up to 90%?
A. Reserved Instances B. On-Demand C. Dedicated Hosts D. Spot Instances
Answer: D Explanation: Spot Instances are Amazon EC2 instances that are available at a discounted price compared to On-Demand pricing. Spot Instances use spare EC2 capacity that is not being used by other customers, and the price fluctuates based on supply and demand. Customers can request Spot Instances for their applications and specify the maximum price they are willing to pay per hour. If the Spot price is lower than the customer’s bid, the Spot Instance is launched and the customer pays the current Spot price. However, if the Spot price rises above the customer’s bid, the Spot Instance is terminated by AWS and the customer is charged for the partial hour of usage. Therefore, Spot Instances can provide discounts of up to 90% or more, but they are not suitable for applications that require continuous or predictable availability. Spot Instances are recommended for applications that are flexible, fault-tolerant, or have low priority, such as batch processing, data analysis, or testing and development.
Question # 113
A company has deployed an Amazon EC2 instance. Which option is an AWS responsibility under the AWS shared responsibility model?
A. Managing and encrypting application data B. Installing updates and security patches of guest operating system C. Configuration of infrastructure devices D. Configuration of security groups on each instance
Answer: C Explanation: According to the AWS shared responsibility model, AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, such as data centers, hardware, software, networking, and facilities [1]. This includes the configuration of infrastructure devices, such as routers, switches, firewalls, and load balancers [2]. Customers are responsible for managing their data, applications, operating systems, security groups, and other aspects of their AWS environment [1]. Therefore, options A, B, and D are customer responsibilities, not AWS responsibilities. References: 1: AWS Well-Architected Framework - Elasticity; 2: Reactive Systems on AWS - Elastic
Question # 114
An ecommerce company has migrated its IT infrastructure from an on-premises data center to the AWS Cloud. Which cost is the company's direct responsibility?
A. Cost of application software licenses B. Cost of the hardware infrastructure on AWS C. Cost of power for the AWS servers D. Cost of physical security for the AWS data center
Answer: A Explanation: The cost of application software licenses is the company’s direct responsibility when it migrates its IT infrastructure from an on-premises data center to the AWS Cloud. Application software licenses are the agreements that grant users the right to use specific software products, such as operating systems, databases, or applications. Depending on the type and terms of the license, users may need to pay a fee to the
Question # 115
A company needs a fully managed file server that natively supports Microsoft workloads and file systems. The file server must also support the SMB protocol. Which AWS service should the company use to meet these requirements?
A. Amazon Elastic File System (Amazon EFS) B. Amazon FSx for Lustre C. Amazon FSx for Windows File Server D. Amazon Elastic Block Store (Amazon EBS)
Answer: C Explanation: Amazon FSx for Windows File Server is a fully managed file server that supports Microsoft workloads and file systems, including the SMB protocol. It provides features such as user quotas, end-user file restore, and Microsoft Active Directory integration. Amazon EFS is a fully managed file system that supports the NFS protocol, not SMB. Amazon FSx for Lustre is a fully managed file system that supports high-performance computing workloads, not Microsoft workloads. Amazon EBS is a block storage service that does not provide a file system or SMB support. References: Amazon FSx for Windows File Server, Amazon FSx for Lustre, Amazon EFS, Amazon EBS
Question # 116
A company plans to migrate to the AWS Cloud. The company is gathering information about its on-premises infrastructure and requires information such as the hostname, IP address, and MAC address. Which AWS service will meet these requirements?
A. AWS DataSync B. AWS Application Migration Service C. AWS Application Discovery Service D. AWS Database Migration Service (AWS DMS)
Answer: C Explanation: AWS Application Discovery Service is a service that helps you plan your migration to the AWS Cloud by collecting usage and configuration data about your on-premises servers and databases. This data includes information such as the hostname, IP address, and MAC address of each server, as well as the performance metrics, network connections, and processes running on them. You can use AWS Application Discovery Service to discover your on-premises inventory, map the dependencies between servers and applications, and estimate the cost and effort of migrating to AWS. You can also export the data to other AWS services, such as AWS Migration Hub and AWS Database Migration Service, to support your migration tasks. AWS Application Discovery Service offers two ways of performing discovery: agentless discovery and agent-based discovery. Agentless discovery uses a virtual appliance that you deploy on your VMware vCenter to collect data from your virtual machines and hosts. Agent-based discovery uses an agent that you install on each of your physical or virtual servers to collect data. You can choose the method that best suits your environment and needs. AWS DataSync is a service that helps you transfer data between your on-premises storage and AWS storage services, such as Amazon S3, Amazon EFS, and Amazon FSx for Windows File Server. AWS DataSync does not collect information about your on-premises infrastructure, but rather focuses on optimizing the data transfer speed, security, and reliability. AWS Application Migration Service is a service that helps you migrate your applications from your on-premises or cloud environment to AWS without making any changes to the applications, their architecture, or the migrated servers. AWS Application Migration Service does not collect information about your on-premises infrastructure, but rather uses a lightweight agent to replicate your servers as Amazon Machine Images (AMIs) and launch them as EC2 instances on AWS. AWS Database Migration Service is a service that helps you migrate your databases from your on-premises or cloud environment to AWS, either as a one-time migration or as a continuous replication. AWS Database Migration Service does not collect information about your on-premises infrastructure, but rather uses a source and a target endpoint to connect to your databases and transfer the data. References: AWS Application Discovery Service, AWS DataSync, AWS Application Migration Service, [AWS Database Migration Service]
Question # 117
A company wants to grant users in one AWS account access to resources in another AWS account. The users do not currently have permission to access the resources. Which AWS service will meet this requirement?
A. IAM group B. IAM role C. IAM tag D. IAM Access Analyzer
Answer: B Explanation: IAM roles are a way to delegate access to resources in different AWS accounts. IAM roles allow users to assume a set of permissions for a limited time without having to create or share long-term credentials. IAM roles can be used to grant cross-account access by creating a trust relationship between the accounts and specifying the permissions that the role can perform. Users can then switch to the role and access the resources in the other account using temporary security credentials provided by the role. References: Cross account resource access in IAM, IAM tutorial: Delegate access across AWS accounts using IAM roles, How to Enable Cross-Account Access to the AWS Management Console
Question # 118
A company is storing sensitive customer data in an Amazon S3 bucket. The company wants to protect the data from accidental deletion or overwriting. Which S3 feature should the company use to meet these requirements?
A. S3 Lifecycle rules B. S3 Versioning C. S3 bucket policies D. S3 server-side encryption
Answer: B Explanation: S3 Versioning is a feature that allows you to keep multiple versions of an object in the same bucket. You can use S3 Versioning to protect your data from accidental deletion or overwriting by enabling it on a bucket or a specific object. S3 Versioning also allows you to restore previous versions of an object if needed. S3 Lifecycle rules are used to automate the transition of objects between storage classes or to expire objects after a certain period of time. S3 bucket policies are used to control access to the objects in a bucket. S3 server-side encryption is used to encrypt the data at rest in S3. References: S3 Versioning, S3 Lifecycle rules, S3 bucket policies, S3 server-side encryption
Question # 119
Which cloud computing advantage is a company applying when it uses AWS Regions to increase application availability to users in different countries?
A. Pay-as-you-go pricing B. Capacity forecasting C. Economies of scale D. Global reach
Answer: D Explanation: Global reach is a cloud computing advantage that a company can apply when it uses AWS Regions to increase application availability to users in different countries. Global reach refers to the ability to deploy applications and services in multiple geographic locations around the world, and to serve customers with low latency and high performance. AWS has the largest and most reliable global infrastructure of any cloud provider, with 25 Regions and 81 Availability Zones across the Americas, Europe, Asia Pacific, Africa, and the Middle East [1][2][3]. By using AWS Regions, a company can choose the best location for its application based on customer proximity, compliance requirements, and disaster recovery strategies [2][3]. References: 1: AWS Global Infrastructure - Amazon Web Services (AWS), 2: Regions and Availability Zones - Amazon Elastic Compute Cloud, 3: AWS Infrastructure: Regions and Availability Zones Explained
Question # 120
A user needs a relational database but does not have the resources to manage the hardware, resiliency, and replication. Which AWS service option meets the user's requirements?
A. Run MySQL on Amazon Elastic Container Service (Amazon ECS) B. Run MySQL on Amazon EC2 C. Choose Amazon RDS for MySQL D. Choose Amazon ElastiCache for Redis
Answer: C Explanation: Amazon RDS for MySQL is a fully managed, open-source cloud database service that allows you to easily operate and scale your relational database of choice, including MySQL. With Amazon RDS for MySQL, you don’t have to worry about the hardware, resiliency, and replication of your database, as Amazon RDS handles these tasks for you. Amazon RDS for MySQL also provides features such as automated backups, multi-AZ deployments, read replicas, encryption, monitoring, and more. Amazon RDS for MySQL is compatible with the MySQL Community Edition versions 5.7 and 8.0, which means that you can use the same code, applications, and tools that you already use with MySQL [4][5][6][7]. References: 4: Hosted MySQL - Amazon RDS for MySQL - AWS, 5: Amazon RDS for MySQL - Amazon Relational Database Service, 6: Amazon RDS for MySQL —, 7: Managed SQL Database - Amazon Relational Database Service (RDS) - AWS
Question # 121
Which of the following are pillars of the AWS Well-Architected Framework? (Select TWO)
A. High availability B. Performance efficiency C. Cost optimization D. Going global in minutes E. Continuous development
Answer: B,C Explanation: The AWS Well-Architected Framework is a set of six pillars and lenses that help cloud architects design and run workloads in the cloud. The six pillars are: operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. Each pillar has a set of design principles and best practices that guide the architectural decisions. High availability is not a separate pillar, but a quality that can be achieved by applying the principles of the reliability pillar. Going global in minutes and continuous development are not pillars of the framework, but possible benefits of using AWS services and following the framework’s recommendations. References: AWS Well-Architected - Build secure, efficient cloud applications, AWS Well-Architected Framework, The 6 Pillars of the AWS Well-Architected Framework
Question # 122
Elasticity in the AWS Cloud refers to which of the following? (Select TWO.)
A. How quickly an Amazon EC2 instance can be restarted B. The ability to rightsize resources as demand shifts C. The maximum amount of RAM an Amazon EC2 instance can use D. The pay-as-you-go billing model E. How easily resources can be procured when they are needed
Answer: B,E Explanation: Elasticity in the AWS Cloud refers to the ability to acquire resources as you need them and release resources when you no longer need them. In the cloud, you want to do this automatically [1]. This means that you can rightsize resources as demand shifts, and you can easily procure resources when they are needed. Elasticity is not related to how quickly an Amazon EC2 instance can be restarted, the maximum amount of RAM an Amazon EC2 instance can use, or the pay-as-you-go billing model. These are aspects of scalability, performance, and cost, respectively [2]. For more information on elasticity, you can refer to the following sources: Elasticity - AWS Well-Architected Framework, Elastic - Reactive Systems on AWS, What is the difference between scalability and elasticity?
Question # 123
A company wants to automatically add and remove Amazon EC2 instances. The company wants the EC2 instances to adjust to varying workloads dynamically. Which service or feature will meet these requirements?
A. Amazon DynamoDB B. Amazon EC2 Spot Instances C. AWS Snow Family D. Amazon EC2 Auto Scaling
Answer: D Explanation: Amazon EC2 Auto Scaling is a service that helps you maintain application availability and allows you to automatically add or remove EC2 instances according to definable conditions. You can create collections of EC2 instances, called Auto Scaling groups, and specify the minimum and maximum number of instances in each group. You can also define scaling policies that adjust the number of instances based on the demand on your application. Amazon EC2 Auto Scaling helps you improve the performance, reliability, and cost-efficiency of your EC2 workloads [1][2][3]. References: 1: VDI Desktops - Amazon WorkSpaces Family - AWS, 2: What is Amazon EC2 Auto Scaling? - Amazon EC2 Auto Scaling, 3: Discover Amazon EC2 Auto Scaling Unit | Salesforce Trailhead
Question # 124
A company wants to create a globally accessible ecommerce platform for its customers. The company wants to use a highly available and scalable DNS web service to connect users to the platform. Which AWS service will meet these requirements?
A. Amazon EC2 B. Amazon VPC C. Amazon Route 53 D. Amazon RDS
Answer: C Explanation: Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service that can route internet traffic to the company’s ecommerce platform [1]. Route 53 can also register domain names, check the health of resources, and provide global DNS features [2]. Route 53 can connect users to the platform by translating human-readable names like www.example.com into the numeric IP addresses that computers use to communicate with each other [2]. References: 1: Amazon Route 53 | DNS Service | AWS; 2: What is Amazon Route 53? - Amazon Route 53
Question # 125
A company needs a bridge between technology and business to help evolve to a culture of continuous growth and learning. Which perspective in the AWS Cloud Adoption Framework (AWS CAF) serves as this bridge?
A. People B. Governance C. Operations D. Security
Answer: A Explanation: The People perspective in the AWS Cloud Adoption Framework (AWS CAF) serves as a bridge between technology and business, accelerating the cloud journey to help organizations more rapidly evolve to a culture of continuous growth, learning, and where change becomes business-as-normal, with focus on culture, organizational structure, leadership, and workforce [1]. References: People Perspective - AWS Cloud Adoption Framework
Question # 126
Which AWS service or tool helps users visualize, understand, and manage spending and usage over time?
A. AWS Organizations B. AWS Pricing Calculator C. AWS Cost Explorer D. AWS Service Catalog
Answer: C Explanation: AWS Cost Explorer is the AWS service or tool that helps users visualize, understand, and manage spending and usage over time. AWS Cost Explorer is a web-based interface that allows users to access interactive graphs and tables that display their AWS costs and usage data. Users can create custom reports that analyze cost and usage data by various dimensions, such as service, region, account, tag, and more. Users can also view historical data for up to the last 12 months, forecast future costs for up to the next 12 months, and get recommendations for cost optimization. AWS Cost Explorer also provides preconfigured views that show common cost and usage scenarios, such as monthly spend by service, daily spend by linked account, and Reserved Instance utilization. Users can use AWS Cost Explorer to monitor their AWS spending and usage trends, identify cost drivers and anomalies, and optimize their resource allocation and budget planning. References: Cloud Cost Analysis - AWS Cost Explorer - AWS, Analyzing your costs with AWS Cost Explorer
Question # 127
Which of the following is a software development framework that a company can use to define cloud resources as code and provision the resources through AWS CloudFormation?
A. AWS CLI B. AWS Developer Center C. AWS Cloud Development Kit (AWS CDK) D. AWS CodeStar
Answer: C Explanation: AWS Cloud Development Kit (AWS CDK) is a software development framework that allows you to define cloud resources as code using familiar programming languages, such as TypeScript, Python, Java, .NET, and Go (in Developer Preview). You can use AWS CDK to model your application resources using high-level constructs that provide sensible defaults and best practices, or use low-level constructs that provide full access to the underlying AWS CloudFormation resources. AWS CDK synthesizes your code into AWS CloudFormation templates that you can deploy using the AWS CDK CLI or the AWS Management Console. AWS CDK also integrates with other AWS services, such as AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS Lambda, Amazon EC2, Amazon S3, and more, to help you automate your development and deployment processes. AWS CDK is an open-source framework that you can extend and contribute to. References: Cloud Development Framework - AWS Cloud Development Kit - AWS, AWS Cloud Development Kit Documentation, AWS Cloud Development Kit - Wikipedia, AWS CDK Intro Workshop | AWS CDK Workshop
Question # 128
A company wants to migrate its database to a managed AWS service that is compatible with PostgreSQL. Which AWS services will meet these requirements? (Select TWO)
A. Amazon Athena B. Amazon RDS C. Amazon EC2 D. Amazon DynamoDB E. Amazon Aurora
Answer: B,E Explanation: Amazon RDS and Amazon Aurora are both managed AWS services that support the PostgreSQL database engine. Amazon RDS makes it easier to set up, operate, and scale PostgreSQL deployments on the cloud, while Amazon Aurora is a cloud-native database engine that is compatible with PostgreSQL and offers higher performance and availability. Amazon Athena is a serverless query service that does not support PostgreSQL, but can analyze data in Amazon S3 using standard SQL. Amazon EC2 is a compute service that allows users to launch virtual machines, but does not provide any database management features. Amazon DynamoDB is a NoSQL database service that is not compatible with PostgreSQL, but offers fast and consistent performance at any scale. References: Hosted PostgreSQL - Amazon RDS for PostgreSQL - AWS, Amazon RDS for PostgreSQL - Amazon Relational Database Service, AWS PostgreSQL: Managed or Self-Managed? - NetApp, AWS Announces Amazon Aurora Supports PostgreSQL 12 InfoQ, Amazon Aurora vs PostgreSQL | What are the differences? - StackShare
Question # 129
A company wants to establish a private network connection between AWS and its corporate network. Which AWS service or feature will meet this requirement?
A. Amazon Connect B. Amazon Route 53 C. AWS Direct Connect D. VPC peering
Answer: C Explanation: AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections [1][2]. References: 1: Dedicated Network Connection - AWS Direct Connect - AWS, 2: What is AWS Direct Connect? - AWS Direct Connect
Question # 130
What is a benefit of using AWS serverless computing?
A. Application deployment and management are not required B. Application security will be fully managed by AWS C. Monitoring and logging are not needed D. Management of infrastructure is offloaded to AWS
Answer: D Explanation: AWS serverless computing is a way of building and running applications without thinking about servers. AWS manages the infrastructure for you, so you don’t have to provision, scale, patch, or monitor servers. You only pay for the compute time you consume, and you can focus on your application logic instead of managing servers [1][2]. References: Serverless Computing – Amazon Web Services, AWS Serverless Computing, Benefits, Architecture and Use-cases - XenonStack
Question # 131
A team of researchers is going to collect data at remote locations around the world. Many locations do not have internet connectivity. The team needs to capture the data in the field, and transfer it to the AWS Cloud later. Which AWS service will support these requirements?
A. AWS Outposts B. AWS Transfer Family C. AWS Snow Family D. AWS Migration Hub
Answer: C Explanation: AWS Snow Family is a group of devices that transport data in and out of AWS. AWS Snow Family devices are physical devices that can transfer up to exabytes of data. One exabyte is 1 000 000 000 000 megabytes. AWS Snow Family devices are designed for use in remote locations where internet connectivity is limited or unavailable. You can use these devices to collect and process data at the edge, and then ship them back to AWS for data upload. AWS Snow Family consists of three types of devices: AWS Snowcone, AWS Snowball, and AWS Snowmobile [1][2][3][4]. References: 1: Edge Computing Devices, Secure Data Transfer - AWS Snow Family - AWS, 2: AWS Snow Family Documentation, 3: AWS Snow Family - W3Schools, 4: AWS Snow Family: Data Storage, Migration, and Computation
Question # 132
Which AWS service or feature gives users the ability to capture information about network traffic in a VPC?
A. VPC Flow Logs B. Amazon Inspector C. VPC route tables D. AWS CloudTrail
Answer: A Explanation: VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data Firehose. You can use VPC Flow Logs to diagnose network issues, monitor traffic patterns, detect security anomalies, and comply with auditing requirements [3][4]. References: Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud, New – VPC Traffic Mirroring – Capture & Inspect Network Traffic | AWS News Blog
Question # 133
A company is running a monolithic on-premises application that does not scale and is difficult to maintain. The company has a plan to migrate the application to AWS and divide the application into microservices. Which best practice of the AWS Well-Architected Framework is the company following with this plan?
A. Integrate functional testing as part of AWS deployment. B. Use automation to deploy changes. C. Deploy the application to multiple locations. D. Implement loosely coupled dependencies.
Answer: D Explanation: The company is following the best practice of implementing loosely coupled dependencies by migrating the application to AWS and dividing the application into microservices. Loosely coupled dependencies are a design principle of the AWS Well-Architected Framework that helps to reduce the interdependencies between components and improve the scalability, reliability, and performance of the system. By breaking down the monolithic application into smaller, independent, and modular services, the company can reduce the complexity and maintenance costs, increase the agility and flexibility, and enable faster and more frequent deployments. AWS CloudFormation is an AWS service that provides the ability to manage infrastructure as code. Infrastructure as code is a process of defining and provisioning AWS resources using code or templates, rather than manual actions or scripts. AWS CloudFormation allows users to create and update stacks of AWS resources based on predefined templates that describe the desired state and configuration of the resources. AWS CloudFormation automates and simplifies the deployment and management of AWS resources, and ensures consistency and repeatability across different environments and regions. AWS CloudFormation also supports rollback, change sets, drift detection, and nested stacks features that help users to monitor and control the changes to their infrastructure. References: Implementing Loosely Coupled Dependencies, What is AWS CloudFormation?
Question # 134
A company wants to query its server logs to gain insights about its customers' experiences. Which AWS service will store this data MOST cost-effectively?
A. Amazon Aurora B. Amazon Elastic File System (Amazon EFS) C. Amazon Elastic Block Store (Amazon EBS) D. Amazon S3
Answer: D Explanation: Amazon S3 is an AWS service that provides scalable, durable, and cost-effective object storage in the cloud. Amazon S3 can store any amount and type of data, such as server logs, and offers various storage classes with different performance and pricing characteristics. Amazon S3 is the most cost-effective option for storing server logs, as it offers low-cost storage classes, such as S3 Standard-Infrequent Access (S3 Standard-IA) and S3 Intelligent-Tiering, that are suitable for infrequently accessed or changing access patterns data. Amazon S3 also integrates with other AWS services, such as Amazon Athena and Amazon OpenSearch Service, that can query the server logs directly from S3 without requiring any additional data loading or transformation. References: Amazon S3, Amazon S3 Storage Classes, Querying Data in Amazon S3
Question # 135
A cloud practitioner needs to obtain AWS compliance reports before migrating an environment to the AWS Cloud. How can these reports be generated?
A. Contact the AWS Compliance team B. Download the reports from AWS Artifact C. Open a case with AWS Support D. Generate the reports with Amazon Macie
Answer: B Explanation: AWS Artifact is a service that provides on-demand access to security and compliance reports from AWS and Independent Software Vendors (ISVs) who sell their products on AWS Marketplace. You can use AWS Artifact to download auditor-issued reports, certifications, accreditations, and other third-party attestations of AWS compliance with various standards and regulations, such as PCI-DSS, HIPAA, FedRAMP, GDPR, and more [1][2][3][4]. You can also use AWS Artifact to review, accept, and manage your agreements with AWS and apply them to current and future accounts within your
Question # 136
A company is using Amazon DynamoDB. Which task is the company's responsibility, according to the AWS shared responsibility model?
A. Patch the operating system B. Provision hosts C. Manage database access permissions. D. Secure the operating system
Answer: C Explanation: According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while customers are responsible for the security in the cloud. This means that AWS is responsible for the physical servers, networking, and operating system that run DynamoDB, while customers are responsible for the security of their data and access to the database. Customers need to manage database access permissions, such as creating and managing AWS Identity and Access Management (IAM) policies and roles, and using encryption and key management options to protect their data [1][2][3]. References: 1: Shared Responsibility Model - Amazon Web Services (AWS), 2: Security in Amazon DynamoDB - Amazon DynamoDB, 3: AWS Shared Responsibility Model - Introduction to DevOps …
Question # 137
Which type of AWS storage is ephemeral and is deleted when an Amazon EC2 instance is stopped or terminated?
A. Amazon Elastic Block Store (Amazon EBS) B. Amazon EC2 instance store C. Amazon Elastic File System (Amazon EFS) D. Amazon S3
Answer: B Explanation: Amazon EC2 instance store provides temporary block-level storage for your EC2 instance. This storage is located on disks that are physically attached to the host computer. Instance store is ideal for temporary storage of information that changes frequently, such as buffers, caches, scratch data, and other temporary content. It can also be used to store temporary data that you replicate across a fleet of instances, such as a load-balanced pool of web servers. An instance store consists of one or more instance store volumes exposed as block devices. The size of an instance store as well as the number of devices available varies by instance type and instance size. The virtual devices for instance store volumes are ephemeral[0-23]. Instance types that support one instance store volume have ephemeral0. Instance types that support two or more instance store volumes have ephemeral0, ephemeral1, and so on. Instance store pricing: Instance store volumes are included as part of the instance’s usage cost. The data on an instance store volume persists even if the instance is rebooted. However, the data does not persist if the instance is stopped, hibernated, or terminated. When the instance is stopped, hibernated, or terminated, every block of the instance store volume is cryptographically erased. Therefore, do not rely on instance store volumes for valuable, long-term data. If you need to retain the data stored on an instance store volume beyond the lifetime of the instance, you need to manually copy that data to more persistent storage, such as an Amazon EBS volume, an Amazon S3 bucket, or an Amazon EFS file system. There are some events that can result in your data not persisting throughout the lifetime of the instance. The following table indicates whether data on instance store volumes is persisted during specific events, for both virtualized and bare metal instances [1]. References: Amazon EC2 instance store - Amazon Elastic Compute Cloud
Question # 138
What is the purpose of having an internet gateway within a VPC?
A. To create a VPN connection to the VPC B. To allow communication between the VPC and the internet C. To impose bandwidth constraints on internet traffic D. To load balance traffic from the internet across Amazon EC2 instances
Answer: B Explanation: An internet gateway is a service that allows for internet traffic to enter into a VPC. Otherwise, a VPC is completely segmented off and then the only way to get to it is potentially through a VPN connection rather than through internet connection. An internet gateway is a logical connection between an AWS VPC and the internet. It supports IPv4 and IPv6 traffic. It does not cause availability risks or bandwidth constraints on your network traffic [1]. An internet gateway enables resources in your public subnets (such as EC2 instances) to connect to the internet if the resource has a public IPv4 address or an IPv6 address. Similarly, resources on the internet can initiate a connection to resources in your subnet using the public IPv4 address or IPv6 address [2]. An internet gateway also provides a target in your VPC route tables for internet-routable traffic. For communication using IPv4, the internet gateway also performs network address translation (NAT). For communication using IPv6, NAT is not needed because IPv6 addresses are public [2]. To enable access to or from the internet for instances in a subnet in a VPC using an internet gateway, you must create an internet gateway and attach it to your VPC, add a route to your subnet’s route table that directs internet-bound traffic to the internet gateway, ensure that instances in your subnet have a public IPv4 address or an IPv6 address, and ensure that your network access control lists and security group rules allow the desired internet traffic to flow to and from your instance [2]. References: Connect to the internet using an internet gateway, AWS Internet Gateway and VPC Routing
Question # 139
A company has teams that have different job roles and responsibilities. The company's employees often change teams. The company needs to manage permissions for the employees so that the permissions are appropriate for the job responsibilities. Which IAM resource should the company use to meet this requirement with the LEAST operational overhead?
A. IAM user groups B. IAM roles C. IAM instance profiles D. IAM policies for individual users
Answer: B Explanation: IAM roles are a way of granting temporary permissions to entities that need to access AWS resources, such as users, applications, or services. IAM roles allow customers to assign permissions to entities without having to create or manage IAM users or credentials for them. IAM roles can be assumed by different entities depending on the trust policy attached to the role. For example, IAM roles can be assumed by IAM users in the same or different AWS accounts, AWS services such as EC2 or Lambda, or external identities such as federated users or web identities. IAM roles can also be switched by IAM users to temporarily change their permissions. IAM roles are recommended for managing
Question # 140
A company is running an Amazon EC2 instance in a VPC. An ecommerce company is using Amazon EC2 Auto Scaling groups to manage a fleet of web servers running on Amazon EC2. This architecture follows which AWS Well-Architected Framework best practice?
A. Secure the workload B. Decouple infrastructure components C. Design for failure D. Think parallel
Answer: C Explanation: Design for failure is one of the best practices of the AWS Well-Architected Framework. It means that the architecture should be resilient and fault-tolerant, and able to handle failures without impacting the availability and performance of the applications. By using Amazon EC2 Auto Scaling groups, the ecommerce company can design for failure by automatically scaling the number of EC2 instances up or down based on demand or health status. Amazon EC2 Auto Scaling groups can also distribute the EC2 instances across multiple Availability Zones, which are isolated locations within an AWS Region that have independent power, cooling, and network connectivity. This way, the company can ensure that their web servers can handle traffic spikes, recover from failures, and provide a consistent user experience
Question # 141
Which AWS service can a company use to find security and compliance reports, including International Organization for Standardization (ISO) reports?
A. AWS Artifact B. Amazon CloudWatch C. AWS Config D. AWS Audit Manager
Answer: A Explanation: AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance reports and select online agreements. You can use AWS Artifact to download AWS service audit reports, such as ISO, PCI, and SOC, and to accept and manage agreements with AWS, such as the Business Associate Addendum (BAA).
Question # 142
Which perspective in the AWS Cloud Adoption Framework (AWS CAF) includes a capability for well-designed data and analytics architecture?
A. Security B. Governance C. Operations D. Platform
Answer: D Explanation: The correct answer is D. Platform. The Platform perspective in the AWS Cloud Adoption Framework (AWS CAF) includes a capability for well-designed data and analytics architecture. This capability helps you design, implement, and optimize your data and analytics solutions on AWS, using services such as Amazon S3, Amazon Redshift, Amazon EMR, Amazon Kinesis, Amazon Athena, and Amazon QuickSight. A well-designed data and analytics architecture enables you to collect, store, process, analyze, and visualize data from various sources, and derive insights that can drive your business decisions [1][2]. The Security perspective does not include a capability for data and analytics architecture, but it does include a capability for data protection, which helps you secure your data at rest and in transit using encryption, key management, access control, and auditing [1][3]. The Governance perspective does not include a capability for data and analytics architecture, but it does include a capability for data governance, which helps you manage the quality, availability, usability, integrity, and security of your data assets [1][4]. The Operations perspective does not include a capability for data and analytics architecture, but it does include a capability for data operations, which helps you monitor, troubleshoot, and optimize the performance and availability of your data pipelines and workloads [1]. References: 1: Foundational capabilities - An Overview of the AWS Cloud Adoption Framework 2: [AWS Cloud Adoption Framework: Platform Perspective] 3: [AWS Cloud Adoption Framework: Security Perspective] 4: [AWS Cloud Adoption Framework: Governance Perspective] : [AWS Cloud Adoption Framework: Operations Perspective]
Question # 143
A company has set up a VPC on AWS. The company needs a dedicated connection between the VPC and the company’s on-premises network. Which action should the company take to meet this requirement?
A. Establish a VPN connection between the VPC and the company's on-premises network. B. Establish an AWS Direct Connect connection between the VPC and the company's on-premises network. C. Attach an internet gateway to the VPC. Use the AWS public endpoints for connectivity. D. Configure Amazon Connect to provide connectivity between the VPC and the company's on-premises network.
Answer: B Explanation: Establishing an AWS Direct Connect connection between the VPC and the company’s on-premises network is the action that the company should take to meet the requirement of having a dedicated connection between the VPC and the company’s on-premises network. AWS Direct Connect is a service that lets you establish a dedicated network connection between your network and one of the AWS Direct Connect locations. Using AWS Direct Connect, you can create a private connection between AWS and your datacenter, office, or colocation environment, which can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. Establishing a VPN connection between the VPC and the company’s on-premises network is an action that the company can take to create a secure and encrypted connection between the VPC and the company’s on-premises network, but it is not a dedicated connection, as it uses the public internet as the transport mechanism. Attaching an internet gateway to the VPC and using the AWS public endpoints for connectivity is an action that the company can take to enable communication between the VPC and the internet, but it is not a dedicated connection, as it also uses the public internet as the transport mechanism. Configuring Amazon Connect to provide connectivity between the VPC and the company’s on-premises network is not an action that the company can take, because Amazon Connect is a service that lets you set up and manage a contact center in the cloud, but it does not provide network connectivity between the VPC and the company’s on-premises network.
Question # 144
Which AWS service is an in-memory data store service?
A. Amazon Aurora B. Amazon RDS C. Amazon DynamoDB D. Amazon ElastiCache
Answer: D Explanation: Amazon ElastiCache is a fully managed in-memory data store and cache service that delivers sub-millisecond response times to applications. You can use ElastiCache as a primary data store for your applications, or as a cache to improve the performance of your existing databases. ElastiCache supports two popular open-source in-memory engines: Redis and Memcached [5].
Question # 145
Which option is the default pricing model for Amazon EC2 instances?
A. On-Demand Instances B. Savings Plans C. Spot Instances D. Reserved Instances
Answer: A Explanation: On-Demand Instances are the default pricing model for Amazon EC2 instances. They allow users to pay for compute capacity by the second, with no long-term commitments or upfront payments. They are suitable for applications with short-term, irregular, or unpredictable workloads that cannot be interrupted [3]. Savings Plans are a pricing model that offer significant savings on Amazon EC2 and AWS Fargate usage, in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a 1-year or 3-year term. Spot Instances are a pricing model that offer spare Amazon EC2 compute capacity at up to 90% discount compared to On-Demand prices, but they can be interrupted by AWS with a two-minute notice when the demand exceeds the supply. Reserved Instances are a pricing model that offer up to 75% discount compared to On-Demand prices, in exchange for a commitment to use a specific instance type and size in a specific region for a 1-year or 3-year term.
Question # 146
Which AWS service will allow a user to set custom cost and usage limits, and will alert when the thresholds are exceeded?
A. AWS Organizations B. AWS Budgets C. Cost Explorer D. AWS Trusted Advisor
Answer: B Explanation: AWS Budgets allows you to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when your utilization drops below the threshold you define. AWS Budgets provides you with a comprehensive view of your cost and usage, as well as your reservation utilization and coverage [1].
Question # 147
A company's headquarters is located on a different continent from where the majority of the company's customers live. The company wants an AWS Cloud environment setup that will provide the lowest latency to the customers. A company wants to automate the creation of new AWS accounts and automatically prevent all users from creating Amazon EC2 instances. Which AWS service provides this functionality?
A. AWS Service Catalog B. AWS Organizations C. EC2 Image Builder D. AWS Systems Manager
Answer: B Explanation: AWS Organizations is a service that enables you to create and manage multiple AWS accounts centrally. You can use AWS Organizations to automate account creation, apply policies to control access and permissions, and consolidate billing across your accounts. You can also use AWS Organizations to prevent users from creating Amazon EC2 instances in certain regions or with certain configurations [2]
Question # 148
A company is moving to the AWS Cloud to reduce operational overhead for its application infrastructure. Which IT operation will the company still be responsible for after the migration to AWS?
A. Security patching of AWS Elastic Beanstalk B. Backups of data that is stored in Amazon Aurora C. Termination of Amazon EC2 instances that are managed by AWS Auto Scaling D. Configuration of IAM access controls
Answer: D Explanation: AWS Elastic Beanstalk, Amazon Aurora, and AWS Auto Scaling are managed services that reduce the operational overhead for the customers. AWS is responsible for security patching, backups, and termination of these services. However, the customers are still responsible for configuring IAM access controls to manage the permissions and policies for their AWS resources. This is part of the AWS shared responsibility model, which defines the security and compliance responsibilities of AWS and the customers. You can learn more about the AWS shared responsibility model from this whitepaper or this digital course.
Question # 149
Which AWS Cloud benefit describes the ability to acquire resources as they are needed and release resources when they are no longer needed?
A. Economies of scale B. Elasticity C. Agility D. Security
Answer: B Explanation: The AWS Cloud benefit that describes the ability to acquire resources as they are needed and release resources when they are no longer needed is elasticity. Elasticity means that users can quickly add and remove resources to match the demand of their applications, and only pay for what they use. Elasticity enables users to handle unpredictable workloads, reduce costs, and improve performance [1]. Economies of scale, agility, and security are other benefits of the AWS Cloud, but they do not describe the specific ability of acquiring and releasing resources on demand.
Question # 150
Which AWS service provides storage that can be mounted across multiple Amazon EC2 instances?
A. Amazon Workspaces B. Amazon Elastic File System (Amazon EFS) C. AWS Database Migration Service (AWS DMS) D. AWS Snowball Edge
Answer: B Explanation: Amazon EFS is a fully managed service that provides scalable and elastic file storage for multiple Amazon EC2 instances. Amazon EFS supports the Network File System (NFS) protocol, which allows multiple EC2 instances to access the same file system concurrently. You can learn more about Amazon EFS from this webpage or this digital course.
Question # 151
Which AWS service or storage class provides low-cost, long-term data storage?
A. Amazon S3 Glacier Deep Archive B. AWS Snowball C. Amazon MQ D. AWS Storage Gateway
Answer: A Explanation: Amazon S3 Glacier Deep Archive is a storage class within Amazon S3 that provides the lowest-cost, long-term data storage for data that is rarely accessed. AWS Snowball is a service that provides a physical device for transferring large amounts of data into and out of AWS. Amazon MQ is a service that provides managed message broker service for Apache ActiveMQ. AWS Storage Gateway is a service that provides hybrid cloud storage for on-premises applications.
Question # 152
A company is planning to migrate to the AWS Cloud. The company is conducting organizational transformation and wants to become more responsive to customer inquiries and feedback. Which tasks should the company perform to meet these requirements, according to the AWS Cloud Adoption Framework (AWS CAF)? (Select TWO.)
A. Realign teams to focus on products and value streams. B. Create new value propositions with new products and services. C. Use agile methods to rapidly iterate and evolve. D. Use a new data and analytics platform to create actionable insights. E. Migrate and modernize legacy infrastructure.
Answer: A,C Explanation: Realigning teams to focus on products and value streams, and using agile methods to rapidly iterate and evolve are tasks that the company should perform to meet the requirements of becoming more responsive to customer inquiries and feedback, according to the AWS Cloud Adoption Framework (AWS CAF). AWS CAF organizes guidance into six areas of focus, called perspectives: business, people, governance, platform, security, and operations. Each perspective is divided into capabilities, which describe the skills and processes to execute the transition effectively. The people perspective helps you prepare your organization for cloud adoption, and includes capabilities such as organizational change management, staff skills and readiness, and organizational alignment. The business perspective helps you align IT strategy with business strategy, and includes capabilities such as business case development, value proposition, and product ownership. Creating new value propositions with new products and services is a task that belongs to the business perspective, but it is not directly related to the requirement of becoming more responsive to customer inquiries and feedback. Using a new data and analytics platform to create actionable insights is a task that belongs to the platform perspective, which helps you design, implement, and optimize the architecture of the AWS environment. However, it is also not directly related to the requirement of becoming more responsive to customer inquiries and feedback. Migrating and modernizing legacy infrastructure is a task that belongs to the operations perspective, which helps you enable, run, use, operate, and recover IT workloads to the level agreed upon with your business stakeholders. However, it is also not directly related to the requirement of becoming more responsive to customer inquiries and feedback.
Question # 153
A company is assessing its AWS Business Support plan to determine if the plan still meets the company's needs. The company is considering switching to AWS Enterprise Support. Which additional benefit will the company receive with AWS Enterprise Support?
A. A full set of AWS Trusted Advisor checks B. Phone, email, and chat access to cloud support engineers 24 hours a day, 7 days a week C. A designated technical account manager (TAM) to assist in monitoring and optimization D. A consultative review and architecture guidance for the company's applications
Answer: C Explanation: The additional benefit that the company will receive with AWS Enterprise Support is C. A designated technical account manager (TAM) to assist in monitoring and optimization. A TAM is a dedicated point of contact who works with the customer to understand their use cases, applications, and goals, and provides proactive guidance and best practices to help them optimize their AWS environment. A TAM also helps the customer with case management, escalations, service updates, and feature requests [1][2]. A full set of AWS Trusted Advisor checks is available for customers with Business, Enterprise On-Ramp, or Enterprise Support plans [1]. Phone, email, and chat access to cloud support engineers 24/7 is available for customers with Business, Enterprise On-Ramp, or Enterprise Support plans [1]. A consultative review and architecture guidance for the company's applications is available for customers with Enterprise On-Ramp or Enterprise Support plans [1]. Therefore, these benefits are not exclusive to AWS Enterprise Support.
Reference: 1: AWS Support Plan Comparison | Developer, Business, Enterprise …
Question # 154
A company needs to implement identity management for a fleet of mobile apps that are running in the AWS Cloud. Which AWS service will meet this requirement?
A. Amazon Cognito B. AWS Security Hub C. AWS Shield D. AWS WAF
Answer: A Explanation: Amazon Cognito is a service that provides identity management for mobile and web applications, allowing users to sign up, sign in, and access AWS resources with different identity providers. AWS Security Hub is a service that provides a comprehensive view of the security posture of AWS accounts and resources. AWS Shield is a service that provides protection against distributed denial of service (DDoS) attacks. AWS WAF is a web application firewall that helps protect web applications from common web exploits.
Question # 155
A company is running a workload in the AWS Cloud. Which AWS best practice ensures the MOST cost-effective architecture for the workload?
A. Loose coupling B. Rightsizing C. Caching D. Redundancy
Answer: B Explanation: The AWS best practice that ensures the most cost-effective architecture for the workload is rightsizing. Rightsizing means selecting the most appropriate instance type or resource configuration that matches the needs of the workload. Rightsizing can help optimize performance and reduce costs by avoiding over-provisioning or under-provisioning of resources [1]. Loose coupling, caching, and redundancy are other AWS best practices that can improve the scalability, availability, and performance of the workload, but they do not necessarily ensure the most cost-effective architecture.
Question # 156
A company is building an application on AWS. The application needs to comply with credit card regulatory requirements. The company needs proof that the AWS services and deployment are in compliance. Which actions should the company take to meet these requirements? (Select TWO.)
A. Use Amazon Inspector to submit the application for certification. B. Ensure that the application's underlying hardware components comply with requirements. C. Use AWS Artifact to access AWS documents about the compliance of the services. D. Get the compliance of the application certified by a company assessor. E. Use AWS Security Hub to certify the compliance of the application.
Answer: C,D Explanation: Using AWS Artifact to access AWS documents about the compliance of the services, and getting the compliance of the application certified by a company assessor are actions that the company should take to meet the requirements of complying with credit card regulatory requirements. AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating effectiveness of AWS security controls. AWS Artifact can help you demonstrate compliance with credit card regulatory requirements by providing you with proof that the AWS services and deployment are in compliance. Getting the compliance of the application certified by a company assessor is an action that the company should take to ensure that the application meets the specific requirements of the credit card industry. A company assessor is an independent third-party entity that is qualified to assess the compliance of the application with the relevant standards and regulations. Using Amazon Inspector to submit the application for certification is not an action that the company should take, because Amazon Inspector is a service that helps you improve the security and compliance of your applications deployed on AWS by automatically assessing them for vulnerabilities and deviations from best practices, but it does not provide certification for the applications. Ensuring that the application's underlying hardware components comply with requirements is not an action that the company should take, because the application is deployed on AWS, and AWS is responsible for the security and compliance of the underlying hardware components. This is part of the shared responsibility model, where AWS is responsible for security of the cloud, and customers are responsible for security in the cloud. Using AWS Security Hub to certify the compliance of the application is not an action that the company should take, because AWS Security Hub is a service that gives you a comprehensive view of your security posture across your AWS accounts and helps you check your environment against security industry standards and best practices, but it does not provide certification for the applications.
Question # 157
Which Amazon S3 storage class is the MOST cost-effective for long-term storage?
A. S3 Glacier Deep Archive B. S3 Standard C. S3 Standard-Infrequent Access (S3 Standard-IA) D. S3 One Zone-Infrequent Access (S3 One Zone-IA)
Answer: A Explanation: Amazon S3 Glacier Deep Archive is the lowest-cost storage class in the cloud. It is designed for long-term data archiving that is rarely accessed. It offers a retrieval time of 12 hours and a durability of 99.999999999% (11 9's). It is ideal for data that must be retained for 7 years or longer to meet regulatory compliance requirements.
Question # 158
A company deployed an application on an Amazon EC2 instance. The application ran as expected for 6 months. In the past week, users have reported latency issues. A system administrator found that the CPU utilization was at 100% during business hours. The company wants a scalable solution to meet demand. Which AWS service or feature should the company use to handle the load for its application during periods of high demand?
A. Auto Scaling groups B. AWS Global Accelerator C. Amazon Route 53 D. An Elastic IP address
Answer: A Explanation: Auto Scaling groups are a feature that allows users to automatically scale the number of Amazon EC2 instances up or down based on demand or a predefined schedule. Auto Scaling groups can help improve the performance and availability of applications by adjusting the capacity in response to traffic fluctuations [1]. AWS Global Accelerator is a service that improves the availability and performance of applications by routing traffic through AWS edge locations [2]. Amazon Route 53 is a service that provides scalable and reliable domain name system (DNS) service [3]. An Elastic IP address is a static IPv4 address that can be associated with an Amazon EC2 instance [4].
Question # 159
A company wants a list of all users in its AWS account, the status of all of the users' access keys, and if multi-factor authentication (MFA) has been configured. Which AWS service or feature will meet these requirements?
A. AWS Key Management Service (AWS KMS) B. IAM Access Analyzer C. IAM credential report D. Amazon CloudWatch
Answer: C Explanation: IAM credential report is a feature that allows you to generate and download a report that lists all IAM users in your AWS account and the status of their various credentials, including access keys and MFA devices. You can use this report to audit the security status of your IAM users and ensure that they follow the best practices for using AWS [1]. AWS Key Management Service (AWS KMS) is a service that allows you to create and manage encryption keys to protect your data. It does not provide information about IAM users or their credentials [2]. IAM Access Analyzer is a feature that helps you identify the resources in your AWS account, such as S3 buckets or IAM roles, that are shared with an external entity. It does not provide information about IAM users or their credentials [3]. Amazon CloudWatch is a service that monitors and collects metrics, logs, and events from your AWS resources and applications. It does not provide information about IAM users or their credentials [4].
References: Getting credential reports for your AWS account - AWS Identity and Access Management; AWS Key Management Service - Amazon Web Services; IAM Access Analyzer - AWS Identity and Access Management; Amazon CloudWatch - Amazon Web Services
Question # 160
Which of the following actions are controlled with AWS Identity and Access Management (IAM)? (Select TWO.)
A. Control access to AWS service APIs and to other specific resources. B. Provide intelligent threat detection and continuous monitoring. C. Protect the AWS environment using multi-factor authentication (MFA). D. Grant users access to AWS data centers. E. Provide firewall protection for applications from common web attacks.
Answer: A,C Explanation: AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely. You can use IAM to perform the following actions:
Control access to AWS service APIs and to other specific resources: You can create users, groups, roles, and policies that define who can access which AWS resources and how. You can also use IAM to grant temporary access to users or applications that need to perform certain tasks on your behalf [3].
Protect the AWS environment using multi-factor authentication (MFA): You can enable MFA for your IAM users and root user to add an extra layer of security to your AWS account. MFA requires users to provide a unique authentication code from an approved device or SMS text message, in addition to their user name and password, when they sign in to AWS [4].
Question # 161
A company needs an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities. Which AWS service will meet these requirements?
A. Amazon GuardDuty B. Amazon Inspector C. AWS Security Hub D. AWS Shield
Answer: B Explanation: The correct answer is B. Amazon Inspector. Amazon Inspector is an automated vulnerability management service that continually scans AWS workloads for software vulnerabilities and unintended network exposure. Amazon Inspector automatically discovers workloads, such as Amazon EC2 instances, containers, and Lambda functions, and scans them for software vulnerabilities and unintended network exposure [1][2]. Amazon GuardDuty is a threat detection service that monitors your AWS accounts and workloads for malicious or unauthorized activity. Amazon GuardDuty does not scan for software vulnerabilities, but rather analyzes AWS CloudTrail, Amazon VPC Flow Logs, and DNS logs to detect threats such as compromised credentials, backdoors, or cryptomining [3]. AWS Security Hub is a security and compliance service that aggregates and prioritizes security findings from multiple AWS services and partner solutions. AWS Security Hub does not scan for software vulnerabilities, but rather provides a comprehensive view of your security posture across your AWS accounts [4]. AWS Shield is a managed service that protects your web applications and network resources from distributed denial-of-service (DDoS) attacks. AWS Shield does not scan for software vulnerabilities, but rather provides detection and mitigation of DDoS attacks at the network and application layers [5].
References: 1: Automated Software Vulnerability Management - Amazon Inspector - AWS; 3: [Amazon GuardDuty – Intelligent Threat Detection Made Easy]; 2: AWS Re-Launches Amazon Inspector with New Architecture and Features - InfoQ; 4: [AWS Security Hub – Unified Security and Compliance Center]; 5: [AWS Shield – Managed DDoS Protection]
Question # 162
For which AWS service is the customer responsible for maintaining the underlying operating system?
A. Amazon DynamoDB B. Amazon S3 C. Amazon EC2 D. AWS Lambda
Answer: C Explanation: Amazon EC2 is a service that provides resizable compute capacity in the cloud. Users can launch and manage virtual servers, known as instances, that run on the AWS infrastructure. Users are responsible for maintaining the underlying operating system of the instances, as well as any applications or software that run on them. Amazon DynamoDB is a service that provides a fully managed NoSQL database that delivers fast and consistent performance at any scale. Users do not need to manage the underlying operating system or the database software. Amazon S3 is a service that provides scalable and durable object storage in the cloud. Users do not need to manage the underlying operating system or the storage infrastructure. AWS Lambda is a service that allows users to run code without provisioning or managing servers. Users only need to upload their code and configure the triggers and parameters. AWS Lambda takes care of the underlying operating system and the execution environment.
Question # 163
A company wants to use the latest technologies and wants to minimize its capital investment. Instead of upgrading on-premises infrastructure, the company wants to move to the AWS Cloud. Which AWS Cloud benefit does this scenario describe?
A. Increased speed to market B. The trade of infrastructure expenses for operating expenses C. Massive economies of scale D. The ability to go global in minutes
Answer: B Explanation: The trade of infrastructure expenses for operating expenses is one of the benefits of the AWS Cloud. By moving to the AWS Cloud, the company can avoid the upfront costs of purchasing and maintaining on-premises infrastructure, such as servers, storage, network, and software. Instead, the company can pay only for the AWS resources and services that they use, as they use them. This reduces the risk and complexity of planning and managing IT infrastructure, and allows the company to focus on innovation and growth. Increased speed to market, massive economies of scale, and the ability to go global in minutes are also benefits of the AWS Cloud, but they are not the best ones to describe this scenario. Increased speed to market means that the company can launch new products and services faster by using AWS services and tools. Massive economies of scale means that the company can benefit from the lower costs and higher performance that AWS achieves by operating at a large scale. The ability to go global in minutes means that the company can deploy their applications and data in multiple regions and availability zones around the world to reach their customers faster and improve performance and reliability [5].
Question # 164
A company has deployed an application in the AWS Cloud. The company wants to ensure that the application is highly resilient. Which component of AWS infrastructure can the company use to meet this requireme
A. Content delivery network (CDN) B. Edge locations C. Wavelength Zones D. Availability Zones
Answer: D Explanation: Availability Zones are components of AWS infrastructure that can help the company ensure that the application is highly resilient. Availability Zones are multiple, isolated locations within each AWS Region. Each Availability Zone has independent power, cooling, and physical security, and is connected to the other Availability Zones in the same Region via low-latency, high-throughput, and highly redundant networking. Availability Zones allow you to operate production applications and databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
Question # 165
A company wants an AWS service to provide product recommendations based on its customer data. Which AWS service will meet this requirement?
A. Amazon Polly B. Amazon Personalize C. Amazon Comprehend D. Amazon Rekognition
Answer: B Explanation: Amazon Personalize is an AWS service that helps developers quickly build and deploy a custom recommendation engine with real-time personalization and user segmentation [1]. It uses machine learning (ML) to analyze customer data and provide relevant recommendations based on their preferences, behavior, and context. Amazon Personalize can be used for various use cases such as optimizing recommendations, targeting customers more accurately, maximizing the value of unstructured text, and promoting items using business rules [1]. The other options are not suitable for providing product recommendations based on customer data. Amazon Polly is a service that converts text into lifelike speech. Amazon Comprehend is a service that uses natural language processing (NLP) to extract insights from text and documents. Amazon Rekognition is a service that uses computer vision (CV) to analyze images and videos for faces, objects, scenes, and activities.
References: 1: Cloud Products - Amazon Web Services (AWS); 2: Recommender System – Amazon Personalize – Amazon Web Services; 3: Top 25 AWS Services List 2023 - GeeksforGeeks; 4: AWS to Azure services comparison - Azure Architecture Center; 5: The 25+ Best AWS Cost Optimization Tools (Updated 2023) - CloudZero; 6: Amazon Polly – Text-to-Speech Service - AWS; 7: Natural Language Processing - Amazon Comprehend - AWS; 8: Image and Video Analysis - Amazon Rekognition - AWS
Question # 166
A company needs to set a maximum spending limit on AWS services each month. The company also needs to set up alerts for when the company reaches its spending limit. Which AWS service or tool should the company use to meet these requirements?
A. Cost Explorer B. AWS Trusted Advisor C. Service Quotas D. AWS Budgets
Answer: D Explanation: AWS Budgets is a service that helps you plan your service usage, service costs, and instance reservations, and track how close your plan is to your budgeted amount. You can set custom budgets that alert you when you exceed (or are forecasted to exceed) your budgeted thresholds. You can also use AWS Budgets to set a maximum spending limit on AWS services each month and set up alerts for when you reach your spending limit. Cost Explorer is a service that enables you to visualize, understand, and manage your AWS costs and usage over time. You can use Cost Explorer to view charts and graphs that show how your costs are trending, identify areas that need further inquiry, and see the impact of your cost management actions. However, Cost Explorer does not allow you to set a maximum spending limit or alerts for your AWS services. AWS Trusted Advisor is a service that provides you real time guidance to help you provision your resources following AWS best practices, including security and performance. It can help you monitor for cost optimization opportunities, such as unused or underutilized resources, but it does not allow you to set a maximum spending limit or alerts for your AWS services. Service Quotas is a service that enables you to view and manage your quotas, also referred to as limits, from a central location. Quotas, also referred to as limits, are the maximum number of resources that you can create in your AWS account. However, Service Quotas does not allow you to set a maximum spending limit or alerts for your AWS services.
Question # 167
A company is migrating to the AWS Cloud to meet storage needs. The company wants to optimize costs based on the amount of storage that the company uses. Which AWS offering or benefit will meet these requirements MOST cost-effectively?
A. Pay-as-you-go pricing B. Savings Plans C. AWS Free Tier D. Volume-based discounts
Answer: D Explanation: Volume-based discounts are an AWS offering or benefit that can help the company optimize costs based on the amount of storage that the company uses. Volume-based discounts are discounts that AWS provides for some storage services, such as Amazon S3 and Amazon EBS, when the company stores a large amount of data. The more data the company stores, the lower the price per GB. For example, Amazon S3 offers six storage classes, each with a different price per GB. The price per GB decreases as the amount of data stored in each storage class increases.
Question # 168
A company has a MySQL database running on a single Amazon EC2 instance. The company now requires higher availability in the event of an outage. Which set of tasks would meet this requirement?
A. Add an Application Load Balancer in front of the EC2 instance. B. Configure EC2 Auto Recovery to move the instance to another Availability Zone. C. Migrate to Amazon RDS and enable Multi-AZ. D. Enable termination protection for the EC2 instance to avoid outages.
Answer: C Explanation: The set of tasks that would meet the requirement of having higher availability for a MySQL database running on a single Amazon EC2 instance is to migrate to Amazon RDS and enable Multi-AZ. Amazon RDS is a fully managed relational database service that supports MySQL and other popular database engines. By enabling Multi-AZ, users can have a primary database in one Availability Zone and a synchronous standby replica in another Availability Zone. In case of a planned or unplanned outage of the primary database, Amazon RDS automatically fails over to the standby replica with minimal disruption [3]. Adding an Application Load Balancer in front of the EC2 instance, configuring EC2 Auto Recovery to move the instance to another Availability Zone, or enabling termination protection for the EC2 instance would not provide higher availability for the database, as they do not address the single point of failure or data replication issues.
Question # 169
A company is building an application in the AWS Cloud. The company wants to use temporary credentials for the application to access other AWS resources. Which AWS service will meet these requirements?
A. AWS Key Management Service (AWS KMS) B. AWS CloudHSM C. Amazon Cognito D. AWS Security Token Service (AWS STS)
Answer: D Explanation: AWS Security Token Service (AWS STS) is a service that provides temporary security credentials to users or applications that need to access AWS resources. The temporary credentials have a limited lifetime and can be configured to last from a few minutes to several hours. The credentials are not stored with the user or application, but are generated dynamically and provided on request. The credentials work almost identically to long-term access key credentials, but have the advantage of not requiring distribution, rotation, or revocation [1]. AWS Key Management Service (AWS KMS) is a service that provides encryption and decryption services for data and keys. It does not provide temporary security credentials [2]. AWS CloudHSM is a service that provides hardware security modules (HSMs) for cryptographic operations and key management. It does not provide temporary security credentials [3]. Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. It can also provide temporary security credentials for authenticated users, but not for applications [4].
Question # 170
Which AWS service uses AWS Compute Optimizer to provide sizing recommendations based on workload metrics?
A. Amazon EC2 B. Amazon RDS C. Amazon Lightsail D. AWS Step Functions
Answer: A Explanation: Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. It allows you to launch virtual servers, called instances, with different configurations of CPU, memory, storage, and networking resources. AWS Compute Optimizer analyzes the specifications and utilization metrics of your Amazon EC2 instances and generates recommendations for optimal instance types that can reduce costs and improve performance. You can view the recommendations on the AWS Compute Optimizer console or the Amazon EC2 console [1][2]. Amazon RDS, Amazon Lightsail, and AWS Step Functions are not supported by AWS Compute Optimizer. Amazon RDS is a managed relational database service that lets you set up, operate, and scale a relational database in the cloud. Amazon Lightsail is an easy-to-use cloud platform that offers everything you need to build an application or website, plus a cost-effective, monthly plan. AWS Step Functions lets you coordinate multiple AWS services into serverless workflows so you can build and update apps quickly [3].
Question # 171
Which of the following is a benefit of operating in the AWS Cloud?
A. The ability to migrate on-premises network devices to the AWS Cloud B. The ability to expand compute, storage, and memory when needed C. The ability to host custom hardware in the AWS Cloud D. The ability to customize the underlying hypervisor layer for Amazon EC2
Answer: B Explanation: One of the benefits of operating in the AWS Cloud is the ability to expand compute, storage, and memory when needed, which enables users to scale their applications and resources up or down based on demand. This also helps users optimize their costs and performance. The ability to migrate on-premises network devices to the AWS Cloud, the ability to host custom hardware in the AWS Cloud, and the ability to customize the underlying hypervisor layer for Amazon EC2 are not benefits of operating in the AWS Cloud, as they are either not possible or not recommended by AWS.
Question # 172
Which AWS service or feature enables users to encrypt data at rest in Amazon S3?
A. IAM policies B. Server-side encryption C. Amazon GuardDuty D. Client-side encryption
Answer: B Explanation: Server-side encryption is an encryption option that Amazon S3 provides to encrypt data at rest in Amazon S3. With server-side encryption, Amazon S3 encrypts an object before saving it to disk in its data centers and decrypts it when you download the objects. You have three server-side encryption options to choose from: SSE-S3, SSE-C, and SSE-KMS. SSE-S3 uses keys that are managed by Amazon S3. SSE-C allows you to manage your own encryption keys. SSE-KMS uses keys that are managed by AWS Key Management Service (AWS KMS) [5].
Question # 173
A company runs a MySQL database in its on-premises data center. The company wants to run a copy of this database in the AWS Cloud. Which AWS service would support this workload?
A. Amazon RDS B. Amazon Neptune C. Amazon ElastiCache for Redis D. Amazon Quantum Ledger Database (Amazon QLDB)
Answer: A
Explanation: Amazon Relational Database Service (Amazon RDS) is a web service that makes it easier to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity, while automating time-consuming administration tasks such as hardware provisioning, database setup, patching, and backups. Amazon RDS supports six popular database engines: Amazon Aurora, PostgreSQL, MySQL, MariaDB, Oracle Database, and SQL Server. Amazon RDS can support running a copy of a MySQL database in the AWS Cloud, as it offers compatibility, scalability, and availability features.
Question # 174
A company wants to set up a high-speed connection between its data center and its applications that run on AWS. The company must not transfer data over the internet. Which action should the company take to meet these requirements?
A. Transfer data to AWS by using AWS Snowball. B. Transfer data to AWS by using AWS Storage Gateway. C. Set up a VPN connection between the data center and an AWS Region. D. Set up an AWS Direct Connect connection between the company network and AWS.
Answer: D
Explanation: AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from a customer’s premises to AWS. AWS Direct Connect does not involve the public internet, and therefore can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections. AWS Snowball is a petabyte-scale data transport service that uses secure devices to transfer large amounts of data into and out of the AWS Cloud. AWS Storage Gateway is a hybrid cloud storage service that gives customers on-premises access to virtually unlimited cloud storage. A VPN connection enables customers to establish a secure and private connection between their network and AWS.
Question # 175
A company has an application that runs periodically in an on-premises environment. The application runs for a few hours most days, but runs for 8 hours a day for a week at the end of each month. Which AWS service or feature should be used to host the application in the AWS Cloud?
A. Amazon EC2 Standard Reserved Instances B. Amazon EC2 On-Demand Instances C. AWS Wavelength D. Application Load Balancer
Answer: B
Explanation: Amazon EC2 On-Demand Instances are instances that let you pay for compute capacity by the hour or second (minimum of 60 seconds) with no long-term commitments. This frees you from the costs and complexities of planning, purchasing, and maintaining hardware and transforms what are commonly large fixed costs into much smaller variable costs. On-Demand Instances are suitable for applications with short-term, irregular, or unpredictable workloads that cannot be interrupted, such as periodic applications that run for a few hours most days, but run for 8 hours a day for a week at the end of each month.
Amazon EC2 Standard Reserved Instances are instances that provide you with a significant discount (up to 75%) compared to On-Demand Instance pricing. In exchange, you select a term and make an upfront payment to reserve a certain amount of compute capacity for that term. Reserved Instances are suitable for applications with steady state or predictable usage that require reserved capacity.
AWS Wavelength is a service that enables developers to build applications that deliver ultra-low latency to mobile devices and users by deploying AWS compute and storage at the edge of the 5G network. Wavelength is suitable for applications that require single-digit millisecond latencies, such as game and live video streaming, machine learning inference at the edge, and augmented and virtual reality (AR/VR).
Application Load Balancer is a service that operates at the request level (layer 7) and distributes incoming application traffic across multiple targets, such as EC2 instances, containers, Lambda functions, and IP addresses. Application Load Balancer is suitable for applications that need advanced routing capabilities, such as microservices or container-based architectures.
Question # 176
A company wants to launch its web application in a second AWS Region. The company needs to determine which services must be regionally configured for this launch. Which AWS services can be configured at the Region level? (Select TWO.)
A. Amazon EC2 B. Amazon Route 53 C. Amazon CloudFront D. AWS WAF E. Amazon DynamoDB
Answer: B,D
Explanation: Amazon Route 53 and AWS WAF are AWS services that can be configured at the Region level. Amazon Route 53 is a highly available and scalable cloud Domain Name System (DNS) web service that lets you register domain names, route traffic to resources, and check the health of your resources. AWS WAF is a web application firewall that helps protect your web applications or APIs against common web exploits that may affect availability, compromise security, or consume excessive resources. Amazon EC2, Amazon CloudFront, and Amazon DynamoDB are AWS services that can be configured at the global level or the Availability Zone level.
Question # 177
A company has created an AWS Cost and Usage Report and wants to visualize the report. Which AWS service should the company use to ingest and display this information?
A. Amazon QuickSight B. Amazon Pinpoint C. Amazon Neptune D. Amazon Kinesis
Answer: A
Explanation: Amazon QuickSight is an AWS service that provides business intelligence and data visualization capabilities. Amazon QuickSight enables you to ingest, analyze, and display data from various sources, such as AWS Cost and Usage Reports, Amazon S3, Amazon Athena, Amazon Redshift, and Amazon RDS. You can use Amazon QuickSight to create interactive dashboards and charts that show insights and trends from your data. You can also share your dashboards and charts with other users or embed them into your applications.
Question # 178
A company is looking for a managed machine learning (ML) service that can recommend products based on a customer's previous behaviors. Which AWS service meets this requirement?
A. Amazon Personalize B. Amazon SageMaker C. Amazon Pinpoint D. Amazon Comprehend
Answer: A
Explanation: The AWS service that meets the requirement of providing a managed machine learning (ML) service that can recommend products based on a customer’s previous behaviors is Amazon Personalize. Amazon Personalize is a fully managed service that enables developers to create personalized recommendations for customers using their own data. Amazon Personalize can automatically process and examine the data, identify what is meaningful, select the right algorithms, and train and optimize a personalized recommendation model. Amazon SageMaker, Amazon Pinpoint, and Amazon Comprehend are other AWS services related to machine learning, but they do not provide the specific functionality of product recommendation.
Question # 179
Which benefits can customers gain by using AWS Marketplace? (Select TWO.)
A. Speed of business B. Fewer legal objections C. Ability to pay with credit cards D. No requirement for product licenses for any products E. Free use of all services for the first hour
Answer: A,B
Explanation: AWS Marketplace is a digital catalog that offers thousands of software products and solutions from independent software vendors (ISVs) and AWS partners. Customers can use AWS Marketplace to find, buy, and deploy software on AWS. Some of the benefits of using AWS Marketplace are:
Speed of business: You can quickly and easily discover and deploy software that meets your business needs, without having to go through lengthy procurement processes. You can also use AWS Marketplace to test and compare different solutions before making a purchase decision.
Fewer legal objections: You can benefit from standardized contract terms and conditions that are pre-negotiated between AWS and the ISVs. This reduces the time and effort required to review and approve legal agreements.
Question # 180
A company wants to use guidelines from the AWS Well-Architected Framework to limit human error and facilitate consistent responses to events. Which of the following is a Well-Architected design principle that will meet these requirements?
A. Use AWS CodeDeploy. B. Perform operations as code. C. Migrate workloads to a Dedicated Host. D. Use AWS Compute Optimizer.
Answer: B
Explanation: This is a design principle of the operational excellence pillar of the AWS Well-Architected Framework. Performing operations as code means using scripts, templates, or automation tools to perform routine tasks, such as provisioning, configuration, deployment, and monitoring. This reduces human error, increases consistency, and enables faster recovery from failures. You can learn more about the operational excellence pillar from this whitepaper or this digital course.
Question # 181
A company needs to set up user authentication for a new application. Users must be able to sign in directly with a user name and password, or through a third-party provider. Which AWS service should the company use to meet these requirements?
A. AWS IAM Identity Center (AWS Single Sign-On) B. AWS Signer C. Amazon Cognito D. AWS Directory Service
Answer: C
Explanation: Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. You can use Amazon Cognito to enable users to sign in directly with a user name and password, or through a third-party provider, such as Facebook, Google, or Amazon. You can also use Amazon Cognito to manage user profiles, preferences, and security settings.
Question # 182
AWS has the ability to achieve lower pay-as-you-go pricing by aggregating usage across hundreds of thousands of users. This describes which advantage of the AWS Cloud?
A. Launch globally in minutes B. Increase speed and agility C. High economies of scale D. No guessing about compute capacity
Answer: C
Explanation: AWS has the ability to achieve lower pay-as-you-go pricing by aggregating usage across hundreds of thousands of users. This means that AWS can leverage its massive scale and purchasing power to reduce the costs of infrastructure, hardware, software, and operations. These savings are then passed on to the customers, who only pay for the resources they use. You can learn more about the AWS pricing model from [this webpage] or [this digital course].
Question # 183
Which AWS service or feature offers security for a VPC by acting as a firewall to control traffic in and out of subnets?
A. AWS Security Hub B. Security groups C. Network ACL D. AWS WAF
Answer: C
Explanation: A network access control list (network ACL) is a feature that acts as a firewall for controlling traffic in and out of one or more subnets in a virtual private cloud (VPC). Network ACLs can be configured with rules that allow or deny traffic based on the source and destination IP addresses, ports, and protocols. AWS Security Hub is a service that provides a comprehensive view of the security posture of AWS accounts and resources. Security groups are features that act as firewalls for controlling traffic at the instance level. AWS WAF is a web application firewall that helps protect web applications from common web exploits.
Question # 184
A company is using a central data platform to manage multiple types of data for its customers. The company wants to use AWS services to discover, transform, and visualize the data. Which combination of AWS services should the company use to meet these requirements? (Select TWO.)
A. AWS Glue B. Amazon Elastic File System (Amazon EFS) C. Amazon Redshift D. Amazon QuickSight E. Amazon Quantum Ledger Database (Amazon QLDB)
Answer: A,C
Explanation: AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare and load data for analytics. AWS Glue can discover data sources, transform data, and make it available for analysis by using data catalogs and workflows. Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud that enables customers to analyze data using standard SQL and existing business intelligence tools. Amazon Redshift can also integrate with other AWS services to visualize and transform data. Amazon Elastic File System (Amazon EFS) provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. Amazon QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in an organization. Amazon Quantum Ledger Database (Amazon QLDB) is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority.
Question # 185
A software engineer wants to launch a virtual machine (VM) and MySQL database on AWS. Which AWS service will meet these requirements with the LEAST operational effort?
A. Amazon Elastic Container Service (Amazon ECS) B. AWS Elastic Beanstalk C. Amazon Lightsail D. Amazon EC2
Answer: B
Explanation: AWS Elastic Beanstalk is a service that enables you to quickly deploy and manage applications in the AWS Cloud without worrying about the infrastructure that runs those applications. You simply upload your application, and Elastic Beanstalk automatically handles the details of capacity provisioning, load balancing, scaling, and application health monitoring. Elastic Beanstalk supports several platform configurations for Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker web applications that can run on familiar servers such as Apache, Nginx, Passenger, and IIS. You can also use Elastic Beanstalk to launch a virtual machine (VM) and MySQL database on AWS with the least operational effort.
Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service that enables you to easily run, scale, and secure Docker containerized applications on AWS. However, it requires more operational effort than Elastic Beanstalk, as you need to define your application architecture and the specifications of the containers that run it.
Amazon Lightsail is an easy-to-use cloud platform that offers everything you need to build an application or website, plus a cost-effective, monthly plan. It is designed for developers who have little or no prior cloud experience and want to launch and manage applications on AWS with minimal complexity. However, it does not support MySQL databases, and it requires more operational effort than Elastic Beanstalk, as you need to configure your VM and database settings.
Amazon EC2 is a web service that provides secure, resizable compute capacity in the cloud. It allows you to launch a virtual machine (VM) and MySQL database on AWS, but it requires the most operational effort, as you need to provision, monitor, and manage your EC2 instances and database.
Question # 187
A company wants to ensure that all of its Amazon EC2 instances have compliant operating system patches. Which AWS service will meet these requirements?
A. AWS Compute Optimizer B. AWS Elastic Beanstalk C. AWS AppSync D. AWS Systems Manager
Answer: D
Explanation: AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. You can use Systems Manager to apply OS patches, create system images, configure Windows and Linux operating systems, and execute PowerShell commands. Systems Manager can help you ensure that all of your Amazon EC2 instances have compliant operating system patches by using the Patch Manager feature.
Question # 188
Which AWS service helps developers use loose coupling and reliable messaging between microservices?
A. Elastic Load Balancing B. Amazon Simple Notification Service (Amazon SNS) C. Amazon CloudFront D. Amazon Simple Queue Service (Amazon SQS)
Answer: D
Explanation: Amazon Simple Queue Service (Amazon SQS) is a service that provides fully managed message queues for asynchronous communication between microservices. It helps developers use loose coupling and reliable messaging by allowing them to send, store, and receive messages between distributed components without losing them or requiring each component to be always available. Elastic Load Balancing is a service that distributes incoming traffic across multiple targets, such as Amazon EC2 instances, containers, and IP addresses. Amazon Simple Notification Service (Amazon SNS) is a service that provides fully managed pub/sub messaging for event-driven and push-based communication between microservices. Amazon CloudFront is a service that provides a fast and secure content delivery network (CDN) for web applications.
Question # 189
A company is running an Amazon EC2 instance in a VPC. An ecommerce company is using Amazon EC2 Auto Scaling groups to manage a fleet of web servers running on Amazon EC2. This architecture follows which AWS Well-Architected Framework best practice?
A. Secure the workload B. Decouple infrastructure components C. Design for failure D. Think parallel
Answer: C
Explanation: Design for failure is one of the best practices of the AWS Well-Architected Framework. It means that the architecture should be resilient and fault-tolerant, and able to handle failures without impacting the availability and performance of the applications. By using Amazon EC2 Auto Scaling groups, the ecommerce company can design for failure by automatically scaling the number of EC2 instances up or down based on demand or health status. Amazon EC2 Auto Scaling groups can also distribute the EC2 instances across multiple Availability Zones, which are isolated locations within an AWS Region that have independent power, cooling, and network connectivity. This way, the company can ensure that their web servers can handle traffic spikes, recover from failures, and provide a consistent user experience.
Question # 190
A company hosts a large amount of data in AWS. The company wants to identify if any of the data should be considered sensitive. Which AWS service will meet the requirement?
A. Amazon Inspector B. Amazon Macie C. AWS Identity and Access Management (IAM) D. Amazon CloudWatch
Answer: B
Explanation: Amazon Macie is a fully managed service that uses machine learning and pattern matching to help you detect, classify, and better protect your sensitive data stored in the AWS Cloud [1]. Macie can automatically discover and scan your Amazon S3 buckets for sensitive data such as personally identifiable information (PII), financial information, healthcare information, intellectual property, and credentials [1]. Macie also provides you with a dashboard that shows the type, location, and volume of sensitive data in your AWS environment, as well as alerts and findings on potential security issues [1].
The other options are not suitable for identifying sensitive data in AWS. Amazon Inspector is a service that helps you find security vulnerabilities and deviations from best practices in your Amazon EC2 instances [2]. AWS Identity and Access Management (IAM) is a service that helps you manage access to your AWS resources by creating users, groups, roles, and policies [3]. Amazon CloudWatch is a service that helps you monitor and troubleshoot your AWS resources and applications by collecting metrics, logs, events, and alarms [4].
References:
[1] What Is Amazon Macie? - Amazon Macie
[2] What Is Amazon Inspector? - Amazon Inspector
[3] What Is IAM? - AWS Identity and Access Management
[4] What Is Amazon CloudWatch? - Amazon CloudWatch
Question # 191
A company wants to launch multiple workloads on AWS. Each workload is related to a different business unit. The company wants to separate and track costs for each business unit. Which solution will meet these requirements with the LEAST operational overhead?
A. Use AWS Organizations and create one account for each business unit. B. Use a spreadsheet to control the owners and cost of each resource. C. Use an Amazon DynamoDB table to record costs for each business unit. D. Use the AWS Billing console to assign owners to resources and track costs.
Answer: A
Explanation: AWS Organizations is a service that helps you centrally manage and govern your AWS environment. You can use AWS Organizations to create multiple accounts for different business units, and group them into organizational units (OUs) that reflect your organizational structure. By doing so, you can separate and track costs for each business unit using the account ID as a cost allocation tag. You can also use AWS Organizations to apply policies and controls to your accounts, such as service control policies (SCPs) and tag policies.
The other options are not suitable for meeting the requirements with the least operational
Question # 192
A company has all of its servers in the us-east-1 Region. The company is considering the deployment of additional servers in a different Region. Which AWS tool should the company use to find pricing information for other Regions?
A. Cost Explorer B. AWS Budgets C. AWS Purchase Order Management D. AWS Pricing Calculator
Answer: D
Explanation: AWS Pricing Calculator lets customers explore AWS services, and create an estimate for the cost of their use cases on AWS. AWS Pricing Calculator can also compare the costs of different AWS Regions and configurations. Cost Explorer is a tool that enables customers to visualize, understand, and manage their AWS costs and usage over time. AWS Budgets gives customers the ability to set custom budgets that alert them when their costs or usage exceed (or are forecasted to exceed) their budgeted amount. AWS Purchase Order Management is a feature that allows customers to pay for their AWS invoices using purchase orders.
Question # 193
A company wants its Amazon EC2 instances to share the same geographic area but use multiple independent underlying power sources. Which solution achieves this goal?
A. Use EC2 instances in a single Availability Zone. B. Use EC2 instances in multiple AWS Regions. C. Use EC2 instances in multiple Availability Zones in the same AWS Region. D. Use EC2 instances in the same edge location and the same AWS Region.
Answer: C
Explanation: The solution that achieves the goal of having Amazon EC2 instances share the same geographic area but use multiple independent underlying power sources is to use EC2 instances in multiple Availability Zones in the same AWS Region. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. An AWS Region is a geographical area that consists of two or more Availability Zones. By using multiple Availability Zones, users can increase the fault tolerance and resilience of their applications, as well as reduce latency for end users. Using EC2 instances in a single Availability Zone, multiple AWS Regions, or the same edge location and the same AWS Region would not meet the requirement of having multiple independent power sources.
Question # 194
A company needs to apply security rules to a subnet for Amazon EC2 instances. Which AWS service or feature provides this functionality?
A. Network ACLs B. Security groups C. AWS Certificate Manager (ACM) D. AWS Config
Answer: A
Explanation: Network ACLs (network access control lists) are an AWS service or feature that provides the functionality of applying security rules to a subnet for EC2 instances. A subnet is a logical partition of an IP network within a VPC (virtual private cloud). A VPC is a logically isolated section of the AWS Cloud where the company can launch AWS resources in a virtual network that they define. A network ACL is a virtual firewall that controls the inbound and outbound traffic for one or more subnets. The company can use network ACLs to allow or deny traffic based on protocol, port, or source and destination IP address. Network ACLs are stateless, meaning that they do not track the traffic that flows through them. Therefore, the company must create rules for both inbound and outbound traffic.
Question # 195
A company has migrated its workloads to AWS. The company wants to adopt AWS at scale and operate more efficiently and securely. Which AWS service or framework should the company use for operational support?
A. AWS Support B. AWS Cloud Adoption Framework (AWS CAF) C. AWS Managed Services (AMS) D. AWS Well-Architected Framework
Answer: D
Explanation: The AWS Well-Architected Framework is a set of best practices and guidelines for designing and operating workloads on AWS. It helps customers achieve operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. The framework is based on six pillars, each with its own design principles, best practices, and questions. Customers can use the framework to assess their current state, identify gaps, and implement improvements.
AWS Support is a service that provides technical assistance, guidance, and resources for AWS customers. It offers different plans with varying levels of access to AWS experts, response times, and features. AWS Support does not provide a comprehensive framework for operational support.
AWS Cloud Adoption Framework (AWS CAF) is a guidance tool that helps customers plan and execute their cloud migration journey. It provides a set of perspectives, capabilities, and best practices to align the business and technical aspects of cloud adoption. AWS CAF does not focus on operational support for existing workloads on AWS.
AWS Managed Services (AMS) is a service that operates AWS infrastructure on behalf of customers. It provides a secure and compliant environment, automates common activities, and applies best practices for provisioning, patching, backup, recovery, and monitoring. AMS does not provide a framework for customers to operate their own workloads on AWS.
Question # 196
Which AWS Support plan is the minimum recommended tier for users who have production workloads on AWS?
A. AWS Developer Support B. AWS Enterprise Support C. AWS Business Support D. AWS Enterprise On-Ramp Support
Answer: C
Explanation: AWS Business Support is the minimum recommended tier for users who have production workloads on AWS. AWS Business Support provides 24x7 access to cloud support engineers via phone, chat, or email, as well as a guaranteed response time of less than one hour for urgent issues. AWS Business Support also includes access to AWS Trusted Advisor, a tool that provides real-time guidance to help you provision your resources following AWS best practices.
Question # 197
A developer has been hired by a large company and needs AWS credentials. Which are security best practices that should be followed? (Select TWO.)
A. Grant the developer access to only the AWS resources needed to perform the job. B. Share the AWS account root user credentials with the developer. C. Add the developer to the administrator's group in AWS IAM. D. Configure a password policy that ensures the developer's password cannot be changed. E. Ensure the account password policy requires a minimum length.
Answer: A,E
Explanation: The security best practices that should be followed are A and E.
A. Grant the developer access to only the AWS resources needed to perform the job. This is an example of the principle of least privilege, which means giving the minimum permissions necessary to achieve a task. This reduces the risk of unauthorized access, data leakage, or accidental damage to AWS resources. You can use AWS Identity and Access Management (IAM) to create users, groups, roles, and policies that grant fine-grained access to AWS resources.
E. Ensure the account password policy requires a minimum length. This is a basic security measure that helps prevent brute-force attacks or guessing of passwords. A longer password is harder to crack than a shorter one. You can use IAM to configure a password policy that enforces a minimum password length, as well as other requirements such as complexity, expiration, and history.
B. Share the AWS account root user credentials with the developer. This is a bad practice that should be avoided. The root user has full access to all AWS resources and services, and can perform sensitive actions such as changing billing information, closing the account, or deleting all resources. Sharing the root user credentials exposes your account to potential compromise or misuse. You should never share your root user credentials with anyone, and use them only for account administration tasks.
C. Add the developer to the administrator’s group in IAM. This is also a bad practice that should be avoided. The administrator’s group has full access to all AWS resources and services, which is more than what a developer needs to perform their job. Adding the developer to the administrator’s group violates the principle of least privilege and increases the risk of unauthorized access, data leakage, or accidental damage to AWS resources. You should create a custom group for the developer that grants only the necessary permissions for their role.
D. Configure a password policy that ensures the developer’s password cannot be changed. This is another bad practice that should be avoided. Preventing the developer from changing their password reduces their ability to protect their credentials and comply with security policies. For example, if the developer’s password is compromised, they cannot change it to prevent further unauthorized access. Or if the company requires periodic password rotation, they cannot update their password to meet this requirement. You should allow the developer to change their password as needed, and enforce a password policy that sets reasonable rules for password management.
Question # 198
A company uses AWS for its web application. The company wants to minimize latency and perform compute operations for the application as close to end users as possible. Which AWS service or infrastructure component will provide this functionality?
A. AWS Regions B. Availability Zones C. Edge locations D. AWS Direct Connect
Answer: C Explanation: Edge locations are sites that Amazon CloudFront uses to cache copies of your content for faster delivery to users at any location. You can use Amazon CloudFront to deliver your entire website, including dynamic, static, streaming, and interactive content using a global network of edge locations. Requests for your content are automatically routed to the nearest edge location, so content is delivered with the best possible performance [3]. Edge locations can also host AWS Lambda functions to perform compute operations for your web application as close to end users as possible [4].
Question # 199
Which AWS services can be used to store files? (Select TWO.)
A. Amazon S3 B. AWS Lambda C. Amazon Elastic Block Store (Amazon EBS) D. Amazon SageMaker E. AWS Storage Gateway
Answer: A,C Explanation: Amazon S3 and Amazon EBS are two AWS services that can be used to store files. Amazon S3 is an object storage service that offers high scalability, durability, availability, and performance. Amazon EBS is a block storage service that provides persistent and low-latency storage volumes for Amazon EC2 instances. AWS Lambda, Amazon SageMaker, and AWS Storage Gateway are other AWS services that have different purposes, such as serverless computing, machine learning, and hybrid cloud storage.
Question # 200
A company wants to define a central data protection policy that works across AWS services for compute, storage, and database resources. Which AWS service will meet this requirement?
A. AWS Batch B. AWS Elastic Disaster Recovery C. AWS Backup D. Amazon FSx
Answer: C Explanation: The AWS service that will meet this requirement is C. AWS Backup.
AWS Backup is a service that allows you to define a central data protection policy that works across AWS services for compute, storage, and database resources. You can use AWS Backup to create backup plans that specify the frequency, retention, and lifecycle of your backups, and apply them to your AWS resources using tags or resource IDs. AWS Backup supports various AWS services, such as Amazon EC2, Amazon EBS, Amazon RDS, Amazon DynamoDB, Amazon EFS, Amazon FSx, and AWS Storage Gateway [1][2].
AWS Batch is a service that allows you to run batch computing workloads on AWS. AWS Batch does not provide a central data protection policy, but rather enables you to optimize the allocation and utilization of your compute resources [3].
AWS Elastic Disaster Recovery is a service that allows you to prepare for and recover from disasters using AWS. AWS Elastic Disaster Recovery does not provide a central data protection policy, but rather helps you minimize downtime and data loss by replicating your applications and data to AWS [4].
Amazon FSx is a service that provides fully managed file storage for Windows and Linux applications. Amazon FSx does not provide a central data protection policy, but rather offers features such as encryption, snapshots, backups, and replication to protect your file systems [5].
References:
1: AWS Backup – Centralized backup across AWS services
2: Data Protection Reference Architectures with AWS Backup
3: AWS Batch – Run Batch Computing Jobs on AWS
4: AWS Elastic Disaster Recovery – Prepare for and recover from disasters using AWS
5: Amazon FSx – Fully managed file storage for Windows and Linux applications
Question # 201
A company is migrating its data center to AWS. The company needs an AWS Support plan that provides chat access to a cloud support engineer 24 hours a day, 7 days a week. The company does not require access to infrastructure event management. What is the MOST cost-effective AWS Support plan that meets these requirements?
A. AWS Enterprise Support B. AWS Business Support C. AWS Developer Support D. AWS Basic Support
Answer: B Explanation: AWS Business Support is the most cost-effective AWS Support plan that provides chat access to a cloud support engineer 24/7. AWS Business Support also offers phone and email support, as well as a response time of less than one hour for urgent issues. AWS Business Support does not include access to infrastructure event management, which is a feature of AWS Enterprise Support. AWS Enterprise Support is more expensive and provides additional benefits, such as a technical account manager, a support concierge, and a response time of less than 15 minutes for critical issues. AWS Developer Support and AWS Basic Support do not provide chat access to a cloud support engineer. AWS Developer Support provides email support and a response time of less than 12 hours for general guidance issues. AWS Basic Support provides customer service and account support, as well as access to forums and documentation [1].
Question # 202
A company needs a history report about how its Amazon EC2 instances were modified last month. Which AWS service can be used to meet this requirement?
A. AWS Service Catalog B. AWS Config C. Amazon CloudWatch D. AWS Artifact
Answer: B Explanation: AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Config can also track changes to your EC2 instances over time and provide a history report of the modifications. AWS Service Catalog, Amazon CloudWatch, and AWS Artifact are not the best services to meet this requirement. AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS. Amazon CloudWatch is a service that monitors your AWS resources and applications and provides metrics, alarms, dashboards, and logs. AWS Artifact is a service that provides on-demand access to AWS security and compliance reports and online agreements.
Question # 203
Which option is a perspective that includes foundational capabilities of the AWS Cloud Adoption Framework (AWS CAF)?
A. Sustainability B. Security C. Performance efficiency D. Reliability
Answer: B Explanation: The AWS Cloud Adoption Framework (AWS CAF) helps organizations understand how cloud adoption transforms the way they work, and it provides structure to identify and address gaps in skills and processes. The AWS CAF organizes guidance into six areas of focus, called perspectives. Each perspective reflects a different stakeholder viewpoint with its own distinct responsibilities, skills, and attributes. The Security Perspective helps you structure the selection and implementation of security controls that meet your organization's needs [2].
Question # 204
Which actions are best practices for an AWS account root user? (Select TWO.)
A. Share root user credentials with team members. B. Create multiple root users for the account, separated by environment. C. Enable multi-factor authentication (MFA) on the root user. D. Create an IAM user with administrator privileges for daily administrative tasks, instead of using the root user. E. Use programmatic access instead of the root user and password.
Answer: C,D Explanation: The AWS account root user is the identity that has complete access to all AWS services and resources in the account. It is accessed by signing in with the email address and password that were used to create the account [1]. The root user should be protected and used only for a few account and service management tasks that require it [1]. Therefore, the following actions are best practices for an AWS account root user:
Enable multi-factor authentication (MFA) on the root user. MFA is a security feature that requires users to provide two or more pieces of information to authenticate themselves, such as a password and a code from a device. MFA adds an extra layer of protection for the root user credentials, which can access sensitive information and perform critical operations in the account [2].
Create an IAM user with administrator privileges for daily administrative tasks, instead of using the root user. IAM is a service that helps customers manage access to AWS resources for users and groups. Customers can create IAM users and assign them permissions to perform specific tasks on specific resources. Customers can also create IAM roles and policies to delegate access to other AWS services or external entities [3]. By creating an IAM user with administrator privileges, customers can avoid using the root user for everyday tasks and reduce the risk of accidental or malicious changes to the account [1].
Question # 205
A company encourages its teams to test failure scenarios regularly and to validate their understanding of the impact of potential failures. Which pillar of the AWS Well-Architected Framework does this philosophy represent?
A. Operational excellence B. Cost optimization C. Performance efficiency D. Security
Answer: A Explanation: This is the pillar of the AWS Well-Architected Framework that represents the philosophy of testing failure scenarios regularly and validating the understanding of the impact of potential failures. The operational excellence pillar covers the best practices for designing, running, monitoring, and improving systems in the AWS Cloud. Testing failure scenarios is one of the ways to improve the system's resilience, reliability, and recovery. You can learn more about the operational excellence pillar from this whitepaper or this digital course.
Question # 206
A company needs to engage third-party consultants to help maintain and support its AWS environment and the company's business needs. Which AWS service or resource will meet these requirements?
A. AWS Support B. AWS Organizations C. AWS Service Catalog D. AWS Partner Network (APN)
Answer: D Explanation: The AWS service or resource that will meet these requirements is D. AWS Partner Network (APN).
AWS Partner Network (APN) is a global community of consulting and technology partners that offer a wide range of services and solutions for AWS customers. APN partners can help customers design, architect, build, migrate, and manage their workloads and applications on AWS. APN partners have access to various resources, training, tools, and support to enhance their AWS expertise and deliver value to customers [1][2].
AWS Support is a service that provides technical assistance and guidance for AWS customers. AWS Support offers different plans with varying levels of response time, access channels, and features. AWS Support does not directly engage third-party consultants, but rather connects customers with AWS experts and resources [3].
AWS Organizations is a service that allows customers to manage multiple AWS accounts within a single organization. AWS Organizations enables customers to create groups of accounts, apply policies, automate account creation, and consolidate billing. AWS Organizations does not directly engage third-party consultants, but rather helps customers simplify and optimize their AWS account management [4].
AWS Service Catalog is a service that allows customers to create and manage catalogs of IT services that are approved for use on AWS. AWS Service Catalog enables customers to control the configuration, deployment, and governance of their IT services. AWS Service Catalog does not directly engage third-party consultants, but rather helps customers standardize and streamline their IT service delivery [5].
References:
1: AWS Partner Network (APN) - Amazon Web Services (AWS)
2: Find an APN Partner - Amazon Web Services (AWS)
3: AWS Support - Amazon Web Services
4: AWS Organizations - Amazon Web Services
5: AWS Service Catalog - Amazon Web Services
Question # 207
An ecommerce company wants to distribute traffic between the Amazon EC2 instances that host its website. Which AWS service or resource will meet these requirements?
A. Application Load Balancer B. AWS WAF C. AWS CloudHSM D. AWS Direct Connect
Answer: A Explanation: This is the AWS service or resource that will meet the requirements of distributing traffic between the Amazon EC2 instances that host the website. Application Load Balancer is a type of Elastic Load Balancing that distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers, IP addresses, and Lambda functions. Application Load Balancer operates at the application layer (layer 7) of the OSI model and supports advanced features such as path-based routing, host-based routing, health checks, and SSL termination. You can learn more about Application Load Balancer from [this webpage] or [this digital course].
Question # 208
Which AWS service or feature can a company use to apply security rules to specific Amazon EC2 instances?
A. Network ACLs B. Security groups C. AWS Trusted Advisor D. AWS WAF
Answer: B Explanation: Security groups are the AWS service or feature that can be used to apply security rules to specific Amazon EC2 instances. Security groups are virtual firewalls that control the inbound and outbound traffic for one or more instances. Customers can create security groups and add rules that reflect the role of the instance that is associated with the security group. For example, a web server instance needs security group rules that allow inbound HTTP and HTTPS access, while a database instance needs rules that allow access for the type of database [1][2]. Security groups are stateful, meaning that the responses to allowed inbound traffic are also allowed, regardless of the outbound rules [1]. Customers can assign multiple security groups to an instance, and the rules from each security group are effectively aggregated to create one set of rules [1].
Network ACLs are another AWS service or feature that can be used to control the traffic for a subnet. Network ACLs are stateless, meaning that they do not track the traffic that they allow. Therefore, customers must add rules for both inbound and outbound traffic [3]. Network ACLs are applied at the subnet level, not at the instance level.
AWS Trusted Advisor is an AWS service that provides best practice recommendations for security, performance, cost optimization, and fault tolerance. AWS Trusted Advisor does not apply security rules to specific Amazon EC2 instances, but it can help customers identify security gaps and improve their security posture [4].
AWS WAF is an AWS service that helps protect web applications from common web exploits, such as SQL injection, cross-site scripting, and bot attacks. AWS WAF does not apply security rules to specific Amazon EC2 instances, but it can be integrated with other AWS services, such as Amazon CloudFront, Amazon API Gateway, and Application Load Balancer.
Question # 210
A company’s IT team is managing MySQL database server clusters. The IT team has to patch the database and take backup snapshots of the data in the clusters. The company wants to move this workload to AWS so that these tasks will be completed automatically. What should the company do to meet these requirements?
A. Deploy MySQL database server clusters on Amazon EC2 instances. B. Use Amazon RDS with a MySQL database. C. Use an AWS CloudFormation template to deploy MySQL database servers on Amazon EC2 instances. D. Migrate all the MySQL database data to Amazon S3.
Answer: B Explanation: Amazon RDS is a service that makes it easy to set up, operate, and scale a relational database in the cloud. Amazon RDS supports MySQL as one of the database engines. By using Amazon RDS with a MySQL database, the company can offload the tasks of patching the database and taking backup snapshots to AWS. Amazon RDS automatically patches the database software and operating system of the database
Question # 211
A company uses AWS Organizations. The company wants to apply security best practices from the AWS Well-Architected Framework to all of its AWS accounts. Which AWS service will meet these requirements?
A. Amazon Macie B. Amazon Detective C. AWS Control Tower D. AWS Secrets Manager
Answer: C Explanation: AWS Control Tower is the easiest way to set up and govern a secure, multi-account AWS environment based on best practices established through AWS's experience working with thousands of enterprises as they move to the cloud. With AWS Control Tower, builders can provision new AWS accounts in a few clicks, while you have peace of mind knowing your accounts conform to your organization's policies. AWS Control Tower automates the setup of a baseline environment, or landing zone, that is a secure, well-architected multi-account AWS environment [1]. AWS Control Tower helps you apply security best practices from the AWS Well-Architected Framework to all of your AWS accounts [2].
Question # 212
A company needs to run some of its workloads on premises to comply with regulatory guidelines. The company wants to use the AWS Cloud to run workloads that are not required to be on premises. The company also wants to be able to use the same API calls for the on-premises workloads and the cloud workloads. Which AWS service or feature should the company use to meet these requirements?
A. Dedicated Hosts B. AWS Outposts C. Availability Zones D. AWS Wavelength
Answer: B Explanation: AWS Outposts is a fully managed service that extends AWS infrastructure, AWS services, APIs, and tools to virtually any datacenter, co-location space, or on-premises facility for a truly consistent hybrid experience [1]. AWS Outposts enables customers to run workloads on premises using the same AWS APIs, tools, and services that they use in the cloud [2]. Dedicated Hosts are physical servers with EC2 instance capacity fully dedicated to a customer's use [3]. Availability Zones are one or more discrete data centers, each with redundant power, networking, and connectivity, housed in separate facilities within an AWS Region [4]. AWS Wavelength is an AWS Infrastructure offering optimized for mobile edge computing applications.
Question # 213
A company is assessing its AWS Business Support plan to determine if the plan still meets the company's needs. The company is considering switching to AWS Enterprise Support. Which additional benefit will the company receive with AWS Enterprise Support?
A. A full set of AWS Trusted Advisor checks B. Phone, email, and chat access to cloud support engineers 24 hours a day, 7 days a week C. A designated technical account manager (TAM) to assist in monitoring and optimization D. A consultative review and architecture guidance for the company's applications
Answer: C Explanation: AWS Enterprise Support provides customers with a designated technical account manager (TAM) who is a single point of contact for all technical and operational issues. The TAM provides consultative architectural and operational guidance delivered in the context of the customer's applications and use-cases to help them achieve the greatest value from AWS. The TAM also helps customers with proactive services, such as strategic business reviews, security improvement programs, guided Well-Architected reviews, cost optimization workshops, and more [1].
A full set of AWS Trusted Advisor checks is not an additional benefit of AWS Enterprise Support, as it is also included in the AWS Business Support plan [2]. AWS Trusted Advisor is a tool that provides best practice recommendations for cost optimization, performance, security, fault tolerance, and service limits.
Phone, email, and chat access to cloud support engineers 24 hours a day, 7 days a week is not an additional benefit of AWS Enterprise Support, as it is also included in the AWS Business Support plan [2]. Cloud support engineers can help customers with technical issues, such as troubleshooting, configuration, usage, and service features.
A consultative review and architecture guidance for the company's applications is not an additional benefit of AWS Enterprise Support, as it is also included in the AWS Business Support plan [2]. Customers can request a consultative review from a solutions architect who will provide best practices and recommendations based on the customer's use-cases and goals.
Question # 214
Which AWS service provides threat detection by monitoring for malicious activities and unauthorized actions to protect AWS accounts, workloads, and data that is stored in Amazon S3?
A. AWS Shield B. AWS Firewall Manager C. Amazon GuardDuty D. Amazon Inspector
Answer: C Explanation: Amazon GuardDuty is a service that provides intelligent threat detection and continuous monitoring for your AWS accounts, workloads, and data. Amazon GuardDuty analyzes and processes data sources, such as VPC Flow Logs, AWS CloudTrail event logs, and DNS logs, to identify malicious activities and unauthorized actions, such as reconnaissance, instance compromise, account compromise, and data exfiltration. Amazon
Question # 215
A company wants to migrate a database from an on-premises environment to Amazon RDS. After the migration is complete, which management task will the company still be responsible for?
A. Hardware lifecycle management B. Application optimization C. Server maintenance D. Power, network, and cooling provisioning
Answer: B Explanation: Amazon RDS is a managed database service that handles most of the common database administration tasks, such as hardware provisioning, server maintenance, backup and recovery, patching, scaling, and replication. However, Amazon RDS does not optimize the application that interacts with the database. The company is still responsible for tuning the performance, security, and availability of the application according to its business requirements and best practices [1][2].
References:
What is Amazon Relational Database Service (Amazon RDS)?
Perform common DBA tasks for Amazon RDS DB instances
Question # 216
A developer who has no AWS Cloud experience wants to use AWS technology to build a web application. Which AWS service should the developer use to start building the application?
A. Amazon SageMaker B. AWS Lambda C. Amazon Lightsail D. Amazon Elastic Container Service (Amazon ECS)
Answer: C Explanation: Amazon Lightsail is an easy-to-use cloud platform that offers everything you need to build an application or website, plus a cost-effective, monthly plan [1]. It is designed for developers who have little or no prior cloud experience and want to launch and manage applications on AWS with minimal complexity [2]. Amazon SageMaker is a service for building, training, and deploying machine learning models [3]. AWS Lambda is a service that lets you run code without provisioning or managing servers [4]. Amazon Elastic Container Service (Amazon ECS) is a fully managed container orchestration service.
Question # 217
A company wants to set AWS spending targets and track costs against those targets. Which AWS tool or feature should the company use to meet these requirements?
A. AWS Cost Explorer B. AWS Budgets C. AWS Cost and Usage Report D. Savings Plans
Answer: B Explanation: AWS Budgets is a tool that allows users to set AWS spending targets and track costs against those targets. Users can create budgets for various dimensions, such as service, linked account, tag, and more. Users can also receive alerts when the actual or forecasted costs exceed or are projected to exceed the budgeted amount. AWS Cost Explorer, AWS Cost and Usage Report, and Savings Plans are other AWS tools or features that can help users manage and optimize their AWS costs, but they do not enable users to set and track spending targets.
Question # 218
A company needs to use a serverless interactive query service to analyze data in Amazon S3. The query service must support standard SQL. Which AWS service will meet these requirements?
A. Amazon Redshift B. AWS Glue C. Amazon Athena D. Amazon Kinesis Data Streams
Answer: C Explanation: Amazon Athena is a serverless interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is ideal for quick, ad-hoc querying but it can also handle complex analysis, including large joins, window functions, and arrays. Athena scales automatically—executing queries in parallel—so results are fast, even with large datasets and complex queries. Amazon Redshift is a fully managed, petabyte-scale data warehouse service that can run complex analytic queries against structured and semi-structured data using standard SQL. However, it is not a serverless service and requires provisioning and managing clusters of nodes. AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare and load your data for analytics. However, it is not a query service and does not support standard SQL. Amazon Kinesis Data Streams is a service that enables you to build custom applications that process or analyze streaming data for specialized needs. However, it is not a query service and does not support standard SQL.
Question # 219
A company wants to minimize network latency between its Amazon EC2 instances. The EC2 instances do not need to be highly available. Which solution meets these requirements?
A. Use EC2 instances in a single Availability Zone. B. Use Amazon CloudFront as the database for the EC2 instances. C. Use EC2 instances in the same edge location and the same Availability Zone. D. Use EC2 instances in the same edge location and the same AWS Region.
Answer: A Explanation: Using EC2 instances in a single Availability Zone is a solution that meets the requirements of minimizing network latency between the EC2 instances and not needing high availability. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. EC2 instances within the same Availability Zone can communicate with each other using low-latency private IP addresses. However, EC2 instances in a single Availability Zone are not highly available, because they are vulnerable to failures or disruptions that affect the Availability Zone
Question # 220
Which AWS service provides a single location to track the progress of application migrations?
A. AWS Application Discovery Service B. AWS Application Migration Service C. AWS Service Catalog D. AWS Migration Hub
Answer: D Explanation: AWS Migration Hub is a service that provides a single location to track the progress of application migrations across multiple AWS and partner solutions. It allows you to choose the AWS and partner migration tools that best fit your needs, while providing visibility into the status of migrations across your portfolio of applications [1]. AWS Migration Hub supports migration status updates from the following tools: AWS Application Migration Service, AWS Database Migration Service, CloudEndure Migration, Server Migration Service, and Migrate for Compute Engine [1].
The other options are not correct for the following reasons:
AWS Application Discovery Service is a service that helps you plan your migration projects by automatically identifying servers, applications, and dependencies in your on-premises data centers [2]. It does not track the progress of application migrations, but rather provides information to help you plan and scope your migrations.
AWS Application Migration Service is a service that helps you migrate and modernize applications from any source infrastructure to AWS with minimal downtime and disruption [3]. It is one of the migration tools that can send status updates to AWS Migration Hub, but it is not the service that provides a single location to track the progress of application migrations.
AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS [4]. It does not track the progress of application migrations, but rather helps you manage the provisioning and governance of your IT services.
References:
1: What Is AWS Migration Hub? - AWS Migration Hub
2: What Is AWS Application Discovery Service? - AWS Application Discovery Service
3: App Migration Tool - AWS Application Migration Service - AWS
4: What Is AWS Service Catalog? - AWS Service Catalog
Question # 221
Which task must a user perform by using the AWS account root user credentials?
A. Make changes to AWS production resources. B. Change AWS Support plans. C. Access AWS Cost and Usage Reports. D. Grant auditors’ access to an AWS account for a compliance audit.
Answer: B Explanation: The AWS account root user is the email address that you used to sign up for AWS. The root user has complete access to all AWS services and resources in the account. You should use the root user only to perform a few account and service management tasks. One of these tasks is changing AWS Support plans, which requires root user credentials. For other tasks, you should create an IAM user or role with the appropriate permissions and use that instead of the root user.
Question # 222
A company wants to create a set of custom dashboards to collect metrics to monitor its applications. Which AWS service will meet these requirements?
A. Amazon CloudWatch B. AWS X-Ray C. AWS Systems Manager D. AWS CloudTrail
Answer: A Explanation: Amazon CloudWatch is a service that provides monitoring and observability for AWS resources and applications. Users can create custom dashboards to collect and visualize metrics, logs, alarms, and events from different sources [5]. AWS X-Ray is a service that provides distributed tracing and analysis for applications. AWS Systems Manager is a service that provides operational management for AWS resources and applications. AWS CloudTrail is a service that provides governance, compliance, and auditing for AWS account activity.
Question # 223
A company wants an automated process to continuously scan its Amazon EC2 instances for software vulnerabilities. Which AWS service will meet these requirements?
A. Amazon GuardDuty B. Amazon Inspector C. Amazon Detective D. Amazon Cognito
Answer: B Explanation: Amazon Inspector is the AWS service that can be used to perform vulnerability scans on AWS EC2 instances for software vulnerabilities automatically in a periodic fashion. Amazon Inspector automatically discovers EC2 instances and scans them for software vulnerabilities and unintended network exposure. Amazon Inspector uses AWS Systems Manager (SSM) and the SSM Agent to collect information about the software application inventory of the EC2 instances. This data is then scanned by Amazon Inspector for software vulnerabilities [1][2]. Amazon Inspector also integrates with other AWS services, such as Amazon EventBridge and AWS Security Hub, to automate discovery, expedite vulnerability routing, and shorten mean time to remediate (MTTR) vulnerabilities [2].
Question # 224
Which tasks are the responsibility of the customer, according to the AWS shared responsibility model? (Select TWO.)
A. Patch the Amazon RDS operating system. B. Upgrade the firmware of the network infrastructure. C. Manage data encryption. D. Maintain physical access control in an AWS Region. E. Grant least privilege access to IAM users.
Answer: C,E Explanation: According to the AWS shared responsibility model, the customer is responsible for security in the cloud, which includes the tasks of managing data encryption and granting least privilege access to IAM users.
Data encryption is the process of transforming data into an unreadable format that can only be accessed with a key or a password. The customer must decide whether to encrypt their data at rest (when it is stored on AWS) or in transit (when it is moving between AWS and the customer or between AWS services). The customer must also choose the encryption method, algorithm, and key management solution that best suit their needs. AWS provides various services and features that support data encryption, such as AWS Key Management Service (AWS KMS), AWS Certificate Manager (ACM), and AWS Encryption SDK [5].
IAM users are entities that represent the people or applications that interact with AWS resources and services. The customer must grant the IAM users the minimum permissions that they need to perform their tasks, and avoid giving them unnecessary or excessive access. This is known as the principle of least privilege, and it helps reduce the risk of unauthorized or malicious actions. The customer can use IAM policies, roles, groups, and permissions boundaries to manage the access of IAM users.
Question # 225
Which options are AWS Cloud Adoption Framework (AWS CAF) people perspective capabilities? (Select TWO.)
A. Organizational alignment B. Portfolio management C. Organization design D. Risk management E. Modern application development
Answer: A,C Explanation: The AWS Cloud Adoption Framework (AWS CAF) people perspective capabilities are the organizational skills and processes that enable effective cloud adoption. According to the AWS CAF people perspective whitepaper [1], there are seven capabilities in this perspective, two of which are:
Organizational alignment: This capability helps you align your organizational structure, roles, and responsibilities to support your cloud transformation goals and objectives. It involves assessing your current and desired state of alignment, identifying gaps and misalignments, and designing and implementing changes to optimize your cloud performance [1].
Organization design: This capability helps you design and evolve your organization to enable agility, innovation, and collaboration in the cloud. It involves defining your cloud operating model, identifying the skills and competencies needed for cloud roles, and creating career paths and development plans for your cloud workforce [1].
The other options are not capabilities in the AWS CAF people perspective. Portfolio management, risk management, and modern application development are capabilities in the AWS CAF business perspective, governance perspective, and platform perspective respectively [2].
References:
1: AWS Cloud Adoption Framework: People Perspective - AWS Cloud Adoption Framework: People Perspective
2: AWS Cloud Adoption Framework - AWS Cloud Adoption Framework
Question # 226
A company wants to design a reliable web application that is hosted on Amazon EC2. Which approach will achieve this goal?
A. Launch large EC2 instances in the same Availability Zone. B. Spread EC2 instances across more than one security group. C. Spread EC2 instances across more than one Availability Zone. D. Use an Amazon Machine Image (AMI) from AWS Marketplace.
Answer: C Explanation: The approach that will achieve the goal of designing a reliable web application that is hosted on Amazon EC2 is to spread EC2 instances across more than one Availability Zone. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. By spreading EC2 instances across multiple Availability Zones, users can increase the fault tolerance and availability of their web applications, as well as reduce latency for end users [2]. Launching large EC2 instances in the same Availability Zone, spreading EC2 instances across more than one security group, or using an Amazon Machine Image (AMI) from AWS Marketplace are not sufficient to ensure reliability, as they do not provide redundancy or resilience in case of an outage in one Availability Zone.
Question # 227
Which options are AWS Cloud Adoption Framework (AWS CAF) cloud transformation journey recommendations? (Select TWO.)
A. Envision phase B. Align phase C. Assess phase D. Mobilize phase E. Migrate and modernize phase
Answer: A,B Explanation: The AWS Cloud Adoption Framework (AWS CAF) cloud transformation journey is a four-phase process that helps customers plan and execute their cloud migration and digital transformation. The four phases are:
Envision phase: This phase focuses on demonstrating how cloud will help accelerate the business outcomes of the customer. It involves identifying and prioritizing transformation opportunities across four domains: business, people, governance, and platform. It also involves associating the transformation initiatives with key stakeholders and measurable business outcomes [1].
Align phase: This phase focuses on identifying capability gaps across six perspectives: business, people, governance, platform, security, and operations. It also involves identifying cross-organizational dependencies and surfacing stakeholder concerns and challenges. The goal of this phase is to create strategies for improving the cloud readiness, ensure stakeholder alignment, and facilitate relevant organizational change management activities [1].
Launch phase: This phase focuses on delivering pilot initiatives in production and demonstrating incremental business value. Pilots should be highly impactful and influence future direction. The customer should learn from the pilots and adjust their approach before scaling to full production [1].
Scale phase: This phase focuses on expanding production pilots and business value to the desired scale and ensuring that the business benefits associated with the cloud investments are realized and sustained [1].
Question # 228
A company is building a mobile app to provide shopping recommendations to its customers. The company wants to use a graph database as part of the shopping recommendation engine. Which AWS database service should the company choose?
A. Amazon DynamoDB B. Amazon Aurora C. Amazon Neptune D. Amazon DocumentDB (with MongoDB compatibility)
Answer: C Explanation: Amazon Neptune is a service that provides a fully managed graph database that supports property graphs and RDF graphs. It can be used to build applications that work with highly connected datasets, such as shopping recommendations, social networks, fraud detection, and knowledge graphs [2]. Amazon DynamoDB is a service that provides a fully managed NoSQL database that delivers fast and consistent performance at any scale. Amazon Aurora is a service that provides a fully managed relational database that is compatible with MySQL and PostgreSQL. Amazon DocumentDB (with MongoDB compatibility) is a service that provides a fully managed document database that is compatible with MongoDB.
Question # 229
Which tasks are customer responsibilities, according to the AWS shared responsibility model? (Select TWO.)
A. Configure the AWS provided security group firewall. B. Classify company assets in the AWS Cloud. C. Determine which Availability Zones to use for Amazon S3 buckets. D. Patch or upgrade Amazon DynamoDB. E. Select Amazon EC2 instances to run AWS Lambda on. F. AWS Config
Answer: A,B Explanation: According to the AWS shared responsibility model, the customer is responsible for security in the cloud, which includes the tasks of configuring the AWS provided security group firewall and classifying company assets in the AWS Cloud.
A security group is a virtual firewall that controls the inbound and outbound traffic for one or more EC2 instances. The customer must configure the security group rules to allow or deny traffic based on protocol, port, or source and destination IP address [2].
Classifying company assets in the AWS Cloud means identifying the types, categories, and sensitivity levels of the data and resources that the customer stores and processes on AWS. The customer must also determine the applicable compliance requirements and regulations that apply to their assets, and implement the appropriate security controls and measures to protect them.
Question # 230
Which of the following is a benefit of using an AWS managed service?
A. Reduced operational overhead for a company's IT staff B. Increased fixed costs that can be predicted by a finance team C. Removal of the need to have a backup strategy D. Removal of the need to follow compliance standards
Answer: A Explanation: This is a benefit of using an AWS managed service, such as Amazon S3, Amazon DynamoDB, or AWS Lambda. AWS managed services are fully managed by AWS, which means that AWS handles the provisioning, scaling, patching, backup, and recovery of the underlying infrastructure and software. This reduces the operational overhead for the company’s IT staff, who can focus on their core business logic and innovation. You can learn more about the AWS managed services from this webpage or this digital course.
Question # 231
A company wants to make an upfront commitment for continued use of its production Amazon EC2 instances in exchange for a reduced overall cost. Which pricing options meet these requirements with the LOWEST cost? (Select TWO.)
A. Spot Instances B. On-Demand Instances C. Reserved Instances D. Savings Plans E. Dedicated Hosts
Answer: C,D Explanation: Reserved Instances (RIs) are a pricing model that allows you to reserve EC2 instances for a specified period of time (one or three years) and receive a significant discount compared to On-Demand pricing. RIs are suitable for workloads that have predictable usage patterns and require a long-term commitment. You can choose between three payment options: All Upfront, Partial Upfront, or No Upfront. The more you pay upfront, the greater the discount [1].
Savings Plans are a flexible pricing model that can help you reduce your EC2 costs by up to 72% compared to On-Demand pricing, in exchange for a commitment to a consistent amount of usage (measured in $/hour) for a one or three year term. Savings Plans apply to usage across EC2, AWS Lambda, and AWS Fargate. You can choose between two types of Savings Plans: Compute Savings Plans and EC2 Instance Savings Plans. Compute Savings Plans offer the most flexibility and apply to any instance family, size, OS, tenancy, or region. EC2 Instance Savings Plans offer the highest discount and apply to a specific instance family within a region [2].
Spot Instances are a pricing model that allows you to bid for unused EC2 capacity in the AWS cloud and are available at a discount of up to 90% compared to On-Demand pricing. Spot Instances are suitable for fault-tolerant or stateless workloads that can run on heterogeneous hardware and have flexible start and end times. However, Spot Instances are not guaranteed and can be interrupted by AWS at any time if the demand for capacity increases or your bid price is lower than the current Spot price [3].
On-Demand Instances are a pricing model that allows you to pay for compute capacity by the hour or second with no long-term commitments. On-Demand Instances are suitable for short-term, spiky, or unpredictable workloads that cannot be interrupted, or for applications that are being developed or tested on EC2 for the first time. However, On-Demand Instances are the most expensive option among the four pricing models [4].
Dedicated Hosts are physical EC2 servers fully dedicated for your use. Dedicated Hosts can help you reduce costs by allowing you to use your existing server-bound software licenses, such as Windows Server, SQL Server, and SUSE Linux Enterprise Server. Dedicated Hosts can be purchased On-Demand or as part of Savings Plans. Dedicated Hosts are suitable for workloads that need to run on dedicated physical servers or have strict licensing requirements. However, Dedicated Hosts are not the lowest cost option among the four pricing models.
Question # 232
Which benefit does AWS offer exclusively to users who have an AWS Enterprise Support plan?
A. Access to a technical project manager B. Access to a technical account manager (TAM) C. Access to a cloud support engineer D. Access to a solutions architect
Answer: B Explanation: AWS Enterprise Support plan is the highest level of support that AWS offers to its customers. One of the exclusive benefits of this plan is the access to a technical account manager (TAM), who is a dedicated point of contact for guidance, advocacy, and support [2]. A technical project manager, a cloud support engineer, and a solutions architect are not exclusive benefits of the AWS Enterprise Support plan, as they are also available to customers with lower-tier support plans or through other AWS services or programs [3][4][5].
Question # 233
A company wants to receive alerts to monitor its overall operating costs for its AWS public cloud infrastructure. Which AWS offering will meet these requirements?
A. Amazon EventBridge B. Compute Savings Plans C. AWS Budgets D. Migration Evaluator
Answer: C Explanation: AWS Budgets is a service that enables you to plan your service usage, service costs, and instance reservations. You can use AWS Budgets to create custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount. You can also use AWS Budgets to monitor how close your usage and costs are to meeting your reservation purchases [1].
Question # 234
Which AWS service or feature offers security for a VPC by acting as a firewall to control traffic in and out of subnets?
A. AWS Security Hub B. Security groups C. Network ACL D. AWS WAF
Answer: C Explanation: A network access control list (network ACL) is a feature that acts as a firewall for controlling traffic in and out of one or more subnets in a virtual private cloud (VPC). AWS Security Hub is a service that provides a comprehensive view of the security posture of AWS accounts and resources. Security groups are features that act as firewalls for controlling traffic at the instance level. AWS WAF is a web application firewall that helps protect web applications from common web exploits.
Question # 235
A company needs to identify who accessed an AWS service and what action was performed for a given time period. Which AWS service should the company use to meet this requirement?
A. Amazon CloudWatch B. AWS CloudTrail C. AWS Security Hub D. Amazon Inspector
Answer: B Explanation: AWS CloudTrail is a service that enables governance, compliance, operational auditing, and risk auditing of your AWS account. With CloudTrail, you can log, continuously monitor, and retain account activity related to actions across your AWS infrastructure. You can use CloudTrail to identify who accessed an AWS service and what action was performed for a given time period. Amazon CloudWatch, AWS Security Hub, and Amazon Inspector are AWS services that provide different types of monitoring and security capabilities.
Question # 236
A company runs business applications in an on-premises data center and in the AWS Cloud. The company needs a shared file system that can be available to both environments. Which AWS service meets these requirements?
A. Amazon Elastic Block Store (Amazon EBS) B. Amazon S3 C. Amazon ElastiCache D. Amazon Elastic File System (Amazon EFS)
Answer: D Explanation: Amazon Elastic File System (Amazon EFS) is a service that provides a simple, scalable, fully managed elastic NFS file system for use with AWS Cloud services and on-premises resources. It is built to scale on demand to petabytes without disrupting applications, growing and shrinking automatically as you add and remove files, eliminating the need to provision and manage capacity to accommodate growth. You can use Amazon EFS to create a shared file system that can be available to both your on-premises data center and your AWS Cloud environment.
Amazon Elastic Block Store (Amazon EBS) is a service that provides persistent block storage volumes for use with Amazon EC2 instances in the AWS Cloud. Each Amazon EBS volume is automatically replicated within its Availability Zone to protect you from component failure, offering high availability and durability. However, Amazon EBS volumes are not shared file systems, and they cannot be available to both your on-premises data center and your AWS Cloud environment.
Amazon S3 is a service that provides object storage through a web services interface. You can use Amazon S3 to store and protect any amount of data for a range of use cases, such as data lakes, websites, mobile applications, backup and restore, archive, enterprise applications, IoT devices, and big data analytics. However, Amazon S3 is not a shared file system, and it cannot be available to both your on-premises data center and your AWS Cloud environment without additional configuration.
Amazon ElastiCache is a service that enables you to seamlessly set up, run, and scale popular open-source compatible in-memory data stores in the cloud. You can use Amazon ElastiCache to improve the performance of your applications by allowing you to retrieve information from fast, managed, in-memory data stores, instead of relying entirely on slower disk-based databases. However, Amazon ElastiCache is not a shared file system, and it cannot be available to both your on-premises data center and your AWS Cloud environment.
Guiding You Through Your AWS Certified Cloud Practitioner Journey
AWS Certified Cloud Practitioner (CLF-C02) is the entry point to the world of AWS. For entering and coming out unscathed, foolproof training is necessary.
Salesforcexamdumps has a solution: the CLF-C02 practice test. This realistic simulation of CLF-C02 questions and answers ensures a successful attempt every time. But before that, let us find out what the exam has in store for us.
What is the CLF-C02 Exam?
The CLF-C02 exam is the gateway to becoming AWS Certified. It is a 90-minute exam comprising approximately 65 CLF-C02 real exam questions.
AWS Certified Cloud Practitioner questions take various formats, including multiple-choice and multiple-response. The minimum passing score is 700 out of 1000.
What Does the AWS CCP Exam Cover?
The exam has four domains, each addressing distinct aspects of AWS:
1. Cloud Concepts: 26%
2. Security and Compliance: 25%
3. Technology: 33%
4. Billing and Pricing: 16%
The AWS CLF-C02 Exam Study Guide provides a comprehensive breakdown of what to expect in the exam. You can get quality CLF-C02 dumps at a feasible price from Salesforcexamdumps.
What is in CLF-C02 for my Career?
The CLF-C02 exam is a gateway for AWS Cloud professionals. It is a starting point leading to other AWS certifications. It helps you become cloud-literate, enabling you to work confidently with AWS services and tools.
CLF-C02 Dumps - Your Trusted Companion For Successful Exam Prep
You can trust CLF-C02 braindumps at Salesforcexamdumps to relay a complete review of each exam topic along with detailed explanations. Plus, our reliable staff regularly updates CLF-C02 question answers to keep pace with what is latest in the exam. Here are some FAQs to help you understand how the CLF-C02 dumps can enhance your AWS CCP exam preparation:
Q1: Why use the CLF-C02 Practice Test?
Think of it as a rehearsal before the actual big event. One cannot ignore the prowess of a CLF-C02 real exam question simulation. It allows you to get comfortable with the actual exam.
Q2: How do CLF-C02 Braindumps help?
At the end of every practice, you receive feedback detailing your mistakes as well as your strong points. This insight is invaluable in understanding where to focus. Detailed explanations help you understand underlying concepts.
Q3: Are CLF-C02 Practice Tests Affordable?
Yes, we have made sure everybody can access the CLF-C02 braindumps. For a reasonable amount, we offer absolutely free access to the first three months of updates and demos.
Q4: Is Real-World Experience Important?
Absolutely! There is no denying that the CLF-C02 dumps will get you through all CLF-C02 real exam questions. Yet combining them with hands-on experience is your best bet in achieving AWS certification.
Q5: How To Access CLF-C02 Question Answers?
Ready to try out our practice test? Click the "Start" button and begin your journey in the AWS Certified Cloud Practitioner direction.
If you have more questions or need further assistance, feel free to contact us at [email protected].
Good luck with your CLF-C02 exam preparation!