Which AWS services or features give users the ability to create a network connection between two VPCs? (Select TWO.)
A. VPC endpoints B. Amazon Route 53 C. VPC peering D. AWS Direct Connect E. AWS Transit Gateway
Answer: C,E Explanation: VPC peering and AWS Transit Gateway are the two AWS features that create a network connection between two VPCs. VPC peering is a networking connection between two VPCs that lets you route traffic between them privately. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. Traffic between peered VPCs never traverses the public internet. VPC peering does not support transitive peering relationships: if VPC A is peered with VPC B, and VPC B is peered with VPC C, then VPC A and VPC C are not automatically peered, and AWS will not forward traffic from A to C through B even if routes pointing that way are added. AWS Transit Gateway is a networking service that acts as a regional router for your VPCs and on-premises networks. You can attach up to 5,000 VPCs and VPN connections to a single transit gateway and route traffic between them. AWS Transit Gateway simplifies the management and scalability of your network architecture, as you only need to create and manage a single connection from the central transit gateway to each connected network. AWS Transit Gateway supports transitive routing, which means that any network attached to the transit gateway can communicate with any other network attached to the same transit gateway, subject to the transit gateway route tables you configure. The other options do not connect two VPCs: VPC endpoints give a VPC private access to AWS services, Amazon Route 53 is DNS, and AWS Direct Connect links an on-premises network to AWS. References: VPC peering - Amazon Virtual Private Cloud; Connect VPCs using VPC peering - Amazon Virtual Private Cloud; Amazon VPC-to-Amazon VPC connectivity options - Amazon Virtual Private Cloud; AWS Transit Gateway - Amazon Web Services; Connect VPCs using AWS Transit Gateway - Amazon Virtual Private Cloud; AWS Transit Gateway: Simplify Your Network Architecture
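The non-transitive rule above is easy to get wrong on paper, so here is a small reachability model that contrasts peering with a transit gateway. This is an added example, not code from the page or from AWS; the VPC names, the peering topology and the transit gateway route tables are constructed for illustration.

```python
"""Reachability under VPC peering (non-transitive) versus a transit gateway
(transitive, but governed by the transit gateway route tables).

Added example; not code from the page or from AWS. VPC names, the peering
topology and the transit gateway route tables below are constructed.
"""
from __future__ import annotations

from collections import deque

# Constructed topology: A-B and B-C are peered, A-C is not.
PEERINGS = {("vpc-a", "vpc-b"), ("vpc-b", "vpc-c")}


def peering_reachable(src: str, dst: str, peerings: set[tuple[str, str]]) -> bool:
    """A peering connection carries traffic only between its two endpoints.
    AWS does not forward packets from one peering connection into another,
    so reachability is exactly "is there a direct peering", regardless of
    what the route tables say."""
    return (src, dst) in peerings or (dst, src) in peerings


def peering_graph_path(src: str, dst: str, peerings: set[tuple[str, str]]) -> bool:
    """What a naive graph search would claim. The gap between this and
    peering_reachable() is the non-transitivity the page describes."""
    adj: dict[str, set[str]] = {}
    for a, b in peerings:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False


# Transit gateway model: each VPC attachment is associated with one TGW route
# table, and a route table lists the attachments it can forward to.
# Default layout: one route table, every attachment propagated into it, so
# every VPC can reach every other VPC.
DEFAULT_ASSOCIATION = {"vpc-a": "rt-main", "vpc-b": "rt-main", "vpc-c": "rt-main"}
DEFAULT_ROUTES = {"rt-main": {"vpc-a", "vpc-b", "vpc-c"}}

# Hub-and-spoke layout: vpc-b is a shared-services hub that both spokes can
# reach, while the spokes vpc-a and vpc-c cannot reach each other.
SEGMENTED_ASSOCIATION = {"vpc-a": "rt-spokes", "vpc-c": "rt-spokes", "vpc-b": "rt-shared"}
SEGMENTED_ROUTES = {"rt-spokes": {"vpc-b"}, "rt-shared": {"vpc-a", "vpc-c"}}


def tgw_reachable(src: str, dst: str, association: dict[str, str],
                  routes: dict[str, set[str]]) -> bool:
    """Traffic from src enters the transit gateway and is looked up in the
    route table associated with src's attachment; it is forwarded when that
    table holds a route to dst. No direct src-dst link is needed (transitive
    routing), but the route table still decides who can talk to whom."""
    if src not in association or dst not in association or src == dst:
        return False
    return dst in routes[association[src]]
```

The practical check this encodes: with peering, a VPC can only ever reach its direct peers; with a transit gateway, reachability is whatever the associated route table allows, so segmentation has to be done in the transit gateway route tables rather than assumed from the topology.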
Question # 52
According to security best practices, how should an Amazon EC2 instance be given access to an Amazon S3 bucket?
A. Hard code an IAM user's secret key and access key directly in the application, andupload the file. B. Store the IAM user's secret key and access key in a text file on the EC2 instance, readthe keys, then upload the file. C. Have the EC2 instance assume a role to obtain the privileges to upload the file. D. Modify the S3 bucket policy so that any service can upload to it at any time.
Answer: C Explanation: According to security best practices, the best way to give an Amazon EC2 instance access to an Amazon S3 bucket is to have the EC2 instance assume a role to obtain the privileges to upload the file. A role is an AWS Identity and Access Management (IAM) entity that defines a set of permissions for making AWS service requests. You can use roles to delegate access to users, applications, or services that don't normally have access to your AWS resources. For example, you can create a role that allows EC2 instances to access S3 buckets, and then attach the role to the EC2 instance. This way, the EC2 instance can assume the role and obtain temporary security credentials to access the S3 bucket. On the instance, the SDK obtains those temporary credentials from the instance metadata service; requiring IMDSv2 on the instance limits the risk of the credentials being read through an application-layer SSRF flaw. This method is more secure and scalable than storing or hardcoding IAM user credentials on the EC2 instance, as it avoids the risk of exposing or compromising the credentials. It also allows you to manage the permissions centrally and dynamically, and to audit the access using AWS CloudTrail. For more information on how to create and use roles for EC2 instances, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances. The other options are not recommended for security reasons. Hardcoding or storing IAM user credentials on the EC2 instance is a bad practice, as it exposes the credentials to potential attackers or unauthorized users who can access the instance or the application code. It also makes it difficult to rotate or revoke the credentials, and to track the usage of the credentials. Modifying the S3 bucket policy to allow any service to upload to it at any time is also a bad practice, as it opens the bucket to potential data breaches, data loss, or data corruption. It also violates the principle of least privilege, which states that you should grant only the minimum permissions necessary for a task. References: Using an IAM role to grant permissions to applications running on Amazon EC2 instances
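To make the recommended option concrete next to the rejected ones, the following added example (not code from the page or from AWS) writes out the instance role's trust and permissions policies, a least-privilege lint that flags the open bucket policy of option D, and a scanner that catches the long-term keys of options A and B. The bucket name, the role policies and the sample config file are constructed; the key pair in the sample is the placeholder pair used throughout AWS documentation.

```python
"""EC2-to-S3 access the recommended way (an instance role), beside the
checks that catch the rejected options (hard-coded keys, open bucket).

Added example; not code from the page or from AWS. The bucket name, role
policies and the sample config file are constructed for illustration.
"""
from __future__ import annotations

import re

BUCKET = "example-uploads-bucket"  # constructed bucket name

# Trust policy for the instance role: only the EC2 service may assume it.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Permissions policy attached to the role: the task is "upload a file", so
# grant only PutObject, and only on this bucket's objects.
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject"],
        "Resource": f"arn:aws:s3:::{BUCKET}/*",
    }],
}

# Option D from the question: a bucket policy that lets anyone do anything.
OPEN_BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
    }],
}

# Options A and B: long-term IAM user keys inside a file on the instance.
# Constructed file; the key pair is the AWS documentation placeholder pair.
SAMPLE_CONFIG = """\
[uploader]
bucket = example-uploads-bucket
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
"""

# Long-term (AKIA) and temporary (ASIA) access key ID formats.
ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def policy_findings(policy: dict) -> list[str]:
    """Least-privilege lint for an IAM or bucket policy: report Allow statements
    with a wildcard principal, a wildcard action, or an unscoped resource."""
    findings: list[str] = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        principal = st.get("Principal")
        if principal == "*" or (isinstance(principal, dict) and principal.get("AWS") == "*"):
            findings.append(f"statement {i}: Principal '*' lets any caller in")
        if any(a == "*" or a.endswith(":*") for a in _as_list(st.get("Action"))):
            findings.append(f"statement {i}: wildcard Action {st.get('Action')}")
        if "*" in _as_list(st.get("Resource")):
            findings.append(f"statement {i}: Resource '*' is not scoped")
    return findings


def find_hardcoded_keys(text: str) -> list[str]:
    """Return AWS access key IDs embedded in a config or source file. A hit
    means long-term credentials are sitting on disk or in code (options A/B).
    With an instance role the SDK fetches short-lived credentials from the
    instance metadata service, so there is nothing of this kind to find."""
    return [m.group(0) for m in ACCESS_KEY_RE.finditer(text)]
```

Running `policy_findings` over the role policies returns nothing, while the open bucket policy produces two findings (wildcard principal and wildcard action); `find_hardcoded_keys` is the kind of check to run in CI or on an AMI before it is allowed to launch.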
Question # 53
Which of the following is an AWS Well-Architected Framework design principle for operational excellence in the AWS Cloud?
A. Go global in minutes B. Make frequent, small, reversible changes C. Implement a strong foundation of identity and access management D. Stop spending money on hardware infrastructure for data center operations
Answer: B Explanation: Making frequent, small, reversible changes is one of the design principles for operational excellence in the AWS Cloud, as defined by the AWS Well-Architected Framework. This principle means that you should design your workloads to allow for rapid and safe changes, such as deploying updates, rolling back failures, and experimenting with new features. By making small and reversible changes, you can reduce the risk of errors, minimize the impact of failures, and increase the speed of recovery. References: AWS Documentation - AWS Well-Architected Framework - Operational Excellence Pillar
Question # 54
A user has a stateful workload that will run on Amazon EC2 for the next 3 years. What is the MOST cost-effective pricing model for this workload?
A. On-Demand Instances B. Reserved Instances C. Dedicated Instances D. Spot Instances
Answer: B Explanation: Reserved Instances are a pricing model that offers significant discounts on Amazon EC2 usage compared to On-Demand Instances. Reserved Instances are suitable for stateful workloads that have predictable and consistent usage patterns over a long-term period. By committing to a one-year or three-year term, customers can reduce their total cost of ownership and optimize their cloud spend. Zonal Reserved Instances (those scoped to a specific Availability Zone) also provide a capacity reservation, ensuring that customers have access to the EC2 instances they need when they need them; regional Reserved Instances provide the discount but not the capacity reservation. Spot Instances are cheaper but can be interrupted, which does not suit a stateful workload, and Dedicated Instances are a tenancy option rather than a discount. References: AWS Pricing Calculator; Amazon EC2 Pricing; AWS Cloud Practitioner Essentials: Module 3 - Compute in the Cloud
Question # 55
A company wants to integrate its online shopping website with social media login credentials. Which AWS service can the company use to make this integration?
A. AWS Directory Service B. AWS Identity and Access Management (IAM) C. Amazon Cognito D. AWS IAM Identity Center (AWS Single Sign-On)
Answer: C Explanation: Amazon Cognito is a service that enables you to add user sign-up and sign-in features to your web and mobile applications. Amazon Cognito also supports social and enterprise identity federation, which means you can allow your users to sign in with their existing credentials from identity providers such as Google, Facebook, Apple, and Amazon. Amazon Cognito integrates with the OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) 2.0 protocols to facilitate the authentication and authorization process. Amazon Cognito also provides advanced security features, such as adaptive authentication, user verification, and multi-factor authentication (MFA). References: Amazon Cognito; What is Amazon Cognito?
Question # 56
Which maintenance task is the customer's responsibility, according to the AWS shared responsibility model?
A. Physical connectivity among Availability Zones B. Network switch maintenance C. Hardware updates and firmware patches D. Amazon EC2 updates and security patches
Answer: D Explanation: According to the AWS shared responsibility model, customers are responsible for managing their data, applications, operating systems, security groups, and other aspects of their AWS environment. This includes installing updates and security patches of the guest operating system and any application software or utilities installed by the customer on the instances. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud, such as data centers, hardware, software, networking, and facilities. This includes the physical connectivity among Availability Zones, the network switch maintenance, and the hardware updates and
Question # 57
A company is using Amazon DynamoDB for its application database. Which tasks are the responsibility of AWS, according to the AWS shared responsibility model? (Select TWO.)
A. Classify data. B. Configure access permissions. C. Manage encryption options. D. Provide public endpoints to store and retrieve data. E. Manage the infrastructure layer and the operating system.
Answer: D,E Explanation: According to the AWS shared responsibility model, AWS is responsible for security of the cloud, while customers are responsible for security in the cloud. This means that AWS is responsible for protecting the infrastructure that runs AWS services, such as hardware, software, networking, and facilities. Customers are responsible for managing their data, classifying their assets, and using IAM tools to apply the appropriate permissions. For abstracted services, such as Amazon DynamoDB, AWS operates the infrastructure layer, the operating system, and platforms, and provides customers with public endpoints to store and retrieve data. Customers are responsible for classifying their data, managing their encryption options, and configuring their access permissions. References: Shared Responsibility Model; Security and compliance in Amazon DynamoDB; AWS Cloud Practitioner Essentials: Module 2 - Security in the Cloud
Question # 58
A development team wants to deploy multiple test environments for an application in a fast repeatable manner. Which AWS service should the team use?
A. Amazon EC2 B. AWS CloudFormation C. Amazon QuickSight D. Amazon Elastic Container Service (Amazon ECS)
Answer: B Explanation: AWS CloudFormation is a service that allows you to model and provision your AWS resources using templates. You can define your infrastructure as code and automate the creation and update of your resources. AWS CloudFormation also supports nested stacks, change sets, and rollback features to help you manage complex and dynamic environments. References: AWS CloudFormation; AWS Certified Cloud Practitioner Exam Guide
Question # 59
Which of the following services can be used to block network traffic to an instance? (Select TWO.)
A. Amazon OpenSearch Service B. AWS Control Tower C. AWS IAM Access Analyzer D. AWS Fargate
Answer: C Explanation: AWS IAM Access Analyzer is an AWS service that helps customers identify and review the resources in their AWS account that are shared with an external entity, such as another AWS account, a root user, an organization, or a public entity. AWS IAM Access Analyzer uses automated reasoning, a form of mathematical logic and inference, to analyze the resource-based policies in the account and generate comprehensive findings that show the access level, the source of the access, the affected resource, and the condition under which the access applies. Customers can use AWS IAM Access Analyzer to audit their shared resources, validate their access policies, and monitor any changes to the resource sharing status. References: AWS IAM Access Analyzer; Identify and review resources shared with external entities; How AWS IAM Access Analyzer works
Question # 60
Which of the following services can be used to block network traffic to an instance? (Select TWO.)
A. Security groups B. Amazon Virtual Private Cloud (Amazon VPC) flow logs C. Network ACLs D. Amazon CloudWatch E. AWS CloudTrail
Answer: A,C Explanation: Security groups and network ACLs are the two Amazon VPC features that can be used to block network traffic to an instance. Security groups are virtual firewalls that control the inbound and outbound traffic for your instances at the instance level. A security group contains only allow rules, specified by protocol, port range, and source or destination (a CIDR block, a prefix list, or another security group); any traffic that no rule allows is implicitly dropped, so you block traffic by not allowing it. Security groups are stateful, which means that they automatically allow return traffic for any allowed inbound or outbound traffic. Network ACLs are virtual firewalls that control the inbound and outbound traffic for your subnets at the subnet level. You create numbered rules that allow or deny traffic based on protocol, port range, and source or destination CIDR; rules are evaluated in ascending order, the first match wins, and the default deny-all rule ends the list, so a network ACL is the place for an explicit deny of a specific address range. Network ACLs are stateless, which means that you have to explicitly allow return traffic (typically the ephemeral port range) for any allowed inbound or outbound traffic. VPC flow logs, Amazon CloudWatch, and AWS CloudTrail record or monitor traffic and API activity; they do not block anything. References: Security groups for your VPC - Amazon Virtual Private Cloud; Security Groups for Your VPC - Amazon Elastic Compute Cloud; AWS Security Groups: Everything You Need to Know; Network ACLs - Amazon Virtual Private Cloud; Control traffic to subnets using network ACLs - Amazon Virtual Private Cloud; AWS Network ACLs: Everything You Need to Know
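The stateful/stateless distinction and the "allow only" versus "first numbered match" evaluation are where real misconfigurations happen, so here is an added example (not code from the page or from AWS) that evaluates packets against a modelled security group and two modelled network ACLs. The rules, addresses and ports are constructed; the instance is 10.0.1.5 serving HTTPS.

```python
"""Stateful security group versus stateless network ACL, evaluated on packets.

Added example; not code from the page or from AWS. The rules, addresses and
ports below are constructed; the instance is 10.0.1.5 serving HTTPS.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ANY = "0.0.0.0/0"
EPHEMERAL = (1024, 65535)


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", from the instance's point of view
    proto: str
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> Packet:
        """The reply packet for this one: direction and endpoints swapped."""
        return Packet("out" if self.direction == "in" else "in",
                      self.proto, self.dst, self.dport, self.src, self.sport)


def _matches(rule_proto, ports, cidr, proto, port, addr) -> bool:
    lo, hi = ports
    return (rule_proto == proto and lo <= port <= hi
            and ipaddress.ip_address(addr) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Instance-level firewall. Only allow rules exist; anything unmatched is
    dropped. Stateful: once a packet is allowed, replies for that flow pass
    without needing a rule in the other direction."""

    def __init__(self, inbound, outbound):
        self.inbound, self.outbound = inbound, outbound  # (proto, (lo, hi), cidr)
        self._flows: set[Packet] = set()

    def allows(self, p: Packet) -> bool:
        if p.reverse() in self._flows:  # reply to a flow we already allowed
            return True
        rules = self.inbound if p.direction == "in" else self.outbound
        peer = p.src if p.direction == "in" else p.dst
        for proto, ports, cidr in rules:
            if _matches(proto, ports, cidr, p.proto, p.dport, peer):
                self._flows.add(p)
                return True
        return False


class NetworkAcl:
    """Subnet-level firewall. Numbered allow/deny rules per direction, checked
    in ascending order, first match wins, ending in the implicit deny-all.
    Stateless: replies are evaluated like any other packet."""

    def __init__(self, rules):
        # (number, direction, proto, (lo, hi), cidr, "allow" | "deny")
        self.rules = sorted(rules, key=lambda r: r[0])

    def allows(self, p: Packet) -> bool:
        peer = p.src if p.direction == "in" else p.dst
        for _, direction, proto, ports, cidr, action in self.rules:
            if direction == p.direction and _matches(proto, ports, cidr, p.proto, p.dport, peer):
                return action == "allow"
        return False


def make_web_sg() -> SecurityGroup:
    """Allow HTTPS in from anywhere; no outbound rule at all."""
    return SecurityGroup(inbound=[("tcp", (443, 443), ANY)], outbound=[])


# Forgets that the server's replies go out to the client's ephemeral port.
NACL_NO_EPHEMERAL = NetworkAcl([(100, "in", "tcp", (443, 443), ANY, "allow")])

# Correct: return traffic allowed outbound, plus an explicit block of a
# hostile range at a lower rule number than the allow.
NACL_WEB = NetworkAcl([
    (50, "in", "tcp", (1, 65535), "198.51.100.0/24", "deny"),
    (100, "in", "tcp", (443, 443), ANY, "allow"),
    (100, "out", "tcp", EPHEMERAL, ANY, "allow"),
])

REQUEST = Packet("in", "tcp", "203.0.113.10", 51515, "10.0.1.5", 443)
BLOCKED_REQUEST = Packet("in", "tcp", "198.51.100.7", 40000, "10.0.1.5", 443)


def https_session(firewall) -> tuple[bool, bool]:
    """Client request in, server reply out. Returns (request_ok, reply_ok)."""
    return firewall.allows(REQUEST), firewall.allows(REQUEST.reverse())
```

Two results worth noticing: the security group with no outbound rule still lets the HTTPS reply out because it is stateful, whereas the network ACL without an outbound ephemeral-port rule allows the request and silently drops the reply; and the hostile range is blocked only by the network ACL, because a security group has no deny rule to express that.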