Mock Tests

You want to be able to answer all the questions correctly before you enter the exam room. You should use these tests to identify any questions that you did not answer correctly and then go back and review the chapter that covers the concepts examined in the question. This way, you will fill any gaps in your knowledge and be in a better position to get a high score on the official exam.

Mock test 1

1. Which type of cloud service model is most like an on-premises environment, where you configure virtual infrastructure components such as compute, network, and storage services that you can host your applications on?
A. Software as a Service (SaaS)
B. Platform as a Service (PaaS)
C. Infrastructure as a Service (IaaS)
D. Function as a Service (FaaS)

2. Your company is looking to move all its applications and services to the cloud but would like to migrate workloads in stages. This would require you to ensure that there is connectivity between the on-premises infrastructure and the applications you deploy on AWS for a while. What cloud deployment model would you need to establish?
A. Private cloud
B. Public cloud
C. Hybrid cloud
D. Multi-cloud

3. Which of the following statements are valid reasons for choosing a specific AWS Region to deploy your applications in? (Choose two)
A. Your organization would choose a specific AWS Region that enables you to ensure that your applications are closer to your end users, thereby reducing any latency.
B. If your organization has specific compliance or data residency laws to follow, then your choice of an AWS Region will be dictated by this requirement.
C. Your organization would choose a Region closer to its location since your IT staff will need to visit the AWS data centers to set up servers and networking equipment.
D. Your organization would choose a Region-based location where your business has an established legal presence. This is because you cannot access other Regions unless you have a legal establishment in that Region.
E. Your organization would select an AWS Region that offered higher variable costs but lower upfront costs.

4. Which component of the AWS Global Infrastructure enables you to cache content (videos, images, and documents) and offer low-latency access when your users try to download them?
A. AWS Regions
B. Availability Zones
C. Edge locations
D. Local Zones

5. Which of the following AWS services can help you design a hybrid cloud architecture and enable your on-premises applications to get access to Amazon S3 cloud storage?
A. Amazon Snowball Edge
B. AWS Storage Gateway
C. Amazon Elastic Block Store
D. Amazon CloudFront

6. You are planning on using AWS services to host an application that is still under development, and you need to decide which AWS support plan you should subscribe to. You do not need production-level support currently and are happy with a 12-hour response time for any system-impaired issues. Which is the most cost-effective support plan you should subscribe to?
A. Basic Support plan
B. Developer Support plan
C. Business Support plan
D. Enterprise Support plan

7. Which of the following are regarded as global services on AWS? (Choose two)
A. AWS IAM
B. Amazon Route53
C. Amazon EC2
D. Amazon EFS
E. Amazon RDS

8. Which of the following statements closely relates to the advantage of cloud computing that discusses the ability to go global in minutes?
A. The ability to trade capital expenses for variable expenses and thus avoid huge CAPEX.
B. The ability to provision resources just in time for when you need them using tools such as Auto Scaling.
C. The ability to deploy your applications across multiple Regions with just a few mouse clicks.
D. The ability to focus on experimentation and the development of your applications rather than infrastructure builds, management, and maintenance.

9. Which AWS service can you configure to send out an alert to an email address if your total expenditure crosses a predefined monthly cost?
A. Set up a billing alarm in Amazon CloudWatch
B. Set up a billing alarm in Amazon CloudTrail
C. Set up a billing alarm in Amazon Config
D. Set up a billing alarm in Amazon Trusted Advisor

10. Which of the following resource types is tied to the Availability Zone that it was launched in?
A. Elastic Block Store (EBS)
B. Elastic File System (EFS)
C. Amazon Route53 Hosted Zones
D. Amazon DynamoDB

11. As part of enhancing the security of your AWS account, you need to ensure that all IAM users use complex passwords comprising at least one capital letter, a number, a symbol, and a minimum of 9 characters. Which AWS IAM feature can you use to configure these requirements?
A. Password policies
B. Permission boundaries
C. Service Control Policies (SCPs)
D. Resource policies

12. As a recommended best practice, what additional authentication security measure can you implement for your root user and IAM users?
A. Implement MFA.
B. Implement LastPass.
C. Implement AWS WAF.
D. Implement AWS Shield.

13. What is the easiest way to assign permissions to many IAM users who share a common job function?
A. Create a customer-managed IAM policy and attach the same policies to all IAM users who share a common job function.
B. Create an IAM Group, add IAM users who share the common job function to that group, and apply an IAM policy to the group with the necessary permissions.
C. Create an SCP to restrict users who share a common job function for specific permissions.
D. Create an IAM role with the necessary permissions and assign the role to all IAM users who share the common job function.

14. You have outsourced the development of your application to a third-party provider. This provider will require temporary access to your AWS account to set up the necessary infrastructure and deploy the application. What type of identity should you configure for the provider to use to gain access?
A. IAM User
B. IAM Group
C. IAM role
D. Root user

15. Which tool on AWS can be used to estimate your monthly costs?
A. AWS Pricing Calculator
B. AWS TCO Calculator
C. AWS Free Tier Calculator
D. AWS Monthly Calculator

16. You need to differentiate the cost of running different workloads in your AWS account by business unit and department. How can you identify your resources, as well as their owners, in the billing reports generated by AWS?
A. Designate specific tags as cost allocation tags in the AWS Billing and Cost Management Console.
B. Set up an SNS alert for each department.
C. Create a billing alarm.
D. Configure consolidated billing in AWS Organizations.

17. Which AWS tool enables you to view your Reserved Instance (RI) utilization?
A. AWS Cost Explorer
B. AWS Config
C. AWS CloudTrail
D. AWS Personal Health Dashboard

18. Which set of credentials do you need to configure for IAM users who need to access your AWS account via the command-line interface (CLI)?
A. IAM username and password
B. IAM access key ID and secret access key
C. IAM MFA
D. IAM key pairs

19. An application is to be deployed on EC2 instances that will need to access an Amazon S3 bucket to upload any artifacts that are created. Which security option is considered a best practice to grant the application running on the EC2 instances the necessary permissions to upload files to the Amazon S3 bucket?
A. Create an IAM user account with a set of access keys and assign the required level of permissions using an IAM policy. Hardcode the application with the access keys.
B. Create an IAM user account with a username and password and assign the required level of permissions using an IAM policy. Hardcode the application with the username and password.
C. Create an IAM role with the required level of permissions using an IAM policy. Attach the role to the application running on the EC2 instance.
D. Create an IAM role with the required level of permissions using an IAM policy. Attach the role to the EC2 instances that will host the application.

20. Which AWS service enables you to troubleshoot IAM policies by identifying which set of permissions are allowed and which are denied?
A. AWS Policy Simulator
B. AWS Policy Manager
C. AWS CloudTrail
D. AWS SCPs

21. As part of your regular compliance processes, you are required to regularly audit the list of your IAM users and review information such as whether they have been configured with passwords and access keys, as well as whether MFA has been enabled on those accounts. Which AWS IAM service enables you to produce regular reports containing the preceding information?
A. IAM Credentials Report
B. IAM MFA Report
C. AWS CloudWatch
D. AWS Config

22. Which type of AWS policy enables you to define boundaries against what an IAM user or IAM role can be permitted to do in your AWS account?
A. IAM policies
B. Resource-based policies
C. SCPs
D. Permission boundaries

23. Which type of AWS policy enables you to control the maximum set of permissions that can be defined for AWS member accounts of an organization?
A. IAM policies
B. Resource-based policies
C. SCPs
D. Permission boundaries

24. Which of the following Amazon S3 storage classes can help you reduce the cost of storage for objects that are infrequently accessed, and yet still give you instant access when you need it?
A. Amazon S3 Standard-IA
B. Amazon S3 Glacier
C. Amazon S3 Glacier Deep Archive
D. Amazon S3 Standard

25. You are hosting an Amazon S3 bucket that contains important documents, and you want to enhance security whereby IAM users who try to access the objects can only do so from within the corporate office network. How would you configure your S3 bucket to fulfill this requirement?
A. Create a resource policy granting the necessary level of access with a condition statement that defines and specifies the corporate office IP block.
B. Create a resource policy granting the necessary level of access with a condition statement that specifies your corporate IAM users' accounts.
C. Create an SCP granting access with a condition statement that specifies the corporate office IP block.
D. Create an Amazon S3 Access Control List (ACL) with a condition statement that specifies your corporate IAM users' accounts.

26. Which type of Amazon S3 storage class is cost-effective where you are unsure of your access patterns for the data contained within the S3 bucket?
A. Amazon S3 Standard storage class
B. Amazon S3 Standard-IA storage class
C. Amazon S3 One-Zone IA
D. Amazon S3 Intelligent Tiering

27. Your junior colleague accidentally deleted some financial data that was stored in an Amazon S3 bucket. How can you prevent such accidental deletions of data in Amazon S3?
A. Do not give junior administrators access to Amazon S3.
B. Set up Amazon S3 Versioning on your S3 bucket.
C. Set up Amazon S3 Lifecycle Management.
D. Set up Amazon S3 Termination Protection.

28. Which feature of Amazon S3 enables you to create a secondary copy of your objects in a given S3 bucket that will be stored in a different Region for compliance purposes?
A. Amazon S3 Cross-Region Replication (CRR)
B. Amazon S3 Same Region Replication
C. Amazon S3 Versioning
D. Amazon S3 Multi-Copy

29. Company policy dictates that objects stored in Amazon S3 must be encrypted at rest. It is also mandated that your choice of encryption should offer an auditing feature that shows when your Customer Master Key (CMK) was used and by whom. Which type of Amazon S3 encryption option will you need to configure to fulfill the requirements?
A. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
B. Client-Side Encryption
C. Server-Side Encryption with KMS keys stored in AWS Key Management Service (SSE-KMS)
D. BitLocker

30. You need to retrieve a small subset of some archive data urgently to resolve a pending investigation. The data is stored in the Amazon S3 Glacier storage class. Which retrieval option can you use to access the data urgently?
A. Standard retrieval option
B. Expedited retrieval option
C. Bulk retrieval option
D. Power retrieval option

31. You have a team of remote workers who need to upload research documents and videos to your Amazon S3 bucket hosted in the us-east-1 Region. You would like to ensure that your remote staff can upload research material with low latency access. What can you do to reduce speed variability for uploads, which is often experienced due to the architecture of the public internet?
A. Enable Amazon S3 Transfer Acceleration (S3TA) for your bucket.
B. Configure an IPSec site-to-site VPN connection between your remote workers and the VPC in the us-east-1 Region.
C. Use the Amazon Storage Gateway service.
D. Set up Amazon Express Route.

32. You need to transfer large amounts of data from your on-premises network to the Amazon S3 platform. The total data capacity is around 400 TB. You have decided to opt for the Amazon Snowball Edge service to complete the transfer. No data compute or processing is required. Which flavor of the Amazon Snowball Edge service would you recommend?
A. Snowball Edge Compute Optimized
B. Snowball Edge Storage Optimized
C. Snowball Edge Data Optimized
D. Snowball Edge Function Optimized

33. You host several Microsoft Windows applications on-premises that need low latency access to large amounts of storage. You would like to use the Amazon Storage Gateway service to host all application-level data. Which gateway option would you recommend?
A. Amazon S3 File Gateway
B. Amazon FSx File Gateway
C. Volume Gateway Cached Mode
D. Tape Gateway

34. Following best practices, you have deployed your application servers within the private subnets of a VPC. However, these servers require internet access to download updates and security patches. Which type of resource can enable you to grant internet access to EC2 instances in private subnets without having to assign public IP addresses to those instances?
A. Internet gateway
B. NAT gateway
C. Subnet
D. Route table

35. Which of the following statements is true about security groups?
A. Security groups are stateful and you need to configure both inbound and the corresponding outbound rules for traffic to flow bidirectionally.
B. Security groups are stateless and you do not need to configure both inbound and the corresponding outbound rules for traffic to flow bidirectionally.
C. Security groups can be used to explicitly deny inbound traffic from a specific IP address range.
D. Security groups are used to limit what actions IAM users that are members of the group can perform.

36. Which feature of the AWS VPC service enables you to connect multiple VPCs so that traffic between those VPCs can be sent using private IP address space?
A. VPC peering
B. VPC Flow Logs
C. Subnets
D. VPC endpoints

37. Which service enables you to reduce the complexity associated with establishing multiple VPC peering connections?
A. AWS Transit Gateway
B. AWS VPC Manager
C. AWS Direct Connect
D. IPSec VPN Tunnel

38. Which AWS service enables you to connect your on-premises network to your AWS account using a dedicated private connection that bypasses the internet altogether?
A. IPSec VPN
B. Express Route
C. Direct Connect
D. Snowball

39. Which AWS feature can help you establish connectivity between your on-premises network and your AWS VPC using an IPSec tunnel?
A. Direct Connect
B. Virtual Private Network (VPN)
C. AWS Outposts
D. Amazon SNS

40. You are about to publish your web application using an Application Load Balancer (ALB) and would like to use a friendly domain name to advertise the site to your users rather than the ALB's DNS name. Which AWS service can you use to configure the alias name so that when users type the friendly domain name into the browser, they are directed to the ALB's DNS URL?
A. Amazon Route53
B. Amazon CloudFront
C. Amazon S3
D. Amazon Direct Connect

41. Which AWS service enables you to purchase and register new domain names that can be used to publish your website on the internet?
A. Route53
B. VPC
C. RDS
D. Elastic Beanstalk

42. You have developed a web application that you want to offer redundancy and resilience for. Which feature of the Amazon Route53 service can help you design your web application with a primary site to which all users' traffic is directed by default, and if the primary site is offline, users are redirected to a secondary site located in a different Region?
A. Simple routing policy
B. Weighted routing policy
C. Failover routing policy
D. Geolocation routing policy

43. You plan to host a new Amazon S3 static website through which you will offer free recipe guides. The site is going to be accessed by users across the globe. The site contains lots of videos and images about the recipes you offer. Which AWS service can help you cache your digital assets locally to where users are located and thus reduce latency when your users access content on your website?
A. Amazon Route53
B. Amazon VPC
C. Amazon CloudFront
D. Amazon Cloud9

44. You have created an EC2 AMI that contains the base operating system and all necessary corporate settings/configurations. Your colleagues in another Region are trying to launch new EC2 instances but they are unable to access your AMI. What do you need to do so that your colleagues can use the new image?
A. Copy the AMI to other Regions.
B. Set up a VPC endpoint between the Regions to allow your colleagues to download the AMI.
C. Copy the AMI to an S3 bucket.
D. Use the Amazon Snowball service to send a copy of the AMI to your colleagues.

45. Which EC2 instance type is designed for floating-point number calculations, graphics processing, or data pattern matching?
A. General Purpose
B. Memory-Optimized
C. Compute Optimized
D. Accelerated Computing

46. You need to deploy a certain third-party application on an EC2 instance where the licensing term is based on a per-CPU core/socket basis. Which EC2 pricing option do you need to use for this requirement?
A. On-Demand
B. Reserved Instance
C. Spot Instance
D. Dedicated Host

47. You are currently running a test phase for a new application that is being developed in-house. Your UAT testers will need to access test servers for 3 hours a day, three times a week. The test phase is supposed to last 5 weeks. You cannot afford any interruptions to the application while the tests are being run. Which EC2 pricing option will be the most cost-effective?
A. On-Demand
B. Reserved
C. Spot
D. Dedicated Host

48. Which EBS volume type is designed for critical, I/O-intensive databases and application workloads?
A. gp2
B. st1
C. sc1
D. io1

49. Which of the following payment options will help you achieve the maximum discount for your RIs?
A. A 1-year commitment with payment made using the Partial Upfront option.
B. A 1-year commitment with payment made using the All Upfront option.
C. A 1-year commitment with payment made using the No Upfront option.
D. A 3-year commitment with payment made using the All Upfront option.

50. Which AWS service enables you to quickly deploy a Virtual Private Server (VPS) that comes preconfigured with common application stacks, SSD storage, and fixed IP addresses for a fixed monthly fee based on the configuration of the server?
A. Amazon EC2
B. Amazon Lightsail
C. Amazon ECS
D. Amazon ECR

51. You are planning on deploying a Docker application on AWS. You wish to deploy your Docker image without having to manage EC2 instances, such as provisioning and scaling clusters, or patching and updating virtual servers yourself. Which service enables you to fulfill this requirement?
A. Amazon ECS deployed using the EC2 Launch Type
B. Amazon ECS deployed using the Fargate Launch Type
C. Amazon ECS deployed using ECR
D. Amazon ECS deployed with Lambda functions to manage your servers

52. Which of the following services is part of the AWS serverless offering that allows you to run code in response to a trigger or event?
A. Amazon ECS
B. AWS Lambda
C. Amazon EC2
D. AWS CloudFront

53. Which AWS storage option is designed to offer file sharing capabilities for Windows-aware applications and offers options for integration with Microsoft Active Directory?
A. AWS FSx for Lustre
B. Amazon FSx for Windows File Server
C. AWS Elastic File System
D. AWS instance store volumes

54. You are planning on deploying 10 EC2 instances across two Availability Zones that will host the new line of business applications. All the servers will need to share common files and will run the Amazon Linux 2 operating system. Which storage architecture would you recommend to host the shared files for your application servers?
A. Amazon Elastic File System (EFS)
B. Amazon FSx Lustre
C. Amazon S3
D. Amazon EBS

55. You have just launched a Windows EC2 instance. How can you obtain the Windows local administrator password?
A. Raise a support request with Amazon to obtain the password.
B. The password is sent to you automatically via email.
C. The password is sent to you via an SMS text message to your registered mobile.
D. Use the key pair to decrypt the password.

56. Which AWS service enables you to configure a hybrid solution by extending AWS infrastructure so that EC2 and EBS services can be hosted in your on-premises data center?
A. AWS RDS
B. AWS Direct Connect
C. AWS Outposts
D. AWS Route53

57. Your company provides spread betting services. You wish to run an end of day analysis against the day's transaction costs and carry out the necessary market analysis. Which AWS service dynamically provisions the necessary compute services that will scale based on the volume and resource requirements of your submitted jobs?
A. AWS Batch
B. AWS CloudFront
C. AWS Lambda
D. AWS Blockchain

58. Which AWS service can help you deploy, manage, and scale containerized applications using Kubernetes on AWS?
A. Amazon ECS
B. Amazon EKS
C. Amazon MFA
D. Amazon EC2

59. Which of the following statements is an example of an advantage of using Amazon RDS over databases installed on EC2 instances?
A. Amazon RDS is a fully managed database where AWS manages the underlying compute and storage architecture, as well as patching and updates.
B. Amazon RDS grants you access to the operating system, allowing you to fine-tune the database for the operating system it is running on.
C. Amazon RDS is faster than running the Microsoft SQL Server database on EC2 instances.
D. Amazon RDS automatically enables encryption of the data in Amazon RDS.

60. Which feature of Amazon RDS enables you to create a standby copy of the database and offer failover capabilities if the master copy fails?
A. Read Replicas
B. Multi-AZ
C. Failover policy
D. Snapshots

61. Your company is planning to migrate its on-premises MySQL database to Amazon RDS. Which service will enable you to perform the migration?
A. Amazon Server Migration Service (SMS)
B. Amazon Database Migration Service (DMS)
C. Amazon VM Import Export
D. Amazon Redshift Migration Utility

62. Which feature of AWS Redshift allows you to perform SQL queries against data stored directly on Amazon S3 buckets?
A. Redshift leader node
B. Redshift Spectrum
C. Redshift Copy
D. Redshift Streams

63. Which Amazon RDS engine offers high resilience with copies of the database placed across a minimum of three Availability Zones?
A. MySQL
B. PostgreSQL
C. Microsoft SQL Server
D. Amazon Aurora

64. Which AWS-managed database service enables you to store data using complex structures with options for nested attributes, such as a JSON-style document?
A. Amazon RDS
B. Amazon Redshift
C. Amazon DynamoDB
D. Amazon Aurora

65. Which AWS database service is designed to store sensitive data that is immutable and where the transactional logs are cryptographically verifiable?
A. AWS QLDB
B. Amazon Neptune
C. Amazon Aurora
D. Amazon RDS

Mock test 2

1. You are currently performing a manual snapshot of your single instance MySQL Amazon RDS database every 4 hours. Some users have complained that the application that connects to the database experiences a brief outage when the backup process initializes. What can you do to resolve this issue?
A. Configure your Amazon RDS database with Read Replicas.
B. Configure your Amazon RDS database with Multi-AZ.
C. Configure an AWS backup to perform the RDS database backups.
D. Use the DMS service to migrate the MySQL database to Microsoft SQL Server.

2. Your organization is in the healthcare industry and based in New York. You are planning on using an in-memory caching engine to alleviate the load on your Amazon RDS database for frequently used queries. Which AWS in-memory caching engine offers Multi-AZ capabilities, encryption of data, and compliance with the Health Insurance Portability and Accountability Act (HIPAA)?
A. Amazon ElastiCache for Redis
B. Amazon ElastiCache for Memcached
C. Amazon CloudFront
D. Amazon DynamoDB DAX

3. Which AWS service offers a fully managed data warehousing capability and enables you to analyze large datasets using standard SQL and Business Intelligence (BI) tools?
A. Amazon RDS
B. Amazon QLDB
C. Amazon Redshift
D. Amazon Aurora

4. Which of the following services further increase your EC2 instances' costs? (Choose two)
A. Detailed monitoring
B. Use of Elastic Load Balancers
C. S3 buckets that you connect to
D. DynamoDB tables that you query
E. Setting up multiple key pairs

5. Your developer team needs to deploy an Elastic Load Balancer that will direct traffic to your web servers based on the URL path and over the HTTPS protocol. Which Elastic Load Balancer would you recommend?
A. Network Load Balancer
B. ALB
C. Gateway Load Balancer
D. Classic Load Balancer

6. Which feature of the Elastic Load Balancer service is suitable for Transmission Control Protocol (TCP), User Datagram Protocol (UDP), and Transport Layer Security (TLS) type traffic and operates at layer 4 of the Open Systems Interconnection (OSI) model?
A. Network Load Balancer
B. ALB
C. Gateway Load Balancer
D. Classic Load Balancer

7. Which of the following statements is true about Elastic Load Balancers?
A. Elastic Load Balancers act as firewalls to protect the application running on your EC2 instances.
B. Elastic Load Balancers enable you to achieve high availability across multiple Regions by distributing incoming web traffic to targets located in multiple Regions.
C. Elastic Load Balancers enable you to achieve high availability within a single Region by distributing incoming web traffic to targets located in multiple Availability Zones.
D. Elastic Load Balancers enable you to scale horizontally by provisioning or terminating EC2 instances based on the demand of your resources.

8. Which component of an Elastic Load Balancer do you need to configure to ensure you accept traffic on a designated port and forward that traffic on a specific port to your EC2 instances behind the load balancer?
A. Port forwarder
B. NAT Gateway
C. Listener
D. Echo

9. You are building a multi-tier architecture with web servers placed in the public subnet and application servers placed in the private subnet of your VPC. Which type of load balancer would you choose to distribute traffic to your application servers?
A. Internet-facing
B. Internal load balancers
C. Dynamic load balancers
D. Static load balancers

10. Which configuration feature of the AWS Auto Scaling service enables you to define a maximum number of EC2 instances that can be launched in your fleet?
A. Auto Scaling group
B. Auto Scaling Launch Configuration
C. Auto Scaling MaxFleet Size
D. Auto Scaling policy

11. Which AWS service can help you provision only the necessary number of EC2 instances required to meet application demand, thus saving on costs usually associated with overprovisioning resources?
A. Elastic Load Balancer
B. Auto Scaling
C. Cost Explorer
D. EC2 Launcher

12. You have recently launched a new free coupon web application across a fleet of EC2 instances configured in an Auto Scaling group. Traffic has increased dramatically before the Black Friday sale and you have noticed that your Auto Scaling service is not launching any more EC2 instances, even though the threshold metrics have been crossed in CloudWatch. Your colleague tells you that you may have crossed a quota or limit on the number of EC2 instances you can launch. Which AWS service can offer you a quick look to determine whether this is the case?
A. Personal Health Dashboard
B. AWS Systems Manager
C. AWS Config
D. AWS Trusted Advisor

13. Which firewall protection service does the ALB offer to help protect against common web exploits such as cross-site scripting and SQL injection?
A. AWS WAF
B. AWS Shield
C. Amazon GuardDuty
D. Network Access Control Lists (NACLs)

14. Which dynamic scaling policy offered by the Amazon Auto Scaling service can help you launch or terminate EC2 instances in the fleet based on the target value of a specific metric?
A. Target tracking scaling policy
B. Step scaling policy
C. Simple scaling policy
D. Predictable scaling policy

15. You plan to use Amazon CloudWatch to send out alerts whenever the CPU utilization on your production EC2 instances is more than 80% for 15 minutes. Which AWS service can you use to send out this alert notification?
A. Amazon SES
B. Amazon SNS
C. Amazon SQS
D. Amazon MQ

16. Which feature of the Amazon SNS service enables you to push notification messages to multiple endpoints in parallel?
A. You can use the SNS Fanout scenario to help you push notifications to multiple endpoints.
B. You can use SNS FIFO topics to help you push notifications to multiple endpoints.
C. You can change the timeout period to ensure that notifications are sent to multiple endpoints.
D. To send out notifications to multiple endpoints, you will need to configure Amazon SQS to integrate with Amazon SNS.

17. Which AWS service enables you to design your application architecture by decoupling its components into distributed systems and facilitating the design and architecture of microservices?
A. Amazon SNS
B. Amazon Simple Queue Service (SQS)
C. Amazon MQ
D. Amazon Redshift

18. You plan to use Amazon SQS to help decouple your application components. Which queue type will help you ensure that the message order from one component to another is preserved?
A. Configure Amazon SQS with a standard queue.
B. Configure Amazon SQS with a FIFO queue.
C. Configure Amazon SQS with a LIFO queue.
D. Configure Amazon SQS with a DLQ.

19. You are planning on migrating an application to the cloud. Which message brokering service will enable you to continue to use Apache ActiveMQ and facilitate communications between application components?
A. Amazon SQS
B. Amazon MQ
C. Amazon SNS
D. Amazon SES

20. Which AWS service can help you trigger a Lambda function based on an event such as an object being deleted from an Amazon S3 bucket?
A. AWS ECS
B. AWS Batch
C. AWS EventBridge
D. Amazon CloudTrail

21. Your application architecture for an insurance claim solution has a workflow process that can take up to 30 days to complete and requires human intervention in the form of manual approval processes to follow. Which AWS service would you recommend for architecting the workflow process?
A. Amazon SQS
B. Amazon Step Functions
C. AWS CloudFormation
D. AWS Lambda

22. You plan to configure a Lambda function that will be used to automatically start and stop EC2 instances at the start and close of the business day, respectively. How can you automate the start and stop of EC2 instances according to a specified schedule?
A. Configure Amazon SNS to send out an alert trigger to the Lambda function.
B. Configure Amazon CloudTrail to trigger the Lambda function at the designated schedule.
C. Configure Amazon CloudWatch Events with a rule to trigger the Lambda function at the designated schedule.
D. Configure the Amazon Scheduler service.

23. You need to run certain SQL queries to analyze data from a streaming source and conduct analysis. Which of the following services can you use to analyze stream data in real time?
A. Amazon SQS
B. Amazon Kinesis Data Streams
C. Amazon Kinesis Analytics
D. Amazon Athena

24. You are required to run ad hoc test queries against weekly reports that are stored in Amazon S3. Which AWS service can you use to query raw data in Amazon S3 using standard SQL?
A. Amazon Athena
B. Amazon Kinesis
C. Amazon RDS
D. Amazon Redshift

25. Which AWS service can be used to load a massive amount of streaming data into your Redshift data warehousing solution in near real time?
A. Amazon Kinesis Data Streams
B. Amazon Kinesis Firehose
C. Amazon Kinesis Video Streams
D. Amazon Athena

26. Which AWS service can be used to create and publish interactive BI dashboards that can be embedded into your applications, websites, and portals using Amazon-provided APIs and SDKs?
A. Amazon Athena
B. Amazon QuickSight
C. Amazon Config
D. Amazon Glue

27. Which AWS service offers a serverless Extract, Transform, and Load (ETL) solution that's used to discover and extract data from various sources and perform any cleaning or normalization on data warehouses and data lakes, before loading them into databases?
A. AWS QuickSight
B. Amazon Athena
C. Amazon Glue
D. Amazon CloudTrail

28. As part of your migration to the cloud, you need to re-host an application that uses Apache Spark to process vast amounts of data for a big data project. Which service on AWS can you use to help with data transformation and perform ETL jobs such as sort, aggregate, and join on large datasets?
A. AWS QuickSight
B. Amazon EFS
C. Amazon EMR
D. Amazon S3

29. You need to regularly build test environments for new applications currently under development. Which AWS service can you use to automate the infrastructure build of your test environment and thus reduce the time taken to provision the infrastructure required?
A. Amazon Elastic Beanstalk
B. Amazon CloudFormation
C. AWS OpsWorks
D. AWS Systems Manager

30. Which service can be used to orchestrate and configure environments to deploy applications using the Chef and Puppet enterprise tools?
A. Amazon CloudFormation
B. AWS OpsWorks
C. Amazon Elastic Beanstalk
D. Amazon Cloud9

31. Which service enables developers to upload code to AWS and have the necessary infrastructure provisioned and managed to support that application?
A. Amazon Elastic Beanstalk
B. Amazon CloudFormation
C. Amazon Cloud9
D. AWS OpsWorks

32. Which of the following environment tiers within the Elastic Beanstalk architecture is designed to support backend operations?
A. Web services tier
B. Worker tier
C. Backend tier
D. Database tier

33. Which of the following formats are CloudFormation templates written in? (Choose two)
A. YAML
B. XML
C. CSV
D. JSON
E. JAVA

34. Which of the following is an example of a custom CloudWatch metric?
A. CPU utilization
B. Disk read in
C. Network bytes in
D. Memory

35. Which feature of CloudWatch can help send you notification alerts via Amazon SNS whenever a particular threshold is breached for a specified period?
A. Dashboards
B. Alarms
C. Logs
D. Events

36. You plan to use CloudWatch Logs to monitor network traffic that enters the AWS environment and is specifically destined for an EC2 instance. You would like to record all inbound network traffic on port 80 that was accepted. What service can you configure to help you achieve this requirement?
A. ALB access logs
B. VPC Flow Logs
C. CloudTrail Logs
D. Config logs

37. Which AWS service enables you to track user activity and API usage in your AWS account for auditing purposes?
A. AWS Config
B. AWS CloudWatch
C. AWS CloudTrail
D. AWS Trusted Advisor

38. Which AWS service can be used to see how resources are interrelated to each other, how they were configured in the past, and view historical changes to those resources over time?
A. AWS Trusted Advisor
B. AWS Systems Manager
C. AWS Config
D. AWS IAM

39. Which feature of the AWS Systems Manager service enables you to roll out security patches across EC2 instances and on-premises servers?
A. Patch Manager
B. Microsoft WSUS
C. AWS Config
D. SCCM

40. You are planning on deploying a three-tier application architecture that is comprised of a database backend. Your application has been hardcoded with the database connection strings and secrets such as the username and password. The company's security policy dictates that this approach is unacceptable, and they would like you to manage the secrets information more securely. What would you recommend?
A. Store the configuration information in the SSM Parameter Store and reference the parameter name from your code to dynamically retrieve the connection information.
B. Store the configuration information in Amazon Redshift and reference the connection details from your code to dynamically retrieve the connection information.
C. Store the configuration information in Amazon S3 and reference the connection details from your code dynamically.
D.
Store the configuration information on an EBS volume and reference the connection details from your code dynamically. 41. Which AWS service can be used to manage and resolve incidents that affect their AWS-hosted applications? A. AWS Systems Manager Incident Manager B. AWS Systems Manager Event Manager C. Amazon EventBridge D. AWS Personal Health Dashboard (PHD) 42. Which AWS service can be used to identify resources that have not been configured by following security best practices? A. AWS CloudWatch B. AWS Trusted Advisor C. AWS IAM D. AWS CloudTrail Mock test 2 551 43. You are trying to review the AWS Trusted Advisor service to analyze potential cost savings opportunities for various workloads you have deployed on AWS. However, you have noticed that the Cost Optimization category is grayed out and there are no reports on current configuration states. What could be preventing you from viewing the Cost Optimization report? A. You do not have enough permissions to access the Cost Optimization category on AWS Trusted Advisor. B. You have not subscribed to either the business or enterprise support plans. C. You have logged in with an IAM account and only the root user can access pricing and cost information. D. The AWS account does not have an active debit/credit card associated with it. 44. Which Well-Architected Framework pillar suggests that replacing failed resources is often better than trying to figure out why the failure occurred? Identifying the reason for failure can be done later, but focusing on replacing the failed resource will help you get up and running quickly. A. Cost Optimization B. Fault Tolerance C. Reliability D. Performance 45. Which of the following services can help fulfill the guidelines provided in the performance pillar concerning ensuring low latency access to video content hosted in a single S3 bucket globally? A. Use AWS CloudFront to cache the video content closer to end users. B. 
Use AWS DynamoDB DAX to cache the video content closer to end users. C. Use Amazon Elasticache to cache the video content closer to end users. D. Use Amazon Kinesis to cache the video content closer to end users. 552 Mock Tests 46. Which pillar of the Well-Architected Framework refers to selecting the appropriate pricing options that allow you to adopt a consumption model for provisioning various resources? A. Performance pillar B. Reliability pillar C. Fault Tolerance pillar D. Cost Optimization pillar 47. Regarding the AWS Shared Responsibility Model, who is responsible for patching Amazon RDS database instances? A. AWS B. Customer C. Database engine vendor D. Both the customer and AWS 48. Which AWS service gives customers access to various compliance reports that confirm if the services offered by AWS meet specific requirements and regulatory requirements? A. AWS CloudTrail B. AWS Acceptable Usage Policy (AUP) C. AWS Artifacts D. AWS Compliance Programs 49. AWS allows customers to run vulnerability scans and perform penetration testing. However, certain types of testing are not permitted. Which of the following actions is the customer prohibited from performing? A. Brute-force attacks by trying to guess your Amazon RDS database passwords. B. Running malware detection programs on your EC2 instances. C. Attempting to perform cross-site scripting or SQL injection tests via your ALB. D. Performing simulated Distributed Denial of Service (DDoS) attacks. Mock test 2 553 50. Which AWS service enables you to encrypt data stored in your Amazon S3 buckets with a CMK and offers auditing capabilities? A. Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3) B. Server-Side Encryption with CMKs Stored in AWS KMS (SSE-KMS) C. Server-Side Encryption with Customer-Provided Keys (SSE-C) D. Client-Side Encryption with Amazon-Managed Keys 51. 
To meet strict compliance and regulatory requirements, you are required to encrypt the application data stored on your EC2 instances using dedicated FIPS 140-2 Level 3 validated devices. Which AWS service can you use to fulfill this requirement? A. AWS KMS B. AWS CloudHSM C. AWS TPM Hardware Modules D. AWS Certificate Manager 52. Which AWS security solution offers protection against DDoS attacks and features an AWS Shield Response Team (SRT) 24/7 to assist you in handling such attacks? A. AWS WAF B. AWS X-Ray C. AWS Detective D. AWS Shield Advanced 53. Which type of firewall solution integrates with Amazon CloudFront and ALBs to offer protection against common web exploits such as cross-site scripting and SQL injection? A. AWS WAF B. AWS Shield C. AWS X-Ray D. AWS Firewall Manager 554 Mock Tests 54. You are planning lots of data on Amazon S3 and you would like to monitor how your data is accessed, particularly highlighting any sensitive information such as personally identifiable information (PII). Which AWS service can help you meet this requirement? A. Amazon Macie B. AWS GuardDuty C. AWS Detective D. AWS X-Ray 55. You are building a mobile application that will be publicly accessible and you would like to integrate a third-party identity provider for authentication purposes, such as Facebook or Google. Which AWS service can be used to set up identity and access control solutions for your web and mobile applications? A. AWS Cognito B. AWS IAM C. Active Directory D. AWS Certificate Manager 56. Which AWS service can help detect malicious activities by analyzing data from your CloudTrail event logs, Amazon VPC Flow Logs, and DNS logs? A. AWS Shield B. AWS Detective C. AWS GuardDuty D. Amazon Macie 57. Which AWS service can help you determine the root cause of security issues by extracting time-based events such as logins, network traffic from Amazon VPC Flow Logs, and data ingested from GuardDuty findings? A. AWS Shield B. AWS WAF C. AWS Detective D. 
Amazon Macie Mock test 2 555 58. You are planning on migrating your on-premises workloads and applications to the cloud. Which AWS service enables you to capture millions of real-time data points related to your IT environment and review recommendations for right sizing and appropriately costing workloads on AWS? A. AWS Pricing Calculator B. AWS Migration Evaluator C. AWS Hybrid Calculator D. AWS Cost Explorer 59. Which EC2 instance pricing model can offer up to a 90% discount off the on-demand price and be used in scenarios where interruptions to your instances will not impact the application workflow? A. Reserved Instances B. Spot Instances C. Dedicated Instances D. Dedicated Hosts 60. Which Amazon S3 storage class enables you to host 48 TB or 96 TB as part of the S3 storage capacity and provides the option to create a maximum of 100 S3 buckets on-premises? A. Standard storage class B. Standard One-Zone (IA) C. Glacier D. Amazon S3 on Outposts 61. Which type of policy can you create to grant anonymous access to the objects stored in an S3 bucket that can be used to host website assets? A. IAM policy B. IAM permission boundaries C. Resource policy D. SNS policy 556 Mock Tests 62. Which AWS service enables you to register new domain names for your corporate business requirements? A. AWS DNS B. AWS Route53 C. AWS VPC D. Amazon Macie 63. Which AWS service offers image and video analysis that can be used to identify objects, people, text, scenes, and other activities? A. Amazon Rekognition B. Amazon Kinesis Video Streams C. Amazon Prime D. Amazon Athena 64. Which AWS service offers text search and analytics capabilities that can store, analyze, and perform search functions against big data volumes in near real time? A. Amazon Redshift B. Amazon ElastiCache C. Amazon Elastisearch D. Amazon Search 65. You plan to migrate your entire on-premises network to the cloud and have also decided to move away from physical desktops and workstations to a complete VDI solution. 
Which service on AWS enables you to provision virtual desktops in the cloud, accessible via a web browser? A. Amazon EC2 B. Amazon Lightsail C. Amazon WorkSpaces D. Amazon EKS 562 Answers Chapter 14 1. A and B 2. B 3. A 4. A 5. A 6. B Chapter 15 1. A 2. A 3. A 4. C 5. B Chapter 16 Mock Test 1 1. C Infrastructure as a Service (IaaS) is a cloud service model that gives you access to virtualized infrastructure components comprising computing, network, and storage services. This is very similar to hosting your own VMware or Hyper-V virtualized platforms, where you deploy servers, attach storage volumes, and configure network connectivity services. However, the primary difference is that you do not have access to the underlying hypervisor platform with cloud-hosted IaaS solutions. IaaS offerings give the greatest amount of control over how the virtual components of your infrastructure are configured and also require you to take responsibility for managing, maintaining, and enforcing security measures for those components. Chapter 16 563 2. C Companies who wish to move their entire suite of applications to the cloud would normally carry out a series of migration projects over time. During this migration phase, connectivity between the on-premises environment and the AWS cloud would be required to facilitate the migration. Many companies may also require a more permanent hybrid design architecture. This could be because certain types of applications need to be in much closer proximity to the on-premises infrastructure where users are based, such as your corporate office network, ultimately ensuring low-latency access, data residency requirements, or even unique local data processing requirements. AWS offers several services to build hybrid clouds from VPN technologies and Direct Connect services to offering on-premises services such as AWS Storage Gateway and AWS Outposts. 3. 
A and B There are several reasons why you would choose a specific AWS Region to deploy your applications in, including the need for closer proximity to your end users and thus to reduce latency, data residence laws, regulatory requirements, the choice of services available, and costs. 4. C Edge locations are AWS infrastructure facilities located across the globe that help cache content for Amazon CloudFront. Any content that is accessed from the origin is cached locally at one or more edge locations closer to users to access that content for a particular time to live (TTL). This way, repeated access to the same content is delivered over a low latency connection. 5. B AWS Storage Gateway enables you to build hybrid cloud solutions by giving access to the Amazon S3 and Glacier environments from your on-premises network. You install and configure the gateway appliance at your on-premises location and can use any one of four gateway types to access unlimited storage in the cloud. These gateway types are Amazon S3 File Gateway, Amazon FSx File Gateway, Tape Gateway, and Volume Gateway. 564 Answers 6. B The Developer Support plan gives you access to technical support via email and chats only. This support plan is cheaper than the Business and Enterprise Support plans and is recommended for experimenting with or testing applications on AWS. 7. A and B Several services are configured from a global perspective on AWS. For example, with IAM, every IAM user in your AWS account is unique across the entire AWS Global Infrastructure. The same applies to Amazon Route53, where domain names configured in host zones have a global presence across all Regions on AWS. Another global service on AWS is Amazon CloudFront. 8. C One of the six advantages of cloud computing is the ability to go global in minutes. 
This is made possible because, as an AWS customer, you have access to all Regions and Availability Zones where you can provision the resources required to host your application in a matter of minutes. 9. A Amazon CloudWatch enables you to set up alarms that can be triggered when a particular threshold is crossed. You can set up an alarm for billing alerts that monitors when your total spend crosses a specified dollar amount. This alarm can be configured to send out an alert to an email address that uses the Amazon SNS service. 10. A Amazon EBS is like the virtual hard disks (volumes) that you attach to EC2 instances. They need to be provisioned in the same availability where the EC2 instance has been launched to be attached to that EC2 instance. Furthermore, you cannot attach an EBS volume to an EC2 instance in another Availability Zone. You could take a snapshot of the EBS volume and launch a new volume in another Availability Zone from that snapshot if required. 11. A AWS IAM Password Policies enable you to define custom policies on your AWS account to specify complexity requirements and mandatory rotation periods for your IAM users' passwords. This ensures that IAM user accounts are created with complex, hard-to-crack passwords. Chapter 16 565 12. A Multi-Factor Authentication (MFA) is a recommended best practice authentication security measure. It requires you to authenticate with a username and password, as well as a security token generated by a physical or virtual device you own. Used together, these factors provide increased security for your AWS account settings and resources. 13. B An IAM Group can be used to club users who share common job functions. You can then assign the necessary permissions to the IAM Group, which will filter down to the IAM users that are members of the group. Where possible, entities that need access to services and resources on AWS ought to be granted access via IAM roles using temporary security credentials. 
For example, users who need to access resources in another AWS account can be granted permission to assume a role rather than having to create IAM accounts for them in the other account. This is considered best practice and AWS highly recommends this approach. 14. C An IAM role enables you to grant external users access to resources in your AWS account using temporary credentials that are managed by the AWS Security Token Service (STS). An IAM role will also have an IAM policy attached to it that specifies the exact set of permissions the role will grant to the external user(s). 15. A AWS Pricing Calculator can help you estimate the monthly costs of the resources you wish to provision on AWS. In addition to specifying the expected usage for the month, to calculate the cost of the resources, you can provide additional details such as the amount of data transferred in and out of the AWS Region and cross-Region to get a complete estimate. 16. A You can use cost allocation tags to identify your resource costs on your cost allocation report and track your AWS costs by resources and who owns them. AWS provides two types of cost allocation tags: AWS-generated tags and user-defined tags. 566 Answers 17. A AWS Cost Explorer enables you to view 12 months of usage and spending data, as well as a forecast of what your future costs will be for the next 12 months. Cost Explorer can also provide information on how much of your RI you have utilized, as well as the savings that have been made from using RIs over on-demand options for EC2 Amazon Redshift, Amazon RDS, and more. 18. B To access an AWS account as an IAM user, you need to create a set of access keys, which is a combination of an access key ID and a secret access key. Note these keys are considered long-term access keys. One set of keys is associated with a specific IAM user. 19. D You can create an IAM role with the necessary permissions to upload objects to a specific Amazon S3 bucket. 
You should then deploy your EC2 instances with this role attached (this involves creating an instance profile associated with the role). The IAM role will enable the application running on the EC2 instance to access the Amazon S3 bucket. Using an IAM role, the EC2 instance will obtain temporary credentials from the Security Token Service (STS). 20. A AWS Policy Simulator can help you identify which set of policies are allowed and which are denied against specific identities, groups of identities, and IAM roles. You can obtain granular visibility into specific permissions that have been allowed and denied, helping you troubleshoot access issues. 21. A The IAM Credentials Report enables you to review IAM user accounts created in your AWS account. You can identify if an IAM user has been configured with a username and password, as well as access keys. You can also identify IAM users that may not have accessed resources in your AWS accounts recently, which may indicate that those accounts may not be required anymore. Regularly deleting unwanted IAM user accounts is part of the security best practice. 22. D Permission boundaries enable you to define the maximum set of permissions that can be granted by an identity-based policy for an IAM user or IAM role. Chapter 16 567 23. C SCPs is a feature of the AWS Organization service that enables you to set the maximum set of permissions that can be defined for member accounts. You can also set policies to prevent the root users of member accounts from removing the membership to an organization management account once the invitation to become a member account has been accepted. 24. A Amazon S3 Standard-IA can be used to store objects that you are not going to frequently access, but at the same time, you have instant access to the data when you need it. 25. 
A You can create a resource policy with a condition statement that allows you to restrict the application of the policy based on a predefined condition, such as the corporate office network IP block. 26. D Amazon S3 Intelligent Tiering is ideal if you are unsure of what your object access patterns might be. Objects are automatically transitioned across four different tiers, two of which are latency access tiers, which are designed to move objects between frequently accessed and infrequently accessed tiers, while the other two are optional archive access tiers. For the infrequent access tier, if you do not access your objects for 30 days, then it transitions to the Amazon S3 Standard-IA storage class, which is cheaper. If you need to access the same objects again later, they are transitioned back to the Amazon S3 Standard storage class. 27. B To protect against accidental deletions or overwriting, Amazon S3 Versioning can be enabled. This service ensures that if someone tries to perform a delete request on an object without specifying the version ID, it will not be deleted. Instead, a delete marker will be added and the object will be hidden from view. You can then delete this marker to reenable access to the object. You should also consider setting a bucket policy so that not all users can perform delete requests. 568 Answers 28. A Amazon S3 CRR is used to asynchronously copy objects across AWS buckets in different AWS Regions. This feature can be used to fulfill compliance and regulatory requirements, which may require you to store copies of data thousands of kilometers away for Disaster Recovery (DR) purposes. 29. C With SSE-KMS, you can encrypt your objects in Amazon S3. You can create and manage your CMKs, as well as benefit from the auditing feature, which shows when your CMK was used and by whom. This service integrates with Amazon CloudTrail to offer full auditing features. 30. 
B If you need urgent access to just a subset of your archives, you can opt for the Expedited retrieval option. Expedited retrievals are made available within 1 to 5 minutes for archives of up to 250 megabytes (MB). 31. A S3TA reduces this speed variability that is often experienced due to the architecture of the public internet. S3TA routes your uploads via Amazon CloudFront's globally distributed edge locations and AWS backbone networks. This, in turn, gives faster speeds and consistently low latency for your data transfers. 32. B The Amazon Snowball Edge Storage Optimized device offers a larger storage capacity and is ideal for data migration tasks. With 80 TB of HDD and 1 TB of serial advanced technology attachment (SATA) SDD volumes, you can start moving large volumes of data to the cloud. The device also comes with 40 vCPUs and 80 GB of memory. 33. B Amazon FSx File Gateway enables you to connect your on-premises Windows applications that need large amounts of storage to the cloud-hosted Amazon FSx service for Windows File Server with low latency connectivity. Amazon FSx File Gateway also supports integration with Active Directory (AD) and the ability to configure access controls using ACLs. Chapter 16 569 34. B NAT gateways help relay outbound requests to the internet on behalf of EC2 instances configured to use them. The NAT gateway replaces the source IPv4 address of your EC2 instances with the private IP address of the NAT gateway, thus acting as a proxy. Response traffic is then redirected by the NAT gateway back to the private IP address of the EC2 instance that made the original request. 35. B Security groups are stateful. This means that even if you have not configured any inbound rules, response traffic to any outbound requests will be permitted inbound by the Security Group. Similarly, if you configured any inbound rules, outbound response traffic to any inbound traffic is permitted, without you having to explicitly create those outbound rules. 36. 
A A VPC peering connection is a private network connection between two VPCs. The service allows you to connect multiple VPCs so that instances in one VPC can access resources in another VPC over a private IP address space. 37. A The problem with VPC peering, when you're configuring multiple VPC to connect, is that every VPC must establish a one-to-one connection with its peer. This can quickly create complex connections that are difficult to manage. Route tables for each VPC also need to be configured for every peering connection. AWS Transit Gateway allows you to connect your VPCs via the gateway in a hub-and-spoke model, greatly reducing this complexity as each VPC only needs to connect to the Gateway to access other VPCs. 38. C Direct Connect is a service that enables you to connect your corporate data center to your VPC and the public services offered by AWS, such as Amazon S3, via a dedicated private connection that bypasses the internet altogether. The service enables you to achieve bandwidth connectivity of up to 100 Gbps. 39. B You can set up a VPN connection between your on-premises network and your VPC. This is a secure encrypted site-to-site tunnel that's established between two endpoints over the public internet. It offers AES 128 or 256-bit IPsec encryption, which means that you can transfer data between the two endpoints securely. 570 Answers 40. A Amazon Route53 can help you create alias records so that when a user types in a corporate domain-friendly name into the browser, it will direct the traffic to an AWS service, such as an ALB, giving access to the web application. 41. A Amazon Route 53 offers domain name registration. You can purchase and manage domain names such as example.com and Amazon Route 53 will automatically configure the DNS settings for your domains. 42. C To offer high availability of your web application, you can host two copies of your resources ideally across different Regions. 
One set of resources will be designated as your primary resource and the other as a secondary resource. If the primary resource is offline, then users' requests are redirected to the secondary resource. 43. C Amazon CloudFront is a Content Delivery Network (CDN) that helps you distribute your static and dynamic content globally over low latency connections. The service caches content at edge locations closer to where your users are accessing the website. 44. A To launch an EC2 instance with a custom AMI that you have built in another Region, you need to ensure that you copy the AMI to that Region. 45. D Accelerated Computing EC2 instance types are designed with hardware accelerators, or co-processors, to perform complex functions. They are best for processing complex graphics, number crunching, and machine learning. 46. D A Dedicated Host is a physical host dedicated for your use alone and gives you additional control and management capability over how instances are placed on a physical server. In addition, dedicated hosts can help address certain third-party licensing terms that are based on a per-CPU core/socket basis. Chapter 16 571 47. A On-Demand is ideal for users who need the flexibility to consume compute resources when required and without any long-term commitment. They are ideal for test/dev environments or for applications that have short spiky or unpredictable workloads. 48. D Provisioned IOPS SSDs offering high-performance EBS storage is ideal for critical, I/O-intensive databases and application workloads. 49. D Using an All Upfront payment option for your RIs means paying for the entire term of the RI upfront at the beginning of the contract. You do not get a monthly/hourly bill and you benefit from the maximum available discount. Furthermore, a 3-year commitment will offer a bigger discount than a 1-year one. 50. 
50. B Amazon Lightsail is a VPS solution that comes pre-configured with common application stacks such as WordPress, Drupal, Plesk, LAMP, and your chosen operating system. You choose the size of the server and it comes preconfigured with SSD storage, an IP address, and more. The best part about Lightsail is that you have a fixed monthly fee based on the instance type and the associated operating system and applications that have been deployed.

51. B The ECS Fargate Launch Type enables you to set up your ECS environment without having to spin up EC2 instances, provision and scale clusters, or patch and update virtual servers yourself. AWS will manage how the ECS tasks are placed on the cluster, scale them as required, and fully manage the entire environment for you.

52. B Amazon Lambda is a serverless offering from AWS that allows you to run code and perform some tasks. Amazon Lambda is known as a Function as a Service (FaaS) solution that can be used to build an entirely serverless architecture comprised of storage, databases, and network capabilities where you do not manage any underlying servers.

53. B Microsoft Windows-aware applications that need to share files can easily use FSx for Windows File Share, which offers support for the SMB protocol and Windows NTFS, AD integration, and Distributed File System (DFS).

54. A Amazon EFS can be used by Linux-based EC2 instances as a centralized file storage solution. This is particularly useful when you have applications deployed across multiple EC2 instances that need to share common files. Amazon EFS can also be accessed from on-premises servers over a VPN or Direct Connect service.

55. D When you launch a server (Windows or Linux), you must configure it to be associated with a key pair. This is an encrypted key where you will be able to use your private key to log in to Linux-based servers or decrypt the Windows administrator password using the AWS Management Console.

56. C AWS Outposts is ideal when you want to run AWS resources with very low latency connections to your on-premises application or if you require local data processing due to any compliance and regulatory requirements. You can get AWS Outposts delivered to your local on-premises location as a 42U rack and can scale from 1 rack to 96 racks to create pools of compute and storage capacity.

57. A AWS Batch can be used to run thousands of batch computing jobs on AWS for performing various types of analysis. AWS Batch will set up and provision the necessary compute resources to fulfill your batch requests. There is no need to deploy server clusters as AWS takes care of this for you.

58. B Amazon EKS is designed to help you deploy, manage, and scale containerized applications using Kubernetes on AWS.

59. A The primary advantage of using Amazon RDS over installing databases on EC2 is the fact that AWS manages all the compute and storage provisioning, as well as performing all management tasks on the database. This frees you up to focus on your application and the infrastructure components that host the database.

60. B Amazon RDS offers a feature known as Multi-AZ where the primary (master) copy of your database is deployed in one Availability Zone and a secondary (standby) copy is deployed in another Availability Zone. Data is then synchronously replicated from the master copy to the standby copy continuously. If the master copy fails, AWS will promote the standby copy to become the new master and perform a failover.

61. B Amazon offers a Database Migration Service (DMS) that can be used to migrate the data from one database to another. This migration can be performed from your on-premises network to the AWS cloud over a VPN connection or a Direct Connect connection. AWS DMS offers support for both homogeneous migrations, such as from MySQL to MySQL or Oracle to Oracle, as well as heterogeneous migrations between engines, such as Oracle to Microsoft SQL Server or Amazon Aurora.

62. B Redshift Spectrum allows you to perform SQL queries against data stored directly in Amazon S3 buckets. This is particularly useful if, for instance, you store frequently accessed data in Redshift and some infrequently accessed data in Amazon S3.

63. D Amazon Aurora is an AWS proprietary database that maintains copies of the database placed across a minimum of three Availability Zones. Amazon Aurora is also five times faster than standard MySQL databases and three times faster than standard PostgreSQL databases. It also offers self-healing storage capabilities that can scale up to 128 TB per database instance.

64. C DynamoDB supports both key-value and document data models such as JSON. DynamoDB is a NoSQL database solution that offers a flexible schema and single-digit millisecond performance at any scale.

65. A Amazon QLDB is a fully managed ledger database that provides a transparent, immutable, and cryptographically verifiable transaction log owned by a central trusted authority. Amazon QLDB can maintain a history of all data changes.

Mock test 2

1. B In scenarios where you have a single RDS database instance deployed, your users are likely to experience a brief I/O suspension when your backup process initializes. By configuring your Amazon RDS database with Multi-AZ, the backup is taken from the standby copy of the database instead of the master. This will ensure that users do not experience any brief outages when trying to access the database.

2. A Amazon ElastiCache for Redis is designed for complex data types, offers Multi-AZ capabilities, encryption of data, and compliance with FedRAMP, HIPAA, and PCI-DSS, as well as high availability and automatic failover options.

3. C Amazon Redshift is AWS's data warehousing solution that is designed for analytics and is optimized for scanning many rows of data for one or multiple columns. Instead of organizing data as rows, Redshift transparently organizes data by columns. You can use standard SQL to query the database and use it with your existing BI tools.

4. A and B Detailed monitoring and use of Elastic Load Balancers will increase your EC2 instances' costs. This is because Elastic Load Balancers are not part of the free tier and you are charged based on each hour or partial hour that a load balancer is running and the number of Load Balancer Capacity Units (LCUs) used per hour. Furthermore, whereas basic monitoring is offered free of charge, detailed monitoring is a chargeable service.

5. B ALBs are designed to distribute traffic at the application layer (using HTTP and HTTPS). Furthermore, with ALBs, you can have multiple target groups, allowing you to define complex routing rules based on the different application components. You can configure path-based routing, host-based routing, and much more. You can also configure Lambda functions as targets for your load balancer.

6. A Network Load Balancers are designed to operate at the fourth layer of the OSI model and can handle millions of requests per second. Network Load Balancers are designed for load balancing both TCP and UDP traffic and maintaining ultra-low latencies.

7. C Using a load balancer, you can direct incoming traffic to multiple registered EC2 instances across multiple Availability Zones within a given Region. This enables you to offer high availability in case any of the EC2 instances fails or even if an entire Availability Zone goes offline.

8. C You need to configure listeners to specific ports that you will accept incoming traffic on and the ports you will use to forward traffic to the EC2 instances.

9. B The nodes of an internal load balancer only have private IP addresses and allow communication between the web layer and the internal application layer. The DNS name of an internal load balancer can be publicly resolved to the private IP addresses of the nodes. Therefore, internal load balancers can only route requests from clients with access to the VPC for the load balancer.

10. A When configuring your Auto Scaling group, you can define the minimum and maximum size of your group. You can also choose to keep the size of the group at an initial size that does not expand the group size but ensures that you always have the exact number of EC2 instances running.

11. B Amazon Auto Scaling can help you provision new EC2 instances based on CloudWatch metrics that change according to the load on your instances. Similarly, when demand drops, you can configure Auto Scaling to terminate unwanted resources and thus save on costs.

12. D AWS Trusted Advisor is an online tool that can offer guidance on AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. The service quota (service limits) category of Trusted Advisor can notify you if you use more than 80% of a service quota for a specific service. You can then follow recommendations to delete resources or request a quota increase.

13. A The AWS ALB service provides integration with Web Application Firewall (WAF), which helps protect against common web exploits such as SQL injection and cross-site scripting.

14. A With the target tracking scaling policy, Auto Scaling will launch or terminate EC2 instances in the fleet based on the target value of a specific metric. The target tracking policy tracks the metric value and attempts to ensure the correct number of EC2 instances are running to meet that target value.

15. B Amazon Simple Notification Service (SNS) is a push-based messaging and notification system that can be used to allow one application component to send messages to another application component or directly to end users. So, Amazon SNS can be used to send out alerts when a particular CloudWatch metric crosses a threshold for a period and triggers an alarm.

16. A The Fanout scenario enables you to publish messages to an SNS topic for parallel asynchronous processing. You send the notifications to supported endpoints such as Kinesis Data Firehose delivery streams, Amazon SQS queues, HTTP(S) endpoints, and Lambda functions.

17. B Amazon SQS is a fully managed message queuing solution that enables you to decouple your application components into distributed systems and facilitates the design and architecture of microservices. A queuing system such as Amazon SQS can help different components of your application work independently. Queues can hold messages in the form of requests/tasks until capacity is available.

18. B FIFO stands for First-In-First-Out and its queues are designed to preserve the order of your messages, as well as ensure only one-time delivery with no duplicates. With FIFO queues, you can get a throughput at a rate of 300 transactions per second. If you use batching, you can get up to 3,000 transactions per second, per API method (SendMessageBatch, ReceiveMessage, or DeleteMessageBatch).

19. B Amazon recommends using Amazon MQ for migrating applications from existing message brokers where compatibility with APIs such as JMS or protocols such as AMQP 0-9-1, AMQP 1.0, MQTT, OpenWire, and STOMP is required.

20. C Amazon EventBridge is a serverless event bus service that allows you to stream real-time events from your applications to supported targets such as Lambda functions, which can then be triggered to take some form of action. In the preceding example, EventBridge can trigger a Lambda function if someone tries to delete an object in your S3 bucket, and some action can be taken in response to the event.

21. B Amazon Step Functions enables you to define these workflows as a series of state machines that contain states that make up the workflow. These states make decisions based on input, perform some action, and produce an output to other states. Step Functions also allows you to integrate human interaction, particularly where manual intervention is required, and can run for up to 1 year.

22. C You can configure CloudWatch Events with a rule to trigger a Lambda function at a defined schedule. You would need to create the Lambda function and then, in the rule settings for CloudWatch Events, specify the Lambda function as a target to be triggered at the designated schedule.

23. C Kinesis Data Analytics lets you query and analyze stream data in real time. You can use standard programming and database query languages such as Java, Python, and SQL to query streaming data as it is being ingested.

24. A Amazon Athena is an interactive query service that can be used to analyze data in Amazon S3 using standard SQL. To set up the service, you need to specify the source S3 bucket and define a schema.

25. B Amazon Kinesis Firehose is designed to capture, transform, and deliver streaming data to several AWS services, including Amazon S3 and Redshift, in near real time. The service can also batch, compress, transform, and encrypt your data streams, thereby reducing storage usage and increasing security.

26. B Amazon QuickSight is a serverless Business Intelligence (BI) service that can help you build interactive dashboards and embed visualizations into your applications and web portals.

27. C AWS Glue is a fully managed ETL service that makes it easy for customers to prepare and load their data for analytics.

28. C Amazon EMR is a managed Hadoop framework that allows you to process vast amounts of big data. You can use open source tools such as Apache Spark, Apache Hive, Apache HBase, Apache Flink, Apache Hudi, and Presto.

29. B Amazon CloudFormation is a solution that can help you design, build, and deploy your infrastructure using code. You can create templates that use a declarative approach to instruct CloudFormation to build a precise infrastructure repeatedly, as required by your testing team. CloudFormation templates can also be configured to accept input parameters for environment-specific configurations and variations required in the build.

30. B AWS OpsWorks is a configuration management and orchestration service that enables you to provision resources such as servers both in the cloud and on-premises using Chef and Puppet. With OpsWorks, you can define service layers for your application stack such as the database layer, load balancer layer, and more.

31. A Amazon Elastic Beanstalk is a service that enables you to deploy your application without having to manually configure the underlying infrastructure that will support the application. You upload your code in a supported language and environment and AWS will provision the underlying infrastructure, such as the compute, storage, and network components, to support the application. Amazon Elastic Beanstalk will also enable you to specify how the underlying infrastructure components will be deployed – for example, you can specify the EC2 instance type and size that is deployed or enforce that a set minimum number of EC2 instances are deployed as part of an Auto Scaling group.

32. B In a multi-tier application architecture, backend operations such as application, middleware, or database operations are performed by the worker tier of your Elastic Beanstalk configuration. AWS Elastic Beanstalk will also provision an Amazon SQS queue to facilitate communication between the web services tier and the worker tier.

33. A and D CloudFormation templates can be written in both JSON and YAML format. These are declarative markup languages that can help CloudFormation provision infrastructure in your AWS account.

34. D Memory is a custom metric because memory metrics are at the OS level and cannot be monitored by default. To ingest custom metrics, you need to use the CloudWatch agent or the PutMetricData API action to publish them to CloudWatch.

35. B You can configure CloudWatch alarms to monitor a given resource metric, such as the average CPU utilization of an EC2 instance. If the metric crosses a specific threshold for a specified period, then the alarm can be triggered to take a certain action. The alarm only triggers if the threshold has been breached for a specified period.

36. B VPC Flow Logs can capture information about the IP traffic going to and from network interfaces in your VPC. You can configure VPC Flow Logs to capture all traffic to the VPC, a specific subnet, or a specific network interface of an EC2 instance.

37. C AWS CloudTrail stores event history from within the CloudTrail dashboard for every activity that occurs in your AWS account. You can create trails to store specific management events or data events, and to retain more than 90 days' worth of event history.

38. C AWS Config is a service that allows you to gain visibility into how your AWS resources are configured and deployed in your AWS account. This includes configuration information, as well as changes to those configurations over time. You can also use AWS Config to enforce specific configuration rules and ensure that you follow internal guidelines that fulfill compliance requirements.

39. A AWS Systems Manager's Patch Manager enables you to automatically patch your EC2 instances with security and application updates. Note that updates for applications on Windows servers are limited to those released by Microsoft.

40. A AWS Systems Manager's Parameter Store enables you to provide sensitive information such as passwords and database strings as parameter values. These values can be stored or encrypted, and your application can be configured to securely retrieve these values as they are needed from the Parameter Store.

41. A The AWS Systems Manager Incident Manager service offers a management console to track all your incidents and notify responders of the impact, identify data that can help with troubleshooting, and help you get services back up and running.

42. B AWS Trusted Advisor analyzes your resources and how they have been configured and compares those configurations against security practices to identify opportunities to save money, improve system availability and performance, or address security concerns.

43. B The AWS Trusted Advisor service offers different levels of checks based on the AWS support plan that you have subscribed to. To access the full range of checks across all categories, you must be subscribed to either the Business or Enterprise Support plan. With either of these plans, you can also use Amazon CloudWatch Events to monitor the status of Trusted Advisor checks.

44. C The Reliability pillar also focuses on how quickly you can recover from failure based on your architectural design. This is because failures are bound to happen and your architecture must be able to recover from these failures swiftly. One key concept that you should also consider is that replacing failed resources is often better than trying to figure out why the failure occurred and then attempting to resolve the issue that caused the failure.

45. A When architecting solutions for the cloud, you must select the resource types and sizes based on your performance needs, while monitoring your resources consistently to ensure you maintain those levels of performance as per demand. Amazon CloudFront can help you improve performance by reducing the latency associated with accessing large amounts of content across the globe. It does this by caching content locally at edge locations as it is being accessed.

46. D The Cost Optimization pillar focuses on ensuring that you architect and build solutions in a manner that avoids unnecessary costs. At the same time, you want to be able to ensure that your applications are highly performant, reliable, operationally efficient, and secure. To achieve cost optimization, you should understand your spending patterns and analyze where the money is going.

47. A Amazon RDS is a managed database service. The customer can provision databases and select the instance type and size to power the database. However, the customer cannot manage the instance itself as this is taken care of by AWS, which includes patching and installing database updates. In contrast, patching EC2 instances is the customer's responsibility as EC2 is not a fully managed service.

48. C Compliance reports and agreements are available via a portal on AWS known as AWS Artifact. These reports include AWS Service Organization Control (SOC) reports, Payment Card Industry (PCI) reports, and certifications from accreditation bodies across different Regions.

49. D As a customer, you need to follow the service policy for penetration testing, which includes permitted services and prohibited activities. Such prohibited activities are Denial of Service (DoS), DDoS, simulated DoS, and simulated DDoS.

50. B With SSE-KMS, you create and manage CMKs, and you use these keys to encrypt data keys and your data. SSE-KMS offers additional features such as auditing capabilities and integrates with CloudTrail.

51. B AWS CloudHSM is a dedicated Hardware Security Module (HSM) that allows you to generate and manage your encryption keys in the cloud. You are provided with dedicated FIPS 140-2 Level 3 validated HSM devices, placed in your VPC, that are fully managed for you by AWS.

52. D AWS Shield is a fully managed service offering protection against DDoS attacks. AWS Shield Advanced offers additional protection against attacks on your EC2 instances, ELBs, CloudFront, Global Accelerator, and Route53 resources. The service also offers a dedicated AWS Shield Response Team (SRT) 24/7 to assist you in handling such attacks.

53. A AWS WAF can help protect applications at layer 7 of the OSI model, which helps you monitor and protect traffic over HTTP and HTTPS. This allows you to protect your content from common web exploits, such as SQL injection and cross-site scripting.

54. A Amazon Macie uses machine learning and pattern matching techniques to detect and alert on any sensitive data, such as PII, stored in Amazon S3.

55. A Amazon Cognito enables you to set up identity and access control solutions for your web and mobile applications using standards such as OAuth 2.0, SAML 2.0, and OpenID Connect. With Amazon Cognito, you can create user pools and identity pools.

56. C AWS GuardDuty is a threat detection service that can analyze and detect malicious activity against your AWS accounts and application workloads. The service can detect the use of exposed credentials, any communication with malicious IP addresses and domains, as well as irregular activities carried out in your AWS account.

57. C Amazon Detective can extract time-based events such as logins and network traffic from AWS CloudTrail and Amazon VPC Flow Logs, as well as ingest your GuardDuty findings, to determine the root cause of those security findings.

58. B With the Migration Evaluator service, you can use the AWS Application Discovery Service, the TSO Logic agentless collector, or third-party tools to discover and gain insights into your current compute, storage, and total cost of ownership. The agentless collector tool can analyze any on-premises resources and requires only read-only access to your VMware, Hyper-V, Windows, Linux, Active Directory, and SQL Server infrastructure.

59. B Spot EC2 instances are ideal for applications that are fault-tolerant, scalable, or flexible, and where your application can tolerate interruptions. Spot Instances can save you up to 90% on On-Demand prices and there is no upfront commitment.

60. D Amazon S3 on Outposts offers durability and redundancy by storing data across multiple devices and servers hosted on your Outposts. It is ideal for low-latency access, while also enabling you to meet strict data residency requirements.

61. C Resource policies are designed to enable access to resources such as objects in an Amazon S3 bucket. This policy enables you to identify a principal that you grant access to. With resource-based policies, you can configure the principal as a wildcard (*), which denotes anyone, and enables you to grant anonymous access.

62. B Amazon Route53 offers complete domain name registration services. When you choose a name to register, you do so under a top-level domain (TLD) such as .com, .co.uk, .org, or .net. If the name of choice under a particular TLD is not available, you could try a different TLD.

63. A Amazon Rekognition is a service that uses machine learning to identify objects, people, text, scenes, and activities in images and videos, as well as to detect any inappropriate content. Amazon Rekognition can be used for various application solutions such as identifying people, or sensitive data such as PII, in images and videos.

64. C Elasticsearch is an open source full-text search and analytics engine that can analyze all types of data such as textual, numerical, geospatial, structured, and unstructured data. Amazon Elasticsearch offers integration with Kibana, which is a data visualization tool, and Logstash, which is an open source, server-side data processing pipeline.

65. C Amazon WorkSpaces is an end user computing service that enables you to deploy virtual Linux and Windows desktops in the cloud. AWS manages these virtual desktops, including security patching and managing the operating system. With Amazon WorkSpaces, you can consider migrating away from your on-premises desktop infrastructure to a Virtual Desktop Infrastructure (VDI) solution.
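Answer 61 of mock test 2 notes that a wildcard principal in a resource-based policy grants anonymous access. As an added example that is not part of the book, the following checker reads an S3 bucket policy document and reports every Allow statement whose principal is "anyone"; the bucket name, role name and account ID in the two constructed policies are placeholders.

```python
"""Flag S3 bucket policy statements that grant anonymous access.

Added example (not from the book): a small reviewer's check for the
wildcard principal described in mock test 2, answer 61. Bucket names,
the role name and the account ID below are constructed placeholders.
"""
import json

# Constructed policy: public read on every object. In a resource-based
# policy, "Principal": "*" means any caller, signed or not.
ANONYMOUS_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})

# Constructed policy: the same read access, but limited to one IAM role
# in a placeholder account (123456789012).
SCOPED_READ_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "RoleRead",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::123456789012:role/app-reader"},
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::example-bucket/*",
    }],
})


def _principal_is_wildcard(principal) -> bool:
    """True if a Principal element denotes 'anyone'.

    Both the bare string "*" and {"AWS": "*"} mean anonymous access;
    the "AWS" entry may also be a list that contains "*".
    """
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        if isinstance(aws, str):
            aws = [aws]
        return "*" in aws
    return False


def anonymous_statements(policy_json: str) -> list:
    """Return the Sids of Allow statements that use a wildcard principal.

    A Deny with a wildcard principal is not a grant, so it is skipped.
    A Condition block is flagged alongside the Sid so a reviewer can judge
    whether it narrows the grant enough; this checker does not evaluate it.
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be unwrapped
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if _principal_is_wildcard(stmt.get("Principal")):
            sid = stmt.get("Sid", "<no Sid>")
            findings.append(sid + (" (conditional)" if "Condition" in stmt else ""))
    return findings


if __name__ == "__main__":
    for name, doc in (("anonymous", ANONYMOUS_READ_POLICY),
                      ("scoped", SCOPED_READ_POLICY)):
        print(name, anonymous_statements(doc))  # anonymous ['PublicRead'] / scoped []
```

Running it prints the wildcard statement for the first policy and nothing for the scoped one; in a real account, S3 Block Public Access is the control that stops such a policy from taking effect.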