
QUESTION NO: 02

An apparel marketing firm runs large and small data analytics jobs on large, petabyte-scale datasets.
Most of the data is unstructured. Therefore, Amazon Redshift is used for data warehousing. An
apparel company has launched a product offering IoT services. The firm is tasked with collecting,
processing and analyzing IoT telemetry data.

Which of the following Amazon products are most suitable to process and analyze IoT telemetry data?
(Select two.)

1. Amazon Athena
2. Interactive analytics
3. Amazon EMR
4. Spark framework
5. Amazon Kinesis
6. Real-Time analytics

Answer: 5, 6
Explanation:
For real-time analytics, Amazon Kinesis makes it easy to collect, process and analyze streaming
data such as IoT telemetry data, application logs, and website clickstreams. This enables you to
process and analyze data as it arrives in your data lake, and to respond in real time instead of having
to wait until all your data is collected before the processing can begin.

Amazon Athena with interactive analytics is suitable for analyzing data directly in S3 and Amazon
Glacier. Amazon EMR uses the Spark framework to process vast amounts of data cost-effectively. They
are not suitable for IoT data.

URL: https://aws.amazon.com/big-data/datalakes-and-analytics/
Title: Data lakes and analytics on AWS
Domain: 5
Level: Associate
Difficulty: 4
Tags: Amazon Kinesis, real-time analytics, IoT telemetry data.

QUESTION NO: 3
A company recently launched a website that serves insider reports on Wall Street trading. The
reports are placed in an S3 bucket with a CloudFront distribution. You have configured CloudFront
signed URLs to restrict access to the files. However, the files in the bucket can be shared or
accessed through direct links. So you have decided to create an origin access identity that can be
associated with the distribution. You also need to change permissions on the Amazon S3 bucket to
allow the origin access identity to have read permissions.

How will you create a CloudFront origin access identity using the console?

1. Click access identity tab, choose Edit and click Yes for restrict bucket access
2. Click Edit, choose the origin and select distribution settings
3. Click Origins tab, choose Edit and click Yes for restrict bucket access
4. Click Origins tab, choose use existing identity and select identity in the identities list.

Answer: 3
Explanation:
If you didn't create an origin access identity when you created your distribution, do the following.

• Sign in to the AWS Management Console and open the CloudFront console at
https://console.aws.amazon.com/cloudfront/.
• Click the ID of a distribution that has an S3 origin, and then choose Distribution Settings.
• Choose the Origins tab.
• Choose an origin, and then choose Edit.
• For Restrict Bucket Access, choose Yes.

There is no access identity tab to click. The second option is also wrong because you have to select
Distribution Settings first, then choose the origin and click Edit. The existing identity settings can only be
used when you have an OAI already in use and you want to use it as a template.

URL: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html
Title: Restricting Access to Amazon S3 Content by Using an Origin Access Identity
Domain: 3
Level: Associate
Difficulty: 3
Tags: Amazon CloudFront, S3 buckets, Origin access identity.
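
Question 3 also requires changing the bucket permissions so that the origin access identity can read the objects. The following added example (not part of the original question set) builds such a bucket policy and checks an existing policy for Allow statements that still let any other principal read objects directly. The bucket name and OAI ID are constructed placeholders, and the check looks only at Effect, Principal and Action; it does not evaluate Condition blocks, NotPrincipal or object ACLs.

```python
import json

# Constructed placeholders: the OAI ID and bucket name are not real resources.
BUCKET = "example-reports-bucket"
OAI_ARN = ("arn:aws:iam::cloudfront:user/"
           "CloudFront Origin Access Identity EXAMPLEOAIID")
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def oai_read_policy(bucket, oai_arn):
    """Bucket policy that lets only the OAI read objects in the bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"AWS": oai_arn},
            "Action": "s3:GetObject",
            "Resource": f"arn:aws:s3:::{bucket}/*",
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def direct_read_principals(policy, oai_arn):
    """List principals other than the OAI that an Allow statement lets read objects."""
    offenders = []
    for stmt in _as_list(policy.get("Statement", [])):
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if stmt.get("Effect") != "Allow" or not actions & READ_ACTIONS:
            continue
        principal = stmt.get("Principal", {})
        names = ["*"] if principal == "*" else [
            p for v in principal.values() for p in _as_list(v)]
        offenders += [p for p in names if p != oai_arn]
    return offenders


# Constructed "before" policy: the OAI statement plus a leftover public-read grant.
LEGACY_POLICY = oai_read_policy(BUCKET, OAI_ARN)
LEGACY_POLICY["Statement"].append({
    "Effect": "Allow", "Principal": "*",
    "Action": ["s3:GetObject"], "Resource": f"arn:aws:s3:::{BUCKET}/*"})

if __name__ == "__main__":
    print(json.dumps(oai_read_policy(BUCKET, OAI_ARN), indent=2))
    print("non-OAI readers:", direct_read_principals(LEGACY_POLICY, OAI_ARN))
```

An empty result means only the OAI can read through the bucket policy, so direct S3 links no longer bypass the CloudFront signed URLs.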

QUESTION NO: 4
A solutions architect created an EBS volume attached to an EC2 instance. Snapshots are created for
backup to ensure disaster recovery. The company wants to encrypt snapshots. However, encryption
by default is not enabled due to the company's policy.

What should be done to encrypt a snapshot without enabling default encryption? (Choose two.)

1. Create a CMK key and attach it to the snapshot
2. Encrypt the snapshot by defining default CMK
3. Issue the command Createencryption
4. Set the Encrypted parameter on the resulting snapshots
5. Set the optional KmsKeyId parameter on the resulting snapshot

Answer: 4, 5
Explanation:
Without encryption by default enabled, a copy of an unencrypted snapshot is unencrypted by
default. However, you can encrypt the resulting snapshot by setting the Encrypted parameter and,
optionally, the KmsKeyId parameter. If you omit KmsKeyId, the resulting snapshot is encrypted by
your default CMK. You must specify a key ID to encrypt the volume to a different CMK.

You cannot just create a CMK key and attach it to the snapshot. A CMK is generated by issuing the
CreateVolume command or by setting the Encrypted and KmsKeyId parameters. The default CMK is
already available. There is no need to define it, nor can it be used solely to encrypt a snapshot.
Similarly, there is no such command as createencryption. CreateVolume is the command that can be
used to encrypt a volume.

URL: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.html
Title: Amazon EBS Encryption
Domain: 3
Level: Associate
Difficulty: 2
Tags: EBS volume, encrypted snapshot, CMK

QUESTION NO: 05
As a solutions architect, you have been instructed by your company to secure resource access to the
applications in the AWS cloud. Using Secrets Manager, you have created a secret keyid to access
a DynamoDB database residing in a separate EC2 instance. You have created the secretid using an ARN.
The secret has a binary value.

What file formats are supported by the AWS console to format key-value pairs?

1. Plaintext or JSON
2. Binary or string
3. YAML or ConfigObj
4. XML or ASCII

Answer: 1
Explanation:
The AWS console only supports string values containing plaintext or JSON-formatted key-value
pairs. Binary secrets must be managed via the API.
Binary and string are values, not file formats. YAML and ConfigObj are not used by Secrets
Manager. Similarly, XML and ASCII file formats are not supported by Secrets Manager. The string
values that format key-value pairs support JSON or plaintext only. Secrets Manager won't be able to
understand any other format.

URL: https://medium.com/@zaccharles/store-and-rotate-api-keys-with-aws-secrets-manager-26f7f7a6c211
Title: Store and Rotate API Keys with AWS Secrets Manager
Domain: 3
Level: Associate
Difficulty: 2
Tags: JSON, string values, AWS console, secrets manager
