Q1. You are managing a new team tasked with designing network infrastructures
for clients. You hold a training session to go over how to configure subnets. How
would you explain the rules of associating subnets with a specific network ACL?
(Choose 3 answers)
Answer: A,B,C
Explanation: To apply the rules of a network ACL to a particular subnet, you must
associate the subnet with the network ACL. You can associate a network ACL
with multiple subnets; however, a subnet can be associated with only one
network ACL. Any subnet not explicitly associated with a network ACL is
automatically associated with the default network ACL.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html#NetworkACL
Q2. Your team has found that a client's load balancer needs to be configured with
support for SSL offload using the default security policy. When negotiating the
SSL connections between the client and the load balancer, you want the load
balancer to determine which cipher is used for the SSL connection. Which
Answer: A,B,D
instance."
Answer: C
Explanation: Creating a custom AMI of the instance for which you are trying to
provide HA allows you to bring the instance online quickly with no build time.
Moving the EIP from the instance you are replacing to the new instance will send
all traffic to the new instance without any change to DNS, which would take time
to propagate. Using the AutoRecover option will not replace the unhealthy or
failing instance. It will only try to restart it on another host. Creating a "Steady
State" Auto Scaling Group would also be a good solution, although using 2 as a
minimum would have a higher cost.
Reference:
http://media.amazonwebservices.com/AWS_Building_Fault_Tolerant_Applications.pdf
Q4. You are planning to deploy storage gateway on-premises. What are the
minimum resources that have to be dedicated to the storage gateway VM?
(Choose 3 answers)
A. 80 GB of free disk space
B. 4 virtual processors
C. 100 GB of free disk space
D. 16 GB of RAM
Answer: A,B,D
Explanation: When deploying your gateway on-premises, you must make sure
that the underlying hardware on which you are deploying the gateway VM is able
to dedicate the following minimum resources:
- Four virtual processors assigned to the VM.
- 16 GB of RAM assigned to the VM.
- 80 GB of disk space for installation of VM image and system data.
Reference:
http://docs.aws.amazon.com/storagegateway/latest/userguide/Requirements.html
Q5. You are developing a new application in which you need to transfer files over
long distances between client-side storage and an S3 bucket. You decide to try
sending data to the S3 bucket using S3 Transfer Acceleration. What must you do
to achieve this? (Choose 2 answers)
A. Use the CLI S3 accelerate upload commands.
B. Use the SDK S3 accelerate upload commands.
C. Turn on S3 Transfer Acceleration for the bucket.
Answer: C,D
Explanation: After you turn on S3 Transfer Acceleration for a bucket, two new
endpoints are created for the bucket: one for IPv4 and one for IPv6. You can use
either the accelerate endpoints or the standard endpoints if you choose not to
use the accelerate feature.
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html
Q6. An instance is connected to an elastic network interface hosted on a subnet.
The elastic network interface of the instance is then changed to a different elastic
network interface hosted on a different subnet. What changes occur with regard to
the instance and the NACLs assigned at the subnet? (Choose 2 answers)
A. The instance follows the rules of the newer subnet.
B. The instance follows the rules of the original subnet.
C. The NACLs of the new subnet apply to the instance.
D. The instance follows both rules of both subnets.
Answer: A,C
Explanation: The ENI subnet location is controlled by the associated NACLs. For
example, if you're launching an instance into a subnet that has an associated
IPv6 CIDR block, you can specify IPv6 addresses for any network interfaces that
you attach.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
Q7. The CTO of a customer has asked you to plan a move of 100s of TB of data
into AWS. You typically use Amazon Snowball for these types of requests. What
solution would provide the fastest transfer of data to Snowball?
A. Use a server with lots of memory, CPU, and networking capacity to run the
client software.
B. Use a client workstation with lots of memory, CPU, and networking capacity to
run the client software.
C. Use multiple workstations to run the client software.
D. Use a powerful EC2 instance type to run the client software.
Answer: C
application. The upload is CPU, memory, and networking intensive. If you are
uploading large amounts of data, Amazon recommends that you run the client
software on multiple workstations to distribute the load and thereby shorten the
Reference:
http://docs.aws.amazon.com/snowball/latest/ug/transfer-petabytes.html
Q8. Your team is setting up DynamoDB for a client. You need to explain to them
how DynamoDB tables are partitioned. Which calculations are used to determine
the number of partitions that will be created? (Choose 2 answers)
Answer: C,D
Explanation: DynamoDB tables are partitioned based on the following: First,
calculate total RCU/3000 + total WCU/1000. Then calculate total size/10 GB.
Then round up the higher of the two results.
Reference:
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GuidelinesForTables.html
Q9. You've carefully designed your auto-scaling groups and launch
configurations for application servers based on the recommended specifications
from the developers. The applications will be launched into separate regions. In
US East there are no issues when initializing the application cluster. US West
deployments generate error messages indicating the user request of an auto
scaling group has failed. How can you attempt to solve this problem? (Choose 2
answers)
B. Update your auto-scaling group with a new launch configuration and new
instance type.
C. Ask the design team for different specifications for the application servers.
D. Create a new launch configuration following the recommendations listed in the
error message.
Answer: B,D
times. In almost all cases, updating your Auto Scaling group with a new
Reference:
http://docs.aws.amazon.com/autoscaling/latest/userguide/CHAP_Troubleshooting.html
Q10. You are designing monitoring and operation management for your
environment on AWS and in the process of deciding which metrics to start with
for your monitoring. Which of the following metrics should be included in your
initial monitoring plan at minimum? (Choose 3 answers)
Answer: A,B,D
D. Create an auto-scaling group of a minimum and maximum of one instance; set
up CloudWatch alerts to scale the auto scaling group.
Answer: C
Explanation: CloudWatch alarms are the easiest to set up for this example. You
can add the stop, terminate, reboot, or recover actions to any alarm that is set on
an Amazon EC2 per-instance metric, including basic and detailed monitoring
metrics provided by Amazon CloudWatch (in the AWS/EC2 namespace), as well
as any custom metrics that include the "InstanceId=" dimension, as long as the
InstanceId value refers to a valid running Amazon EC2 instance.
Reference:
http://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/UsingAlarmActions.html
Q12. While designing network security for your environment on AWS you are
considering the role of Network Access Control Lists and how they will affect
resources. In that context you have created a custom NACL that is intended for
private subnets in your VPC. Which services and resources below are restricted
by this NACL's rules? (Choose 2 answers)
A. Customer gateway attached through VPN connection
B. EC2 instances in any subnet (public or private) that has this NACL associated
with it
C. EC2 instances in private subnets even if the NACL is not applied on it
D. RDS instances created in private subnets with this NACL associated with it
Answer: B,D
Explanation: NACLs control stateless access at the subnet level for all traffic.
These rules apply to all instances in the subnet, so you must be careful not to
make your security group rules too permissive.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html#ACLs
Q13. You are working on a plan to mitigate DDoS attacks. You want to make sure
that your front-line EC2 instances can handle the larger volumes of incoming
traffic that would be delivered during an attack. Which EC2 instances would best
provide this functionality?
A. EC2 instances with a very limited number of ports open
B. EC2 instances with multiple ENIs
C. EC2 instances with a higher ratio of CPU to memory
D. EC2 instances that support "Enhanced Networking"
Answer: D
interfaces, which can handle a much higher volume of traffic into the interface.
You are not charged for inbound traffic. Having a higher CPU-to-memory ratio
would not allow a higher volume of network traffic. Additional ENIs do not
increase network throughput. Limiting the open ports would not help as the attack
Answer: B,C,D
Explanation: You can reduce EC2 spend by migrating to reserved/spot instances,
eliminating/shrinking unused resources, or consolidating AWS accounts (to
qualify for volume discounts). The paying account can benefit from volume
pricing discounts gained through aggregate account usage.
Reference: https://aws.amazon.com/ec2/pricing/
Q15. Your team is developing an application using Elastic Beanstalk and
discussing the most appropriate environment for deployment. What two types of
environments can be created when using Elastic Beanstalk? (Choose 2 answers)
Answer: A,D
Explanation: In Elastic Beanstalk, you can create a load-balancing, autoscaling
environment or a single-instance environment. The type of environment that you
require depends on the application that you deploy. For example, you can
develop and test an application in a single-instance environment to save costs
and then upgrade that environment to a load-balancing, autoscaling environment
when the application is ready for production.
Reference:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features-managing-env-types.html
Q16. You have created an S3 bucket where project managers can upload their
projects' files. Project files change frequently, so retaining multiple copies of files
each project file must be encrypted at rest when stored in S3. How could you
Answer: C
Answer: B,D
Explanation: When you send a request to initiate a multipart upload, Amazon S3
returns a response with an upload ID, which is a unique identifier for your
multipart upload. You must include this upload ID whenever you upload parts, list
the parts, complete an upload, or abort an upload. When uploading a part, in
addition to the upload ID, you must specify a part number that uniquely identifies
a part and its position in the object you are uploading. Amazon S3 returns an
ETag header in its response. For each part upload, you must record the part
number and the ETag value for use in each subsequent request.
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html
Q18. A member of your network operations center team needs to find out which
AWS API services the group has utilized over the last month. What is the best
Answer: D
Answer: A
Explanation: The auto scaling group is where instance changes would be made.
The AWS::AutoScaling::LaunchConfiguration type creates an Auto Scaling
launch configuration that can be used by an Auto Scaling group to configure
Amazon EC2 instances in the Auto Scaling group.
Reference:
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-as-launchconfig.html
Q20. Jani has just joined your DevOps team. As part of her DevOps credentials
she now has access to list objects in a bucket but she doesn't have access to
download these objects according to bucket policy. You asked Jani to generate
pre-signed URLs to some objects in this bucket and share them with employees.
Will Jani be able to generate working pre-signed URLs to these objects? (Select
the most accurate answer.)
A. Jani can generate working pre-signed URLs only if bucket policy allows
generate-url action
B. No, Jani cannot generate working pre-signed URLs because the bucket is
C. Yes, Jani has access to list objects in this bucket and this inherently grants her
D. No, Jani will not be able to generate working signed URLs as she doesn't
Answer: D
Explanation: All objects by default are private. Only the object owner has
permission to access these objects. However, the object owner can optionally
share objects with others by creating a pre-signed URL, using their own security
credentials, to grant time-limited permission to download the objects.
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
Q21. Your organization is migrating applications to AWS. Your new security policy
mandates that all user accounts be created and managed through IAM. Currently
your corporation is using Active Directory as their on-premises LDAP service.
Once applications go live at AWS, all users must utilize applications using
temporary access credentials, and all IAM users must have passwords that are
rotated on a set schedule. Which of the following actions will allow you to enforce
this security policy? (Choose 3 answers)
Answer: A,B,D
Explanation: STS is the "glue" that supports temporary access credentials for
federation. If you are running code, AWS CLI, or Tools for Windows PowerShell
commands inside an EC2 instance, you can take advantage of roles for Amazon
EC2. Otherwise, you can call an AWS STS API to get the temporary credentials,
and then use them explicitly to make calls to AWS services.
Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_use-resources.html
Q22. Your developers have reported that when they launch their Elastic
Beanstalk environments, they are receiving command timeout errors. You review
the commands listed in their configuration file and make suggestions to remove
the timeout errors. What steps should you advise the developers to take?
(Choose 3 answers)
Answer: A,B,D
Answer: B,D
concern over the growing S3 budget. They have asked you to identify strategies
to reduce the S3 spend by at least 25% before the next monthly billing cycle.
How could you accomplish this? (Choose 2 answers)
A. Utilize Infrequent Access storage for objects that are not requested so
frequently
B. Use Snowball for large data objects to avoid data transfer rates
Answer: A,C
Explanation: You can use the infrequent access to reduce the cost of certain
much lower cost. Note that data transfer into S3 is always free. So if you want to
reduce your cost, using Snowball might speed up moving large data sets;
however, it will not reduce your cost.
Reference:
https://aws.amazon.com/s3/pricing/
Q25. You've deployed an application in a custom AMI image into the Amazon
cloud. It is deployed in a separate VPC. You would like to take advantage of
being able to failover to another instance without having to reconfigure the
application. Which of these solutions could be utilized? (Choose 2 answers)
A. Add a secondary private IP address to the primary network interface that could
then be used to move to a failover instance.
B. Utilize CloudWatch health checks for failover.
C. Use load balancing to balance traffic to additional instances.
D. Use an additional elastic network interface for failover to another instance.
Answer: A,C
Explanation: The ENI can only be attached to an instance hosted in a VPC.
When you move a network interface from one instance to another, network traffic
is redirected to the new instance. Some network and security appliances, such
as load balancers, network address translation (NAT) servers, and proxy servers
prefer to be configured with multiple network interfaces. You can create and
attach secondary network interfaces to instances in a VPC that are running these
types of applications and configure the additional interfaces with their own public
and private IP addresses, security groups, and source/destination checking.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html
Q26. Your organization is thinking of running parts of their workload on AWS
while keeping the critical and sensitive servers on-premises with continuous
connectivity between instances in AWS and corporate data center. In such a
hybrid cloud environment what are the minimum requirements to maintain a
resilient continuous connectivity between AWS and corporate data center?
(choose one)
A. A primary and a backup direct connect line and at least two routers in the
corporate data center
B. A primary direct connect line connected to at least two routers in the corporate
data center
C. A primary and a backup direct connect line connected to the primary router in
D. A primary direct connect line and a VPN connection for backup connected to
Answer: A
Explanation: If a single table has only a very small number of partition key values,
consider distributing your write operations across more distinct partition key
values, such as a user ID in an application with many users or a device ID where
access is spread relatively uniformly across devices. In other words, structure
the primary key elements to avoid one "hot" (heavily requested) partition key
value that slows overall performance.
Reference:
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GuidelinesForTables.html
Q28. You are a DBA setting up a fault-tolerant AWS RDS. You need to recognize
the events that will cause a failover. Which situation will cause a failover to the
standby? (Choose 2 answers)
A. A web server health check has failed.
B. The operating system of the DB instance is undergoing software patching.
C. The secondary DB instance fails.
D. An AZ outage occurs.
Answer: B,D
occurs, the primary DB instance fails, the DB instance's server type is changed,
Reference:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
A. Database backups
B. Security patching
C. Enabling additional read replicas
D. Adding availability zones
Answer: B
Answer: C
during the migration will help increase the speed of the initial migration load.
Reference:
http://docs.aws.amazon.com/dms/latest/userguide/CHAP_Troubleshooting.html
Q31. After reviewing the reports from AWS Trusted Advisor, your company has
decided to enable multi-factor authentication for IAM users and the root account.
Which of the following MFA options can be utilized for both account types?
(Choose 2 answers)
Answer: A,D
A. Asynchronous replication
B. Data Guard
C. TDE
D. Mirroring
Answer: D
B. HTTP or HTTPS POST notifications
C. Invoking of a Lambda function
D. Email using SMTP or plain text
Answer: B,C,D
Explanation: Amazon SNS can deliver notifications as HTTP or HTTPS POST,
Amazon SQS queue. If you prefer, you can use Amazon CloudWatch Events to
configure a target to invoke a Lambda function when your Auto Scaling group
Reference:
http://docs.aws.amazon.com/autoscaling/latest/userguide/ASGettingNotifications.html
Q34. You are in the process of planning your backup strategy between
on-premises data center and AWS cloud. You are considering Storage Gateways
technology for backup and restore in your hybrid environment. What are the
primary factors that affect Backup and Recovery times when using Storage
Gateways? (Choose 2 answers)
A. Amount of data required for backup each day after data deduplication and
compression
B. Net available bandwidth between on premises and AWS over public internet or
Direct Connect line
C. Compute power of on-premises instances that need to be backed up
D. Amount of data required for backup each day before data deduplication and
compression
Answer: A,B
Explanation: Storage gateways interact with AWS over the public Internet or
direct connect. You will need to know the amount of data per day that needs to
be transferred to AWS S3 and the net available bandwidth of your network
connection. Storage Gateway is capable of running data compression and
comparison so only changed data is being backed up.
Reference:
https://d0.awsstatic.com/whitepapers/best-practices-for-backup-and-recovery-on-prem-to-aws.pdf
Q35. Your team is developing an Elastic Beanstalk application and discussing
how to design the most appropriate environment. When deploying your Elastic
Beanstalk environment, which of the following must you create? (Choose 2
answers)
D. Service role
Answer: B,D
Explanation: When you create an environment, AWS Elastic Beanstalk prompts
you to provide two AWS Identity and Access Management (IAM) roles, a service
role and an instance profile. The service role is assumed by Elastic Beanstalk to
use other AWS services on your behalf. The instance profile is applied to the
instances in your environment and allows them to upload logs to Amazon S3 and
perform other tasks that vary depending on the environment type and platform.
Reference:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts-roles.html
Q36. Exchange Server 2013 is the dominant application used within your
company. Due to cost constraints, AWS has been chosen to host your exchange
servers. You need to test out the environment quickly to understand the cloud in
Answer: A
Answer: A,D
Explanation: By tagging all resources with the business unit and enabling
detailed billing reports, you would enable the finance team to run cost reports by
business unit.
Reference:
http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/billing-reports.html
Q38. Your company is planning to deploy a hybrid environment linking their
on-premises database to an application hosted at AWS. What are the concerns
with this design when considering performance between AWS and the on-site
database? (Choose 2 answers)
A. Security of data
B. Network latency
D. Network bandwidth
Answer: B,D
Explanation: Since the database is not located in the same location as the
A. NAT Gateway
B. Cloud Formation
C. Third-party AMI NAT solutions
D. Quick Start
Answer: B,D
Explanation: Quick Start is a new solution that is worth checking out. You can use
IAM with AWS CloudFormation to control what users can do with AWS
CloudFormation. Amazon provides Amazon Linux AMIs that are configured to run
as NAT instances. Elastic Beanstalk is primarily for web applications only.
Reference: https://aws.amazon.com/quickstart/architecture/linux-bastion/
Q40. Your company is migrating their environment to AWS. The legacy
environment relied on Chef for automation, and your engineers are comfortable
with that solution. In addition, your compliance officer has indicated that the new
environment needs centralized, auditable configuration management for
regulatory reasons. Which of the following AWS automation tools is most
appropriate for this scenario?
D. OpsWorks stacks
Answer: A
Explanation: OpsWorks stacks will let you utilize your existing Chef recipes, but
only OpsWorks for Chef Automate will provide you with centralized, continuous
configuration management.
Reference: https://aws.amazon.com/opsworks/
their application. To change your instance count for Elastic Beanstalk, select the
Answer: A,B,D
Answer: B,C,D
Explanation: There are three steps to backing up an AWS EFS file system. You
will need to download the AWS Data Pipeline template for backups, as EFS
backups leverage AWS Data Pipeline. Once the template has been downloaded,
create a data pipeline, which will back up the EFS file system on the schedule
you define. Once the backup has run, you will be able to access your EFS
backups.
Reference:
http://docs.aws.amazon.com/efs/latest/ug/efs-backup.html#backup-steps
Q43. Your company is migrating its infrastructure to AWS. When considering the
migration level effort required, you determine there are a select number of VMs
that fall under the "very low, to low" category. After considering third-party
migration options, you decide to utilize available AWS tools. What tools are
available for migrating VMs to the AWS cloud? (Choose 2 answers)
B. AWS Snowmobile
C. AWS Snowball
D. AWS VM Import
Answer: C,D
Answer: A,C
http://docs.aws.amazon.com/IAM/latest/UserGuide/access_permissions.html
Q45. You are planning to set up an on-premises backup solution to the cloud.
The solution must compress and deduplicate the data prior to sending it over
your WAN to storage in S3. You are researching AWS Storage Gateway. Which
features are supported by AWS Storage Gateway? (Choose 2 answers)
A. AES 256 Encryption of data at rest
Answer: A,D
using SSL and AES-256 encryption of data at rest, presents data using industry
standard formats such as iSCSI or VTLs, and uploads only changed data, which
is compressed prior to upload or download.
Reference:
https://d0.awsstatic.com/whitepapers/best-practices-for-backup-and-recovery-on-prem-to-aws.pdf
Q46. Due to compliance rules and regulations, your company's workload has to
run on dedicated instances. How can you make sure that all EC2 instances
created for your workload now and in the future are dedicated instances?
(choose two answers)
A. Create a golden AMI of dedicated instance and enforce this AMI as the base
for any new instance in your environment. This guarantees that all instances
created based on the AMI will be dedicated
B. Create a dedicated Placement Group and associate all new instances with this
placement group at launch time. All instances launched in dedicated placement
group will be dedicated
C. Create your VPCs with instance tenancy of dedicated. This will ensure that all
instances launched in VPC are dedicated
D. Create CloudFormation template for EC2 instances that has Tenancy attribute
as dedicated and always use it to launch any new instance
Answer: C,D
Q47. Your company is considering migrating to AWS, but they are concerned
about the initial and mid- to short-term costs due to the complexity of the
migration cycle. To effectively calculate the total cost of ownership, certain costs
must be understood and planned for. What costs should be primary
considerations? (Choose 3 answers)
A. The cost of running migration tools
Answer: A,C,D
during the migration process is a recipe for disaster. To build a migration model
Answer: A,D
Explanation: Recovery takes IOPS; therefore, insufficient IOPS will slow down
failover time. Database recovery relies on transactions; therefore, smaller
transactions will shorten failover time.
Reference:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/CHAP_BestPractices.html
Q49. You wish to perform detailed monitoring on servers that are marked as
unhealthy before they are terminated. After researching the issue, you find that
lifecycle hooks can be deployed as necessary. Which strategies could you use to
perform detailed monitoring? (Choose 2 answers)
D. Query 160.254.169.254 when instances are first marked as unhealthy.
Answer: A,B
Explanation: Lifecycle hooks allow customization of existing auto-scaling groups.
Reference:
http://docs.aws.amazon.com/autoscaling/latest/userguide/lifecycle-hooks.html
Q50. Your storage team is preparing to move a large amount of the company's
on-premises data to AWS. They decide to use Snowball. What solutions are
available for moving the data to the Snowball Appliance? (Choose 2 answers)
Answer: A,B
Explanation: Amazon provides the Amazon Snowball Client, and the Amazon S3
Adapter for Snowball for data transfer between on-premises data center and
Snowball appliance. The Amazon S3 Adapter for Snowball is a programmatic tool
that you can use to transfer data between your on-premises data center and a
Snowball. It replaces the functionality of the Snowball client.
Reference: http://docs.aws.amazon.com/snowball/latest/ug/using-appliance.html
Q51. Your developers have created a sales application that works in tandem with
the NoSQL database. To ensure the fastest response for the application in
production, the developers wish to remove the need to wait for
acknowledgements from the database to the application after data have been
sent. The acknowledgements can be stored and accessed asynchronously.
Which managed application would be the best choice for their design?
A. AWS Config
B. CloudWatch with notifications
C. Simple Workflow Service
D. Simple Queue Service
Answer: D
Explanation: SQS allows you to quickly build hosted and scalable message
queuing applications that can run on any computer. SQS stores messages in
transit between diverse, distributed application components without losing
messages and without requiring each component to be always available.
Reference: https://aws.amazon.com/sqs/details/
Q52. You are a DBA setting up a fault-tolerant AWS RDS. You need to recognize
the events that will cause a failover. Which events will cause a failover to the
standby? (Choose 2 answers)
A. A change in the DB instance's Server type
B. Failure of the secondary DB instance
C. Failure of Automated Backups
D. Failure of the primary DB instance
Answer: A,D
Explanation: The events that trigger a DB failover are an Availability Zone outage,
ongoing software patching for the operating system of the DB instance, and a
Reference:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
Q53. You are an administrator managing Windows File Servers in Amazon Web
Services. You need to set up a fault-tolerant system to protect your shared files.
You decide to use DFS Namespaces and DFS Replication. Which of the
following are prerequisites? (Choose 2 answers)
Answer: A,B
Explanation: The technical requirements are file servers running Windows Server
2012 R2 and an Active Directory Schema of at least Server 2008 R2.
Reference:
https://d0.awsstatic.com/whitepapers/implementing-windows-file-server-disaster-recovery.pdf
Q54. You are developing a static website using S3 for your company's clients.
Your team is configuring the site, and has made the files world readable. What
other steps must they take? (Choose 2 answers)
Answer: B,D
Explanation: To configure a bucket for static website hosting, you add a website
configuration to your bucket. The configuration includes an index document, error
documents, redirects of all requests that are intended for the index page, and any
conditional redirects. Amazon S3 does not support server-side scripting.
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/HowDoIWebsiteConfiguration.html
Q55. The developers on your project team would like to use Elastic Beanstalk to
deploy web tier applications at AWS without worrying about the underlying
infrastructure. When launching their Elastic Beanstalk environment, which
A. Application tier
B. Worker tier
Answer: C
Explanation: The environment tier that you choose determines whether Elastic
Beanstalk provisions resources to support a web application that handles
HTTP(S) requests or a web application that handles background-processing
tasks. An environment tier whose web application processes web requests is
known as a web server tier. An environment tier whose web application runs
background jobs is known as a worker tier.
Reference:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.concepts.architecture.html
Q56. After your online sales application is monitored for the last two weeks of
holiday sales, it is apparent that your database tier's current architectural design
is not sufficient. The decision is made to scale your instance to a greater size
based on database recommendations from the vendor. Your current database
storage type is magnetic and, currently, storage usage is at 70%. What
modifications should you consider for improving the performance of your
database? (Choose 3 answers)
Answer: A,B,D
Explanation: When scaling a database, you can increase the storage capacity of
a DB Instance up to a maximum of 4-6 terabyte (TB). Please note that scaling
the storage allocation with Amazon RDS does not incur a database outage.
Performance will be increased as well. Reference:
https://forums.aws.amazon.com/thread.jspa?messageID=203052
Q57. Due to a recent threat, your company has asked you to implement an
architecture that will minimize the effect of DDoS attacks. Which AWS service or
feature will you need to utilize in your architecture to minimize the effect of layer 6
SSL attacks and layer 4 SYN flood attacks?
A. EC2 Security Groups
B. Firewall on Operating System Level
C. Elastic Load Balancing with Auto Scaling
Answer: C
and 6. Larger DDoS attacks can exceed the size of a single Amazon EC2
instance. With Elastic Load Balancing (ELB), you can reduce the risk of
instances. ELB can scale automatically, and accepts only well-formed TCP
connections. This means that many common DDoS attacks, like SYN floods or
UDP reflection attacks will not be accepted by ELB and will not be passed to your
application. Reference:
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
Q58. A customer requires failover from an application server hosted on a
dedicated subnet to another application server on another dedicated subnet. In
order to test the failover scenario, an additional network interface must also be
added to each instance. What approaches can be applied to this scenario?
(Choose 2 answers)
Answer: B,D
Explanation: You can attach a network interface to an instance when it's running
(hot attach), when it's stopped (warm attach), or when the instance is being
launched (cold attach). You can attach a network interface in one subnet to an
instance in another subnet in the same VPC; however, both the network interface
and the instance must reside in the same Availability Zone.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#best-practices-for-configuring-network-interfaces
Q59. Your company wants to migrate an on-premises SQL Server DB to AWS
RDS SQL Server. As the DBA, you have determined that your database can be
offline while the backup is created, copied, and restored. You decide to use
native backup and restore. Which steps are required during setup? (Choose 3
answers)
A. Turn on compression for your backup files by running "exec
rdsadmin..rds_set_configuration 'S3 backup compression', 'true'."
B. Create an AWS IAM role for access to the S3 bucket.
C. Add the SQLSERVER_BACKUP_RESTORE option to an option group on
your DB instance.
Answer: B,C,D
Explanation: There are three components you'll need to set up for native backup
and restore: an Amazon S3 bucket to store your backup files; an AWS Identity
and Access Management (IAM) role to access the bucket; and the
A. JSON
B. YAML
C. PS1
D. XML
Answer: A,B
From time to time the instances within the auto-scaling group are marked as
unhealthy as expected, but the unhealthy instances are not terminated. What
must you change to ensure that instances marked as unhealthy will be
terminated?
A. Add an additional availability zone for failover.
B. Configure the auto-scaling group to use both instance status checks and load
Answer: B
Explanation: Both instance status checks and health checks must be enabled
before unhealthy instances will be terminated. It is critical that you test not only
the saturation and breaking points but also the "normal" traffic profile you expect.
Reference: https://aws.amazon.com/articles/1636185810492479
Q62. You have received a call from a client who attempted to set up a static
website on S3 by himself. He thinks the website is configured properly but is
unable to view any content. You see that the bucket has the same domain name
as the website and also that index and error docs have been created. What could
be missing?
Answer: B
Explanation: When you configure a bucket as a website, you must make the
objects that you want to serve publicly readable. To do so, you write a bucket
policy that grants everyone s3:GetObject permission. On the website endpoint, if a
user requests an object
that does not exist, Amazon S3 returns HTTP response code 404 (Not Found). If
the object exists but you have not granted read permission on the object, the
website endpoint returns HTTP response code 403 (Access Denied).
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/HowDoIWebsiteConfiguration.html
Q63. Your web-based application has been launched publicly. Your design has
implemented auto scaling and classic load balancing and your design is
responding to the changes in demand as expected. Over the next few months,
during the holiday season, demand is expected to be quite robust. You estimate
that 100 EC2 instances will be required to meet your customers' demand. How
should you plan properly for growth? (Choose 2 answers)
A. Use AWS Trusted Advisor to analyze your workload requirements.
B. Change your auto scaling configuration, setting a desired maximum capacity
of 100 instances.
Verify your limits allow for this capacity
C. Contact Amazon to pre-warm your elastic load balancer to match the expected
demands.
Answer: B,C
case where a load test cannot be configured to gradually increase traffic, AWS
recommends that you have your load balancer "pre-warmed". They will configure
the load balancer to have the appropriate level of capacity based on the traffic
that you expect. They also need to know the start and end dates of your tests or
expected flash traffic, the expected request rate per second and the total size of
the typical request/response that you will be testing. Reference:
https://aws.amazon.com/articles/1636185810492479#pre-warming
Q64. Your company has begun deploying corporate resources to AWS. They
want to ensure AWS compliance levels match their corporate requirements.
Which actions reflect best practices for carrying out a security assessment of
your environment on the cloud? (Choose 2 answers)
A. Request AWS to run a penetration test against your environment and generate
an assessment report with critical findings and best practices to resolve them
B. Request approval to perform relevant network scans and penetration tests of
your system on AWS.
C. Review applicable third-party AWS compliance reports and attestations and
conduct a gap analysis to find missing controls
D. Carry out a detailed audit and inventory of on-premise resources and
operations.
Answer: B,C
access to their instances on a public subnet. They wish to provide access to port
80 and port 443 but deny access to specific IP addresses. How should they
proceed when creating their security rules?
A. Create an IAM role-based policy for all security rules.
B. Create NACLs to control port access and security groups to deny access from
specific IP addresses.
C. Create security groups to control port access, and deny access from specific
IP addresses.
D. Create security groups to control port access and NACLs to deny access from
specific IP addresses.
Answer: D
permissive only.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
Q66. You've designed a public portal (with a MySQL database) featuring popular
scientific journals. Due to its popularity, users are complaining it takes much
longer to review selected journals than in the past. In addition, the popularity of
your site is worldwide. What are the first steps that you should take to resolve
your performance issues? (Choose 2 answers)
Explanation: Read replicas synchronized with the master database allow you to
increase performance. Placing your read replicas in different AWS regions closer
to your users will maximize performance and increase the availability of your
database.
Reference:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
Q67. Your on-premise bare-metal servers are over five years old. You're
considering moving to AWS. The offerings of virtual instances far surpass what
you can access on-premises. Before you choose your test instance at AWS, what
questions should you ask? (Choose 3 answers)
C. When peak load occurs, how much over provisioning is required?
D. How much network bandwidth do you need?
Answer: A,B,C
Explanation: On-premises data centers have costs associated with the servers,
storage, networking, power, cooling, physical space, and IT labor required to
servers, these questions are most applicable: What is your average server
utilization? How much do you overprovision for peak load? What is the cost of
over-provisioning?
Reference:
https://d0.awsstatic.com/whitepapers/the-path-to-the-cloud-dec2015.pdf
Q68. Your developers have been working on a VPC configuration and run across
some connectivity issues. They ask you if they can attach an additional network
interface for additional private network connections within their VPC on select
EC2 instances, and if so, how to go about it. What type of network component
should they add to complete this task?
A. Network ACL
B. Elastic network interface
C. Elastic IP address
D. Multi-homed instance
Answer: B
A. Auto scaling
B. Vertical scaling to vendor recommendations
C. Horizontal scaling
D. Storage resizing
Answer: B
Explanation: Vertical scaling will help address applications that use the same
number of reads and writes. To handle a higher load in your database, you can
vertically scale up your master database by modifying the size of the instance in
the settings pane. Reference:
https://aws.amazon.com/blogs/database/category/rds-mysql/
Q70. You are an AWS Solutions Architect helping a client plan a migration to the
AWS cloud. The client is very cost-conscious and needs to understand the
budget implications of any design decisions prior to signing off. Now that you've
identified the resources that must be created in the AWS environment to support
the migration, what tool could you use to help project future costs given this
information?
C. Cost Explorer
D. TCO Calculator
Answer: B
A. S3 Bucket policy
B. IAM resource policy
C. IAM ID policy
D. S3 User policy
Answer: A
versions of this application citing an error related to versions limit. What
recommendations can you make to help solve this problem now and in the future?
(choose one).
A. Application version limit will increase automatically when limit is reached.
B. Apply an application version lifecycle policy to your applications.
C. From the management console, delete all versions no longer required.
Answer: B
application versions when the total number of versions for an application exceeds
Answer: A
Explanation: Privacy laws in foreign countries will dictate the compliance rules
and regulations. AWS customers remain responsible for complying with
applicable compliance laws and regulations.
Reference:
https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedra
mp-faqs/
Q74. Your organization is launching a new portal that will be hosted in one of the
US regions but available world-wide. As part of this global portal, clients will be
transferring large files to the primary S3 bucket in the primary region. There is a
concern about delay of file transfer for clients from other continents because of
the distance. Which service or feature could help you with this scenario while
keeping your operation cost at the minimum? (Choose 2 answers).
A. Use Amazon S3 Transfer Accelerator on the primary bucket in primary region
B. Enable S3 cross-region replication for the primary bucket
C. Utilize CloudFront to allow customers to upload to their closest edge location
D. Deploy your portal in multiple regions and use geo-location routing features of
Answer: A,C
transfers of files over long distances between your client and an S3 bucket.
distributed edge locations. As the data arrives at an edge location, data is routed
to Amazon S3 over an optimized network path. The first option is also valid
however it incurs a lot of additional cost and would have a maintenance
overhead.
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/transfer-acceleration.html
Q75. Due to recent threats, your team has been asked to focus on the prevention
of DDoS attacks in web applications using CloudFront and Route 53. Which AWS
infrastructure feature helps protect your web application from direct attacks?
Answer: B
Explanation: Services that are available in AWS edge locations, like Amazon
CloudFront, AWS WAF, Amazon Route 53, and Amazon API Gateway, allow you
to take advantage of a global network of edge locations that can provide your
application with greater fault tolerance and increased scale for managing larger
volumes of traffic. Reference:
https://d0.awsstatic.com/whitepapers/Security/DDoS_White_Paper.pdf
Q76. You are responsible for a web application where the Web server instances
are hosted in auto-scaling group. Monitoring the load of the application over a
period of 12 months reveals that nine servers are required to handle the
minimum load. During a 24-hour period, an average of 14 servers are needed.
Three weeks out of the year, the number of servers needed might increase to 16.
What recommendations would you make to minimize operating costs while
providing the required availability?
medium utilization, and the rest covered by on-demand instances
B. Nine reserved instances with heavy utilization, 5 on-demand instances, and
the rest covered by on-demand instances
C. Nine reserved instances with heavy utilization, 5 reserved instances with
medium utilization, and the rest covered by spot instances
D. Nine reserved instances with heavy utilization, 5 spot instances, and the rest
covered by on-demand instances
Answer: D
options as applicable for each requirement. The purchasing option that you
choose affects the lifecycle of the instance. An on-demand instance runs when
you launch it and ends when you terminate it. A spot instance runs as long as its
capacity is available and your bid price is higher than the spot price. Reserved
Answer: A,B,C
Explanation: Hardware VPN provides dual redundant paths and BGP support by
establishing a hardware VPN connection from your network equipment on a
remote network to AWS-managed network equipment attached to your Amazon
VPC. This allows reuse of existing VPN equipment and processes, reuse of
existing Internet connections, AWS-managed endpoints with multidata center
redundancy and automated failover, and support of static routes or dynamic
Border Gateway Protocol (BGP) peering and routing policies.
Reference:
http://media.amazonwebservices.com/AWS_Amazon_VPC_Connectivity_Options.pdf
Q78. You are migrating your Oracle database using the AWS database migration
service. Due to the large amount of data being replicated, you need the
replication process to be continuous. What must be changed on your replication
instance to use ongoing replication?
A. Enable the Multi-AZ option on the replication instance.
B. Increase the number of tables that are cached in RAM.
C. Increase the amount of data written to your database change log.
Answer: A
Explanation: Enabling the Multi-AZ option provides high availability and failover
Reference:
http://docs.aws.amazon.com/dms/latest/userguide/CHAP_BestPractices.html#CHAP_BestPractices.OnGoingReplication
Q79. Due to compliance regulations, network technicians are instructed to begin
logging IP traffic going to and from specific network interfaces on the private
network. They are directed to use flow logs to capture this information. The
network design is a mixture of newer VPCs and older EC2-Classic networks.
What IP traffic information will not be captured by the flow logs? (Choose 2
answers)
Answer: A,B
Explanation: Flow logs are not supported for EC2-Classic and have limitations for
all networks. For example, if your network interface has multiple IPv4 addresses
and traffic is sent to a secondary private IPv4 address, the flow log displays the
primary private IPv4 address in the destination IP address field. You also cannot
enable flow logs for VPCs that are peered with your VPC unless the peer VPC is
in your account.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html#flow-logs-limitations
Q80. While monitoring your application servers that are hosted behind an elastic
load balancer, you discover that the servers always operate at between 75 and
80% of their capacity after five minutes of operation. In addition, there is a
constant number of servers being marked as unhealthy very early in their initial
lifecycle. Upon further analysis, you also discover that your servers are taking
between three and four minutes to become operational after launch. What two
tasks should you complete as soon as possible? (Choose 2 answers)
A. Enable detailed CloudWatch monitoring.
B. Increase the length of your grace period.
C. Increase the maximum number of instances in your auto-scaling group.
D. Decrease the length of your grace period.
Answer: B,C
Explanation: A longer grace period and larger instances will solve these issues.
You can use scaling policies to increase or decrease the number of running EC2
scaling policy is in effect, the Auto Scaling group adjusts the desired capacity of
the group and launches or terminates the instances as needed. If you manually
scale or scale on a schedule, you must adjust the desired capacity of the group
Reference:
http://docs.aws.amazon.com/autoscaling/latest/userguide/AutoScalingGroup.html
Q81. A backup administrator is designing an offsite backup solution using AWS
Storage Gateway. Which factors below should be evaluated for performance?
(Choose 2 answers)
Answer: B,D
Explanation: There are two primary performance factors to consider when
evaluating a storage gateway solution: throughput and volume of data transfer
between the backup server and the storage gateway and the ratio of data
transfer volume to Internet bandwidth between the storage gateway and Amazon
S3.
Reference:
https://d0.awsstatic.com/whitepapers/best-practices-for-backup-and-recovery-on-prem-to-aws.pdf
Q82. A MySQL database currently contains 2 million records. Approximately 2000
new records are added every day, with an average of 80 queries per second. The
database is running on a 4 core, 4 GB dedicated system in the local data center.
Once a week, on average, the system has issues and resets. It is next on the list
to be moved to the cloud. What step should be taken first before it is migrated?
C. Use the AWS server migration service to migrate existing records.
D. Fix all MySQL issues in the local data center.
Answer: D
Explanation: Issues that are not first solved locally will not be solved by moving to
the cloud. Moving to the cloud is not a silver bullet. If there are inherent problems
moving to the cloud. Try to resolve any issues locally before migrating your
http://docs.aws.amazon.com/dms/latest/userguide/CHAP_Troubleshooting.html
Q83. Your team has just launched an application using Elastic Beanstalk and is
in the process of verifying that traffic is being directed correctly. What type of
DNS record will be used to direct the associated Load Balancer to your hosted
environment?
A. CNAME record
B. AAAA record
C. A record
D. MX record
Answer: A
Answer: C
Explanation: To delete the parts of a failed multipart upload so that you do not get
charged for storage of those parts, you must use the command "Abort Multipart
Upload" and provide the upload ID of the upload you wish to abort. After aborting a
multipart upload, you cannot upload any part using that upload ID again. All
storage that any parts from the aborted multipart upload consumed is then freed.
Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html
Q85. You are responsible for maintaining an RDS database deployed in a Multi-AZ
deployment architecture. What would be the downtime and/or failover cycle
associated with maintenance events on your database? (Choose 2 answers)
Answer: B,C
A. display-multipart-uploads
B. get-multipart-uploads
C. list-multipart-uploads
D. enumerate-multipart-uploads
Answer: C
Explanation: You can list the parts of a specific multipart upload or all in-progress
multipart uploads. The list parts operation returns the parts information that you
have uploaded for a specific multipart upload. For each list parts request,
Amazon S3 returns the parts information for the specified multipart upload, up to
a maximum of 1,000 parts. If there are more than 1,000 parts in the multipart
upload, you must send a series of list part requests to retrieve all the parts. Note
that the returned list of parts doesn't include parts that haven't completed
uploading. Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/mpuoverview.html
Q87. You have created a VPC with both public and private subnets. The VPC has
a CIDR notation of 10.0.0.0/16. The private subnet uses CIDR 10.0.1.0/24 and
the public subnet uses 10.0.0.0/24. Web servers serving traffic on ports 80 & 443
and a NAT device will be hosted in the public subnet. The database server will be
hosted in the private subnet and will require internet connectivity for patching and
updates. The NAT device security group controls inbound and outbound traffic
to/from the internet for private instances. Which of the entries below are NOT
required when creating the NAT security group? (Choose 2 answers)
Answer: B,C
private subnet CIDR has to be allowed inbound on both port 80 and 443. The public
subnet with CIDR block 10.0.0.0/24 already has internet access and doesn't
need to use the NAT device, so this range doesn't need to be opened on the
security group. The NAT device will initiate outbound traffic to the internet, usually
on ports 80 and 443 for regular patches and updates, so outbound traffic on these
ports has to be open for all destinations.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html
Q88. You are planning to implement a system to mitigate DDoS attacks for a
client in light of some recent suspected threats. You are aware that some DDoS
attacks are more common than others, so your priority is to make sure that your
first action provides protection for the most common attacks. Which of these
architecture layers are more vulnerable to DDoS attacks? (Choose 2 answers)
A. Data layer is vulnerable because DDoS attacks cause data leakage
B. Infrastructure layer is vulnerable because DDoS attacks over-utilize
infrastructure resources
C. Network layer is vulnerable because DDoS attacks aim to break network
backbone and cause a global application outage
D. Application layer is vulnerable because DDoS attacks flood application
services with overwhelming load which causes application to become less
responsive or break completely
Answer: B,D
will cause the application to break even if there is enough capacity in the
infrastructure to handle the load.
DDoS mitigation has to be implemented in both layers to ensure elastic capacity
growth and application protection against layer 7 attacks.
Reference:
https://d0.awsstatic.com/whitepapers/DDoS_White_Paper_June2015.pdf
Q89. Your client wants to implement scalable but cost-effective storage while
maintaining data security. You recommend using AWS Storage Gateway and set
realize that you need to access the storage on the gateway. Which method would
you use?
A. NFS
B. Fibre
C. iSCSI
D. CIFS
Answer: C
Explanation: AWS Storage Gateway enables applications that are clustered using
Windows Server Failover Clustering (WSFC) to use the iSCSI initiator to access
a gateway's volumes. However, connecting multiple hosts to the same iSCSI
target is not supported. When using Red Hat Enterprise Linux (RHEL), you use
the iscsi-initiator-utils RPM package to connect to your gateway iSCSI targets
(volumes or VTL devices).
Reference:
http://docs.aws.amazon.com/storagegateway/latest/userguide/GettingStarted-use-volumes.html
Q90. A legacy application in your company has been deployed in a single
availability zone. It is used only sporadically but must be available nevertheless.
Due to your heavy administrative workload, you wish to automate a process that
will rebuild the application automatically if it fails. What action should you take?
A. Configure the server in an auto scaling group with a minimum and maximum
size of one.
B. Add an additional availability zone and a load balancer.
C. Monitor the server availability using CloudWatch metrics to receive alerts of
health check failures.
D. Perform snapshots of EBS volumes on a set schedule.
Answer: A
Explanation: Auto scaling provides redundancy for a single server with the option
of launching a configuration using the attributes from a running instance. When
you use this option, auto scaling copies the attributes from the specified instance
into a template from which you can launch one or more auto scaling groups.
Note that if the specified instance has properties that are not currently supported
by auto scaling, instances launched by auto scaling using the launch
configuration created from the identified instance might not be identical to the
identified instance.
Reference:
http://docs.aws.amazon.com/autoscaling/latest/userguide/LaunchConfiguration.html
Q91. You are an AWS Solutions Architect helping a client plan a migration to the
AWS Cloud. The client has provided you with a detailed inventory of their current
bandwidth. What tool would you use to estimate the amount of money they will
A. TCO Calculator
B. Trusted Advisor
Answer: A
Answer: A,B,C
shoes, monitoring the number of steps taken every day. ExamKiller is expecting
thousands of sensors reporting in every minute and hopes to scale to millions by
the end of the year. A requirement for the project is that it needs to be able to accept
the data, run it through ETL to store in a warehouse and archive it on Amazon
Glacier, with room for a real-time dashboard for the sensor data to be added at a
later date.
What is the best method for architecting this application given the requirements?
A. Use Amazon Cognito to accept the data when the user pairs the sensor to the
phone, and then have Cognito send the data to DynamoDB. Use Data Pipeline to
create a job that takes the DynamoDB table and sends it to an EMR cluster for
ETL, then outputs to Redshift and S3 while using S3 lifecycle policies to archive
on Glacier.
pipeline that starts an EMR cluster using data from DynamoDB and sends the
data to S3 and Redshift.
C. Write the sensor data directly to Amazon Kinesis and output the data into
Amazon S3 creating a lifecycle policy for Glacier archiving. Also, have a parallel
processing application that runs the data through EMR and sends to a Redshift
data warehouse.
D. Write the sensor data to Amazon S3 with a lifecycle policy for Glacier, create
an EMR cluster that uses the bucket data and runs it through ETL. It then outputs
that data into Redshift data warehouse.
Answer: C
Explanation: Amazon Kinesis is used for accepting real-time data, and can have
parallel applications reading the raw data for different purposes, including
building a custom real-time dashboard to read shared output data.
Q94. ExamKiller has a library of on-demand MP4 files needing to be streamed
publicly on their new video webinar website. The video files are archived and are
expected to be streamed globally, primarily on mobile devices.
Given the requirements what would be the best architecture for ExamKiller to
design? Choose the correct answer:
A. Upload the MP4 files to S3 and create an Elastic Transcoder job that
transcodes the MP4 source into HLS chunks. Store the HLS output in S3 and
create a media streaming CloudFront distribution to serve the HLS files to end
users.
B. Upload the MP4 files to S3 and create an Elastic Transcoder job that
transcodes the MP4 source into HLS chunks. Store the HLS output in S3 and
create a CloudFront download distribution to serve the HLS files to end users.
C. Provision WOWZA streaming EC2 instances which use S3 as the source for
the HLS on-demand transcoding on the WOWZA servers. Provision a new
CloudFront download distribution with the WOWZA streaming server as the
origin.
D. Provision WOWZA streaming EC2 instances which use S3 as the source for
the HLS on-demand transcoding on the WOWZA servers. Provision a new
CloudFront streaming distribution with the WOWZA streaming server as the
origin.
Answer: B
of the HLS chunks to be an S3 bucket and using the S3 bucket as the origin for
streaming would be the most scalable way to solve the criteria. There is not a
Q95. You have a legacy application running that uses an m4.large instance size
and cannot scale with Auto Scaling, but only has peak performance 5% of the
time. This is a huge waste of resources and money so your Senior Technical
Manager has set you the task of trying to reduce costs while still keeping the
legacy application running as it should. Which of the following would best
accomplish the task your manager has set you?
Choose the correct answer:
Answer: B
A. Enable Multi-AZ failover on the RDS RAC cluster to reduce the RPO and RTO
in the event of disaster or failure.
B. Create a script that runs snapshots against the EBS volumes to create
backups and durability.
C. Enable automated backups on the RDS RAC cluster; enable auto snapshot
copy to a backup region to reduce RPO and RTO.
D. Create manual snapshots of the RDS backup and write a script that runs the
manual snapshot.
Answer: B
Explanation: RAC is not supported by RDS but can be run on EC2. To back up
EC2 instances, you can suspend IO for a moment to start the snapshot creation
time. Data Guard on Oracle is also an acceptable solution to extend high
availability to a RAC cluster running on EC2.
Q97. ExamKiller has a Redshift cluster for petabyte-scale data warehousing. The
data within the cluster is easily reproducible from additional data stored on
Amazon S3. ExamKiller wants to reduce the overall total cost of running this
Redshift cluster. Which scenario would best meet the needs of the running
cluster, while still reducing total overall ownership of the cluster? Choose the
correct answer:
B. Implement daily backups, but do not enable multi-region copy to save data
transfer costs.
C. Instead of implementing automatic daily backups, write a CLI script that creates
manual snapshots every few days. Copy the manual snapshot to a secondary
D. Enable automated snapshots but set the retention period to a lower number to
reduce storage costs
Answer: A
Explanation: The cluster data is easily repopulated from Amazon S3, so the
cheapest option for this cluster is not to keep backups at all and so avoid the
snapshot storage costs. The assumption is that the source data already exists in
S3. Keep in mind this is not a likely production setup, but it is meant to test
understanding of where the costs are incurred in a Redshift environment.
Q98. Your CIO has become very paranoid recently after a series of security
breaches and wants you to start providing additional layers of security to all your
company's AWS resources. First up he wants you to provide additional layers of
protection to all your EC2 resources. Which of the following would be a way of
providing that additional layer of protection to all your EC2 resources?
Choose the correct answer:
A. Ensure that the proper tagging strategies have been implemented to identify
all of your EC2 resources.
B. All actions listed here would provide additional layers of protection.
C. Add an IP address condition to policies that specify that requests to EC2
instances should come from a specific IP address or CIDR block range.
D. Add policies which have deny and/or allow permissions on tagged resources
Answer: B
posts?
Choose the correct answer:
A. Create an ElastiCache cluster and use write through caching strategies to
quickly update the content when blog posts require it.
B. Use a CloudFront CDN and configure 0 TTL and enable URL parameter
forwarding to the origin.
C. Use CloudFront CDN and configure a lower TTL using CloudFront invalidation
D. Create an ElastiCache cluster and use lazy loading for the caching strategies.
Answer: B
Explanation: While ElastiCache with write through would technically work, since
90% of the requests occur in the first 24 hours, using write through will hog a lot
A. Create two separate workload management groups and assign them to the
respective groups.
B. Start another Redshift cluster from a snapshot for the second team if the
current Redshift cluster is busy processing long queries.
C. Create a read replica of Redshift and run the second team's queries on the
read replica.
D. Pause the long queries when necessary and resume them when there are no
queries happening.
Answer: A
Q101. ExamKiller has two batch processing applications that consume financial
data about the day's stock transactions. Each transaction needs to be stored
durably and guarantee that a record of each application is delivered so the audit
and billing batch processing applications can process the data. However, the two
applications run separately and several hours apart and need access to the same
transaction information. After reviewing the transaction information for the day,
the information no longer needs to be stored.
What is the best way to architect this application?
Choose the correct answer:
A. Use SQS for storing the transaction messages; when the billing batch process
performs first and consumes the message, write the code in a way that does not
remove the message after consumed, so it is available for the audit application
several hours later. The audit application can consume the SQS message and
can read the rows while the audit application will read the rows then remove the
data.
C. Use SQS for storing the transaction messages. When the billing batch
message and place it in a different SQS for the audit application to use several
hours later.
D. Use Kinesis to store the transaction information. The billing application will
consume data from the stream, the audit application can consume the same data
several hours later.
Answer: D
Explanation: Kinesis streams retain records in a rolling buffer; a record is removed
only when the stream's retention period expires (24 hours by default, and
configurable). This is ideal because no additional cost or management is needed
to keep the data available for the second consumer and to discard it after the last
application has read it.
Q102. You have just set up your first AWS Data Pipeline. AWS Data Pipeline is a
web service that you can use to automate the movement and transformation of
data. With AWS Data Pipeline, you can define data-driven workflows, so that
tasks can be dependent on the successful completion of previous tasks. You are
pretty excited that it is about to run; however, when it finally kicks off, you receive
a "400 Error Code: PipelineNotFoundException." Which of the following
explanations is the most accurate in describing what this error probably means?
Choose the correct answer:
A. This error means that your IAM default roles might not have the required
permissions necessary for AWS Data Pipeline to function correctly.
B. This error means that the security token included in the request is invalid.
C. This error means that you have not set a valid value for either the runsOn or
workerGroup fields for those tasks.
D. This error means that you need to increase your AWS Data Pipeline system
limits.
Answer: A
Q103. You work for a large university whose AWS infrastructure has grown
significantly over the last year and consequently the IT department has hired four
new AWS System Administrators who will each manage a different Availability
Zone in your infrastructure. You have 4 AZs. You have been given the task of
giving these new staff access to be able to launch and manage instances in their
zone only and should not be able to modify any of the other administrators' zones.
Which of the following options is the best solution to accomplish your task?
Choose the correct answer:
A. Create four AWS accounts and give each user access to a separate account.
B. Create a VPC with four subnets and allow access to each subnet for the
C. Create four IAM users and four VPCs and allow each IAM user to have
Answer: B
Q104. A few weeks into your dream job with the large scientific institution, a
group of EC2 instances that you set up in a Placement Group doesn't seem to
run as efficiently as you expected it to and seems to be suffering from low
performance of packets, high latency and lots of jitter. Consequently, you have
started to look at ways to fix this. Which of the following solutions would create
enhanced networking capabilities on instances that would result in higher
packet-per-second performance, lower latency, and reduced jitter? Choose the
correct answer:
A. Adding more instances to the Placement Group. Making sure you stop and
restart all the other instances at the same time.
B. Using Single Root I/O Virtualization (SR-IOV) on all the instances.
C. Increasing the size of all the instances.
D. Splitting the instances across two Placement Groups in the same Availability
Zone.
Answer: B
VPC.
C. Configure an IPS/IDS in promiscuous mode, which will listen to all packet
traffic and API changes.
D. Configure an IPS/IDS to listen and block all suspected bad traffic coming into
and out of the VPC. Configure CloudTrail with CloudWatch Logs to monitor all
changes within an environment.
Answer: A,D
permissions for each user to communicate and store data in DynamoDB tables.
What is the best method for granting each mobile device that installs your
A. During the install and game configuration process, have each user create an
IAM credential and assign the IAM user to a group with proper permissions to
communicate with DynamoDB.
B. Create an IAM group that only gives access to your application and to the
DynamoDB tables.
Then, when writing to DynamoDB, simply include the unique device ID to
associate the data with that specific user.
C. Create an Active Directory server and an AD user for each mobile application
user. When the user signs in to the AD sign-on, allow the AD server to federate
using SAML 2.0 to IAM and assign a role to the AD user which is then assumed
with AssumeRoleWithSAML.
D. Create an IAM role with the proper permission policy to communicate with the
DynamoDB table. Use web identity federation, which assumes the IAM role using
AssumeRoleWithWebIdentity, when the user signs in, granting temporary
security credentials using STS.
Answer: D
Answer: C
Q108. A third party auditor is being brought in to review security processes and
configurations for all of ExamKiller's AWS accounts. Currently, ExamKiller does
not use any on-premise identity provider. Instead, they rely on IAM accounts in
each of their AWS accounts. The auditor needs read-only access to all AWS
resources for each AWS account. Given the requirements, what is the best
security method for architecting access for the security auditor?
A. Create an IAM role with read-only permissions to all AWS services in each
AWS account.
Create one auditor IAM account and add a permissions policy that allows the
auditor to assume the ARN role for each AWS account that has an assigned role.
C. Create a custom identity broker application that allows the auditor to use
existing Amazon credentials to log into the AWS environments.
D. Create an IAM user for each AWS account with read-only permission policies
for the auditor, and disable each account when the audit is complete.
Answer: A
Q109. ExamKiller has hired a third-party security auditor, and the auditor needs
read-only access to all AWS resources and logs of all VPC records and events
that have occurred on AWS. How can ExamKiller meet the auditor's requirements
without compromising security in the AWS environment?
Choose the correct answer:
A. Create a role that has the required permissions for the auditor.
B. Create an SNS notification that sends the CloudTrail log files to the auditor's
email when CloudTrail delivers the logs to S3, but do not allow the auditor access
to the AWS environment.
C. ExamKiller should contact AWS as part of the shared responsibility model, and
AWS will grant required access to the third-party auditor.
D. Enable CloudTrail logging and create an IAM user who has read-only
permissions to the required AWS resources, including the bucket containing the
CloudTrail logs.
Answer: D
Q110. Your company has just set up a new document server on its AWS VPC,
and it has four very important clients that it wants to give access to. These clients
also have VPCs on AWS and it is through these VPCs that they will be given
accessibility to the document server. In addition, each of the clients should not
have access to any of the other clients' VPCs.
Choose the correct answer:
A. Set up VPC peering between your company's VPC and each of the clients'
VPCs.
B. Set up all the VPCs with the same CIDR but have your company's VPC as a
centralized VPC.
C. Set up VPC peering between your company's VPC and each of the clients'
VPCs, but block the IPs from CIDR of the clients' VPCs to deny them access to
each other.
D. Set up VPC peering between your company's VPC and each of the clients'
VPC. Each client should have VPC peering set up between each other to speed
up access time.
Answer: A
Explanation: VPC peering is not transitive. Peering your company's VPC with each
client's VPC gives every client a route to the document server only; a client
cannot reach another client's VPC through your VPC, so no additional blocking is
required.
Q111. You've been tasked with creating file level restore on your EC2 instances.
You need to be able to restore an individual lost file on an EC2 instance within 15
minutes of a reported loss of information. The acceptable RPO is several hours.
How would you perform this on an EC2 instance?
Choose the correct answer:
Answer: B
Explanation: The question asks how you restore a "single" file. Restoring a whole
volume would actually cause data loss if those other files were being updated.
Q112. Your job at a large scientific institution is moving along nicely. It is at the
forefront of the latest research on nano-technology, of which you have become
very passionate. You have been put in charge of scaling up some existing
infrastructure which currently has 9 EC2 instances running in a Placement Group.
All these 9 instances were initially launched at the same time and seem to be
performing as expected. You decide that you need to add 2 new instances to the
group; however, when you attempt to do this you receive a 'capacity error'. Which
of the following actions will most likely fix this problem?
Choose the correct answer:
A. Stop and restart the instances in the Placement Group and then try the launch
again.
B. Request a capacity increase from AWS as you are initially limited to 10
instances per Placement Group.
C. Make sure all the instances are the same size and then try the launch again.
D. Make a new Placement Group and launch the new instances in the new group.
Answer: A
Q113. ExamKiller has placed a set of on-premise resources with an AWS Direct
Connect provider. After establishing connections to a local AWS region in the US,
A. Add a BGP route as part of the on-premise router; this will route S3 related
traffic to the public S3 endpoint to dedicated AWS region.
B. Configure a private virtual interface to connect to the public S3 endpoint via
the Direct Connect connection.
C. Configure a public virtual interface to connect to a public S3 endpoint
resource.
D. Establish a VPN connection from the VPC to the public S3 endpoint.
Answer: C
Q114. Due to cost-cutting measures being implemented by your
organization, you have been told that you need to migrate some of your existing
resources to another region. The first task you have been given is to copy all of
your Amazon Machine Images from Asia Pacific (Sydney) to US West (Oregon).
One of the things that you are unsure of is how the PEM keys on your Amazon
Machine Images need to be migrated. Which of the following best describes how
your PEM keys are affected when AMIs are migrated between regions? Choose
the correct answer:
A. The PEM keys will also be copied across so you don't need to do anything
except launch the new instance.
B. The PEM keys will also be copied across; however, they will only work for
users who have already accessed them in the old region. If you need new users
to access the instances then new keys will need to be generated.
C. Neither the PEM key nor the authorized key is copied and consequently you
need to create new keys when you launch the new instance.
D. The PEM keys will not be copied to the new region but the authorization keys
will still be in the operating system of the AMI. You need to ensure when the new
AMI is launched that it is launched with the same PEM key name.
Answer: D
Explanation: EC2 key pairs are regional. The copied AMI still carries the
authorized_keys file baked into its root volume, but the key pair object is not
copied, so the same public key must be imported into the destination region (under
the name the launch will reference) before the instance is launched.
Q115. After having created a VPC with CIDR block 10.0.0.0/24 and launching it
as a working network you decide a few weeks later that it is too small and you
wish to make it larger. Which of the below options would accomplish this
successfully?
Answer: D
Q116. One of your work colleagues has just left and you have been handed
some of the infrastructure he set up. In one of the setups you start looking at, he
has created multiple components of a single application and all the components
are hosted on a single EC2 instance (without an ELB) in a VPC. You have been
told that this needs to be set up with two separate SSLs for each component.
Which of the following would best achieve the setting up of the two separate
SSLs while still only using one EC2 instance?
Choose the correct answer:
A. Create an EC2 instance which has multiple subnets attached to it and each
will have a separate IP address.
B. Create an EC2 instance with a NAT address.
C. Create an EC2 instance which has multiple network interfaces with multiple
elastic IP addresses.
D. Create an EC2 instance which has both an ACL and the security group
attached to it and have separate rules for each IP address.
Answer: C
A. Configure the RDS instance as the master and enable replication over the
open internet using a secure SSL endpoint to the on-premise server.
B. Create a Data Pipeline that exports the MySQL data each night and securely
downloads the data from an S3 HTTPS endpoint.
C. RDS cannot replicate to an on-premise database server. Instead, first
configure the RDS instance to replicate to an EC2 instance with core MySQL,
and then configure replication over a secure VPN/VPG connection.
D. Create a secure VPN connection using either OpenVPN or VPN/VGW
Answer: D
best practice to first create a dump of the database and copy it down, then
enable replication, since this uses the MySQL asynchronous replication feature.
A. Tag the instance with a production-identifying tag and modify the employees
group to allow only start, stop, and reboot api calls and not the terminate instance
call.
B. Modify the IAM policy on the user to require MFA before deleting EC2
instances
C. Tag the instance with a production-identifying tag and add resource-level
permissions to the employee user with an explicit deny on the terminate API call
to instances with the production tag.
D. Modify the IAM policy on the user to require MFA before deleting EC2
instances and disable MFA access to the employee
Answer: A,C
Explanation: The best method is to tag the production EC2 instances and use
resource-level permissions in an IAM policy to either grant or deny the allowed
actions. IAM evaluation starts from an implicit deny: an action is permitted only if
some policy explicitly allows it, and an explicit deny always overrides an allow. A
(allow only start, stop and reboot, so terminate stays implicitly denied) and C
(explicit deny on terminate for production-tagged instances) both achieve the goal,
which is why both are correct.
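To make the evaluation order concrete, here is a small policy evaluator written for this page as an added example; it is not AWS code and implements only the subset of IAM needed to walk through options A and C above, plus the MFA and source-IP conditions used in other answers on this page. The account ID, instance ID, bucket name and CIDR in the sample policies are constructed placeholders.

```python
"""Minimal IAM policy evaluator (added illustration, not AWS code).

Rules modelled: every request starts as an implicit deny; a matching
Allow grants it; a matching explicit Deny overrides any Allow.
Conditions supported: StringEquals (e.g. on ec2:ResourceTag/<key>),
Bool on aws:MultiFactorAuthPresent and IpAddress on aws:SourceIp.
Not modelled: Principal, NotAction, case-insensitive action names.
"""
import fnmatch
import ipaddress


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Every operator/key pair in the Condition block must hold."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual is None or actual not in _as_list(expected):
                    return False
            elif operator == "Bool":
                if str(actual).lower() != str(expected).lower():
                    return False
            elif operator == "IpAddress":
                if actual is None:
                    return False
                nets = [ipaddress.ip_network(n) for n in _as_list(expected)]
                if not any(ipaddress.ip_address(actual) in n for n in nets):
                    return False
            else:
                raise ValueError(f"unsupported condition operator {operator}")
    return True


def _statement_matches(stmt, action, resource, context):
    """Action and Resource patterns use IAM's '*' and '?' wildcards."""
    if not any(fnmatch.fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatchcase(resource, p)
               for p in _as_list(stmt.get("Resource", "*"))):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, resource, context):
    """Return 'Allow', 'ExplicitDeny' or 'ImplicitDeny' for one request."""
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if _statement_matches(stmt, action, resource, context):
                if stmt["Effect"] == "Deny":
                    return "ExplicitDeny"      # Deny wins; stop evaluating
                decision = "Allow"
    return decision


# Constructed sample data: account id, instance id, bucket and CIDR are made up.
PROD_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0abc123"

# Option C: broad EC2 allow plus an explicit deny on terminating anything
# tagged Environment=production.
EMPLOYEE_POLICIES = [
    {"Statement": [{"Effect": "Allow", "Action": "ec2:*", "Resource": "*"}]},
    {"Statement": [{
        "Effect": "Deny",
        "Action": "ec2:TerminateInstances",
        "Resource": "arn:aws:ec2:*:*:instance/*",
        "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "production"}},
    }]},
]

# Option A: only start/stop/reboot are allowed; terminate is never mentioned,
# so it stays implicitly denied.
RESTRICTED_POLICIES = [
    {"Statement": [{
        "Effect": "Allow",
        "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:RebootInstances"],
        "Resource": "arn:aws:ec2:*:*:instance/*",
    }]},
]

# Read-only access to a CloudTrail log bucket that also requires MFA and a
# known source network (the IP-condition and MFA answers elsewhere on the page).
AUDIT_BUCKET_POLICIES = [
    {"Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::cloudtrail-logs", "arn:aws:s3:::cloudtrail-logs/*"],
        "Condition": {
            "Bool": {"aws:MultiFactorAuthPresent": "true"},
            "IpAddress": {"aws:SourceIp": "203.0.113.0/24"},
        },
    }]},
]
```

Running the three policy sets through `evaluate` shows the two paths to the same outcome: under EMPLOYEE_POLICIES a terminate call on a production-tagged instance returns ExplicitDeny even though `ec2:*` is allowed, while under RESTRICTED_POLICIES it returns ImplicitDeny because nothing ever allowed it. The audit bucket policy denies (implicitly) as soon as either the MFA flag or the source address fails to match, which is how the MFA and IP conditions in the other answers on this page behave.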
Q119. You are building a large-scale confidential documentation web server on
AWS and all of the documentation for it will be stored on S3. One of the
requirements is that it cannot be publicly accessible from S3 directly, and you will
need to use CloudFront to accomplish this. Which of the methods listed below
would satisfy the requirements as outlined? Choose the correct answer:
A. Create individual policies for each bucket the documents are stored in and in
that policy grant access to only CloudFront.
B. Create an S3 bucket policy that lists the CloudFront distribution ID as the
Principal and the target bucket as the Amazon Resource Name (ARN).
C. Create an Origin Access Identity (OAI) for CloudFront and grant access to the
objects in your S3 bucket to that OAI.
D. Create an Identity and Access Management (IAM) user for CloudFront and
grant access to the objects in your S3 bucket to that IAM User.
Answer: C
Q120. You have been given a new brief from your supervisor for a client who
needs a web application set up on AWS. The most important requirement is that
MySQL must be used as the database, and this database must not be hosted in
the public cloud, but rather at the client's data center due to security risks. Which
of the following solutions would be the best to assure that the client's
A. Use the public subnet for the application server and use RDS with a storage
gateway to access and synchronize the data securely from the local data center.
B. Build the application server on a public subnet and build the database in a
private subnet with a secure ssh connection to the private subnet from the client's
data center.
C. Build the application server on a public subnet and the database at the client's
data center.
Connect them with a VPN connection which uses IPsec.
D. Build the application server on a public subnet and the database on a private
subnet with a NAT instance between them.
Answer: C
Q121. Once again your security officer is on your case and this time is asking
you to make sure the AWS Key Management Service (AWS KMS) is working as it
is supposed to. You are initially not too sure how KMS even works, however after
some intense late night reading you think you have come up with a reasonable
definition. Which of the following best describes how the AWS Key Management
Service works?
Choose the correct answer:
A. AWS KMS supports two kinds of keys -- master keys and data keys. Master
keys can be used to directly encrypt and decrypt up to 4 kilobytes of data and
can also be used to protect data keys. The data keys are then used to decrypt
the customer data, and the master keys are used to encrypt the customer data.
B. AWS KMS supports two kinds of keys -- master keys and data keys. Master
keys can be used to directly encrypt and decrypt up to 4 kilobytes of data and
can also be used to protect data keys. The data keys are then used to encrypt
the customer data and the master keys are used to decrypt the customer data.
C. AWS KMS supports two kinds of keys -- master keys and data keys. Master
keys can be used to directly encrypt and decrypt up to 4 kilobytes of data and
can also be used to protect data keys. The master keys are then used to encrypt
and decrypt customer data.
D. AWS KMS supports two kinds of keys -- master keys and data keys. Master
keys can be used to directly encrypt and decrypt up to 4 kilobytes of data and
can also be used to protect data keys. The data keys are then used to encrypt
Answer: D
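The key hierarchy in answer D, as an added example for this page rather than AWS code: a master key that never leaves the key service wraps per-object data keys, and the data keys do the bulk encryption. Because the Python standard library has no AES-GCM, the block substitutes an HMAC-SHA256 counter-mode cipher with an HMAC tag as a stand-in authenticated cipher; `ToyKeyService`, its 4 KB limit check and all sample data are constructed for illustration, and in production the data key comes from KMS GenerateDataKey and the data is encrypted with a real AEAD cipher.

```python
"""Envelope encryption with a master key and data keys (added example).

The stand-in cipher (HMAC-SHA256 keystream + HMAC tag) only exists so the
file runs offline; the key hierarchy is the point, not the cipher.
"""
import hashlib
import hmac
import secrets

NONCE_LEN, TAG_LEN = 16, 32


def _subkey(key, label):
    """Derive independent encryption and MAC keys from one 32-byte key."""
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_(key, blob):
    """Verify the tag before decrypting; raise on any modification."""
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream))


class ToyKeyService:
    """Hypothetical in-process stand-in for a KMS customer master key."""
    MAX_DIRECT_BYTES = 4096          # KMS Encrypt/Decrypt limit on the master key

    def __init__(self):
        self._master_key = secrets.token_bytes(32)   # never returned to callers

    def encrypt(self, plaintext):
        if len(plaintext) > self.MAX_DIRECT_BYTES:
            raise ValueError("master key encrypts at most 4 KB directly")
        return seal(self._master_key, plaintext)

    def decrypt(self, blob):
        return open_(self._master_key, blob)

    def generate_data_key(self):
        """Like KMS GenerateDataKey: plaintext key plus its wrapped form."""
        data_key = secrets.token_bytes(32)
        return data_key, self.encrypt(data_key)


def encrypt_envelope(kms, data):
    """Encrypt data of any size; the wrapped data key is stored beside it."""
    data_key, wrapped_key = kms.generate_data_key()
    return wrapped_key, seal(data_key, data)     # plaintext data key is dropped


def decrypt_envelope(kms, wrapped_key, blob):
    data_key = kms.decrypt(wrapped_key)          # unwrap with the master key
    return open_(data_key, blob)


def direct_encrypt_rejected(kms, size):
    """True if the master key refuses to encrypt `size` bytes directly."""
    try:
        kms.encrypt(b"\0" * size)
    except ValueError:
        return True
    return False


def tamper_detected(kms, wrapped_key, blob):
    """Flip one ciphertext bit and confirm decryption fails closed."""
    flipped = blob[:NONCE_LEN] + bytes([blob[NONCE_LEN] ^ 1]) + blob[NONCE_LEN + 1:]
    try:
        decrypt_envelope(kms, wrapped_key, flipped)
    except ValueError:
        return True
    return False
```

`encrypt_envelope` keeps only the wrapped data key next to the ciphertext, so whoever reads the stored object needs the key service (the master key) to recover the data key; pushing the whole payload through `ToyKeyService.encrypt` fails at the 4 KB limit, which is exactly why KMS hands out data keys instead of encrypting customer data with the master key.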
Q122. The Dynamic Host Configuration Protocol (DHCP) provides a standard for
79 yi
multiple sets of DHCP options, but you can associate only one set of DHCP
限 号
公
options with a VPC at a time. You have just created your first set of DHCP
options, associated it with your VPC but now realize that you have made an error
in setting them up and you need to change the options. Which of the following
options do you need to take to achieve this?
Choose the correct answer:
A. You must create a new set of DHCP options and associate them with your
VPC.
B. You can modify the options from the console or the CLI.
C. You need to stop all the instances in the VPC. You can then change the
options, and they will take effect when you start the instances.
D. You can modify the options from the CLI only, not from the console.
Answer: A
Q123. An auditor needs access to logs that record all API events on AWS. The
auditor only needs read-only access to the log files and does not need access to
each AWS account. ExamKiller has multiple AWS accounts, and the auditor
needs access to all the logs for all the accounts. What is the best way to
configure access for the auditor to view event logs from all accounts? Given the
current requirements, assume the method of "least privilege" security design and
only allow the auditor access to the minimum amount of AWS resources as
possible.
Choose the correct answer:
A. Configure the CloudTrail service in the primary AWS account and configure
consolidated billing for all the secondary accounts. Then grant the auditor access
C. Configure the CloudTrail service in each AWS account, and have the logs
permissions to the bucket via roles in the secondary accounts and a single
primary IAM account that can assume a read-only role in the secondary AWS
accounts.
D. Configure the CloudTrail service in each AWS account and have the logs
delivered to a single AWS bucket in the primary account and grant the auditor
access to that single bucket in the primary account.
Answer: D
Answer: C
durable and consistent traffic. Direct Connect meets this requirement. In the
event of a failover, a slower, less consistent private connection is acceptable. A
VPN connection meets this requirement.
Q125. Your company has just purchased some very expensive software which
also involved the addition of a unique license for it. You have been told to set this
up on an AWS EC2 instance; however, one of the problems is that the software
license has to be tied to a specific MAC address and from your experience with
AWS you know that every time an instance is restarted it will almost certainly lose
its MAC address. What would be a possible solution to this given the options
below?
A. Use a VPC with a private subnet and configure the MAC address to be tied to
that subnet.
B. Use a VPC with an elastic network interface that has a fixed MAC Address.
C. Make sure any EC2 Instance that you deploy has a static IP address that is
mapped to the MAC address.
D. Use a VPC with a private subnet for the license and a public subnet for the
EC2.
Answer: B
Q126. You have just developed a new mobile application that handles analytics
workloads on large scale datasets that are stored on Amazon Redshift.
Consequently, the application needs to access Amazon Redshift tables. Which of
the below methods would be the best, both practically and security-wise, to
access the tables?
Choose the correct answer:
A. Make a new user and generate encryption keys for that user. Create a policy
for RedShift read-only access. Embed the keys in the application.
B. Use roles that allow a web identity federated user to assume a role that allows
access to the RedShift table by providing temporary credentials.
C. Create a HSM client certificate in Redshift and authenticate using this
certificate.
D. Create a RedShift read-only access policy in IAM and embed those
credentials in the application.
Answer: B
Q127. You've been working on a CloudFront whole site CDN for ExamKiller client.
After configuring the whole site CDN with a custom CNAME and supported
HTTPS custom domain (i.e., https://example.com) you open example.com and
are receiving the following error: CloudFront wasn't able to connect to the origin.
What might be the most likely cause of this error and how would you fix it?
Choose the correct answer:
A. The HTTPS certificate is expired or missing a third party signer. To resolve this
purchase and add a new SSL certificate.
B. The Origin Protocol Policy is set to Match Viewer and HTTPS isn't configured
on the origin.
C. TCP HTTPS isn't configured on the CloudFront distribution but is configured
Answer: B
Q128. You have been given the task of designing a backup strategy for your
organization's AWS resources with the only caveat being that you must use the
AWS Storage Gateway. Which of the following is the most correct statement
A. You should use Gateway-Cached Volumes. You will have quicker access to
the data, and it is a more preferred backup solution than Gateway-Stored
Volumes.
B. You should use the Gateway-Virtual Tape Library (VTL) as Gateway-Cached
Volumes and Gateway-Stored Volumes cannot be used for backups.
C. It doesn't matter whether you use Gateway-Cached Volumes or
Gateway-Stored Volumes as long as you also combine either of these solutions
with the Gateway-Virtual Tape Library (VTL).
D. You should use Gateway-Stored Volumes as it is preferable to
Gateway-Cached Volumes as a backup storage medium.
Answer: D
Q129. You're running a financial application on an EC2 instance. Data being
stored in the instance is critical and in the event of a failure of an EBS volume the
RTO and RPO are less than 1 minute. How would you architect this application
given the RTO and RPO requirements? Choose the correct answer:
A. Stripe multiple EBS volumes together with RAID 1, which provides fault
tolerance on EBS volumes.
B. Nothing is required since EBS volumes are durably backed up to additional
hardware in the same availability zone.
C. Write a script to create automated snapshots of the EBS volumes every
minute. In the event of failure have an automated script that detects failure and
launches a new volume from the most recent snapshot.
D. Stripe multiple EBS volumes together with RAID 0, which provides fault
tolerance on EBS volumes.
Answer: A
Explanation: RAID 1 mirrors the volumes, which provides additional fault
tolerance but no increase in performance. When higher availability and fault
tolerance in the event of a volume failure are required, RAID 1 accomplishes this
because the surviving EBS volume is already running and has the most recent
data available.
使
Q130. An online gaming server in which you have recently increased its IOPS
would be the best solution for this to increase throughput? Choose the correct
answer:
B. Use instance store backed instances and stripe the attached ephemeral
Answer: B
Answer: D
Q132. Due to a lot of your EC2 services going off line at least once a week for no
apparent reason your security officer has told you that you need to tighten up the
logging of all events that occur on your AWS account. He wants to be able to
access all events that occur on the account across all regions quickly and in the
simplest way possible. He also wants to make sure he is the only person that has
access to these events in the most secure way possible. Which of the following
would be the best solution to assure his requirements are met? Choose the
correct answer:
A. Use CloudTrail to send all API calls to CloudWatch and send an email to the
security officer every time an API call is made. Make sure the emails are
encrypted.
B. Use CloudTrail to log all events to an Amazon Glacier Vault. Make sure the
vault access policy only grants access to the security officer's IP address.
C. Use CloudTrail to log all events to one S3 bucket. Make this S3 bucket only
accessible by your security officer with a bucket policy that restricts access to his
user only and also add MFA to the policy for a further level of security.
D. Use CloudTrail to log all events to a separate S3 bucket in each region as
CloudTrail cannot write to a bucket in a different region. Use MFA and bucket
policies on all the different buckets.
Answer: C
Q133. You are setting up a VPN for a customer to connect his remote network to
his Amazon VPC environment. There are a number of ways to accomplish this
and to help you decide you have been given a list of the things that the customer
has specified that the network needs to be able to do. They are as follows:
- Predictable network performance
- Support for BGP peering and routing policies
- A secure IPsec VPN connection but not over the Internet
Which of the following VPN options would best satisfy the customer's
requirements? Choose the correct answer:
A. AWS Direct Connect and IPsec Hardware VPN connection over private lines
B. Software appliance-based VPN connection with IPsec
C. AWS Direct Connect with AWS VPN CloudHub
D. AWS VPN CloudHub
Answer: A
Q134. When you create a subnet, you specify the CIDR block for the subnet. The
CIDR block of a subnet can be the same as the CIDR block for the VPC (for a
single subnet in the VPC), or a subset (to enable multiple subnets). The allowed
block size is between a /28 netmask and /16 netmask. You decide to create
a VPC with CIDR block 10.0.0.0/24. Therefore what is the maximum allowed
number of IP addresses and the minimum allowed number of IP addresses
according to AWS and what is the number of IP addresses supported by the VPC
you created? Choose the correct answer:
A. Maximum is 256 and the minimum is 16 and the one created supports 24 IP
addresses
B. Maximum is 65,536 and the minimum is 16 and the one created supports 256
IP addresses
addresses
D. Maximum is 65,536 and the minimum is 24 and the one created supports 28
IP addresses
Answer: B
Q135. You've created a mobile application that serves data stored in an Amazon
DynamoDB table. Your primary concern is scalability of the application and being
able to handle millions of visitors and data requests. As part of your application,
the customer needs access to the data located in the DynamoDB table. Given
the application requirements, what would be the best method for designing the
application?
Choose the correct answer:
A. Let the users sign in to the app using a third party identity provider such as
Amazon, Google, or Facebook. Use the AssumeRoleWithWebIdentity API call to
assume the role containing the proper permissions to communicate with the
DynamoDB table. Write the application in JavaScript and host the JavaScript
interface in an S3 bucket.
B. Let the users sign into the app using a third party identity provider such as
Amazon, Google, or Facebook. Use the AssumeRoleWithWebIdentity API call to
assume the role containing the proper permissions to communicate with the
DynamoDB table. Write the application in a server-side language using the AWS
SDK and host the application in an S3 bucket for scalability.
C. Let the users sign into the app using a third party identity provider such as
Amazon, Google, or Facebook. Use the AssumeRoleWith API call to assume the
role containing the proper permissions to communicate with the DynamoDB table.
Write the application in JavaScript and host the JavaScript interface in an S3
bucket.
D. Configure an on-premise AD server utilizing SAML 2.0 to manage the
application users inside of the on-premise AD server and write code that
authenticates against the LDAP servers. Grant a role assigned to the STS token to
allow the end-user to access the required data in the DynamoDB table.
Answer: A
integrate into AWS services such as STS and DynamoDB. Since it is a client-side
programming language, using this and hosting it in an S3 bucket, allows the web
application to scale. Using a web identity provider, you will not have to manage
any user accounts or user databases.
Q136. A large multi-national corporation has come to you and asked if you can
provide a high availability and disaster recovery plan for their organization. Their
primary concern is not to lose any data so they are fine if there is a longer
recovery time as it will presumably save on cost. Which of the following options
would be the best one for this corporation, given the concerns that they have
IP and Route 53 to quickly switch over to your new infrastructure if there are any
B. Set up a number of smaller instances in a different region, which all have Auto
Scaling and Elastic Load Balancing enabled. If there is a network outage, then
these instances will auto scale up. As long as spot instances are used and the
instances are small this should remain a cost effective solution.
C. Make sure you have RDS set up as an asynchronous Multi-AZ deployment,
which automatically provisions and maintains an asynchronous "standby" replica
in a different Availability Zone.
D. Backing up and restoring with S3 should be considered due to the low cost of S3
storage. Back up frequently and the data can be sent to S3 using either Direct
Connect or Storage Gateway, or over the Internet.
Answer: D
Q137. You are excited to have just been employed by a large scientific institution
that is at the cutting edge of high-performance computing. Your first job is to
launch 10 Large EC2 instances which will all be used to crunch huge amounts of
data and will also need to pass this data back and forth between each other.
Which of the following would be the most efficient setup to achieve this?
Choose the correct answer:
A. Use Placement Groups and launch the 10 instances at the same time.
B. Use Placement Groups. Make sure the 10 Instances are spread evenly across
Availability Zones.
C. Use the largest EC2 instances currently available on AWS, but make sure they
are all in the same Availability Zone.
D. Use the largest EC2 instances currently available on AWS, but make sure they
are all in the same region.
Answer: A
single MAC address. Since an EC2 instance can receive a new MAC address
when launching new instances, how can you ensure that your EC2 instance can
maintain a single MAC address for licensing? Choose the correct answer:
A. Private subnets have static MAC addresses. Launch the EC2 instance in a
private subnet and, if required, use a NAT to serve data over the internet.
B. Configure a manual MAC address for each EC2 instance and report that to the
licensing company.
C. AWS cannot have a fixed MAC address; the best solution is to create a
D. Create an ENI and assign it to the EC2 instance. The ENI will have a static
MAC address and can be detached and reattached to a new instance if the
Answer: D
Explanation: MAC addresses are assigned to an ENI. EC2 allows the creation of
an ENI that will maintain state for as long as allowed in the EC2 instance; this
works exactly like an Elastic IP address.
Q139. You are setting up a video streaming service with the main components of
the set up being S3, CloudFront and Transcoder. Your video content will be
stored on AWS S3, and your first job is to upload 10 videos to S3 and make sure
they are secure before you even begin to start thinking of streaming the videos.
The 10 videos have just finished uploading to S3, so you now need to secure
them with encryption at rest. Which of the following would be the best way to do
this? Choose the correct answer:
A. Set an API flag, or check a box in the AWS Management Console, to have
data encrypted in Amazon S3.
B. Encrypt your data using AES-256. After the object is encrypted, the encryption
key you used needs to be stored on AWS CloudFront.
C. Use AWS CloudHSM appliance with both physical and logical tamper
detection and response mechanisms that trigger zeroization of the appliance.
D. Use KMS to decrypt source data and encrypt resulting output. Also, use Origin
Access Identity on your CloudFront distribution, so content is only able to be
served via CloudFront, not S3 URLs.
Answer: D
check to register as healthy.
How might the issue be resolved?
Choose the correct answer:
A. Change the ELB listener port from HTTP port 80 to TCP port 80 for the
instance to register as healthy
B. Change the ELB listener port from HTTP port 80 to HTTPS port 80 for the
C. Change the ELB listener port from ping port 80 to HTTPS port 80 for the
D. Change the ELB listener port from HTTP port 80 to TCP port 443 for the
Answer: A
Q141. Your final task that will complete a cloud migration for a customer is to set
up an Active Directory service for him so that he can use Microsoft Active
Directory with the newly-deployed AWS services. After reading the AWS
documentation for this, you discover there are 3 options available to set up the
AWS Directory Service. You call the customer for more information about his
requirements, and he tells you he has 5,000 users on his AD service and wants
to be able to use his existing on-premises directory with AWS services. Which of
the following options for setting up the AWS Directory Service would be the most
appropriate for your customer? Choose the correct answer:
Explanation: AD Connector is your best choice when you want to use your
existing on-premises directory with AWS services. A large AD Connector can
support up to 5,000 users.
Q142. ExamKiller is running a production load Redshift cluster for a client. The
client has an RTO of one hour and an RPO of one day. While
configuring the initial cluster what configuration would best meet the recovery
needs of the client for this specific Redshift cluster configuration?
Choose the correct answer:
A. Enable automatic snapshots and configure automatic snapshot copy from the
current production cluster to the disaster recovery region.
B. Create the cluster configuration and enable Redshift replication from the
cluster running in the primary region to the cluster running in the secondary
region. In the event of a disaster, change the DNS endpoint to the secondary
cluster's leader node.
C. Enable automatic snapshots on a Redshift cluster. In the event of a disaster, a
failover to the backup region is needed. Manually copy the snapshot from the
primary region to the secondary region.
D. Enable automatic snapshots on the cluster in the production region FROM the
disaster recovery region so snapshots are available in the disaster recovery
Answer: A
Explanation: Copying a snapshot from the current region to the disaster region
after a disaster occurs isn't possible. One assumes the region or AZ will be
and automatic snapshot copy ensures that daily snapshots meeting your RPO
are available in the disaster recovery region. If the snapshots are available in the
event of disaster, the RTO will be less than one hour or equal to the amount of
time it takes for AWS to launch the cluster and copy the data from the snapshot
to the cluster.
Q143. You have acquired a new contract from a client to move all of his existing
infrastructure onto AWS. You notice that he is running some of his applications
using multicast, and he needs to keep it running as such when it is migrated to
AWS. You discover that multicast is not available on AWS, as you cannot
manage multiple subnets on a single interface on AWS and a subnet can only
belong to one availability zone. Which of the following would enable you to
deploy legacy applications on AWS that require multicast?
Choose the correct answer:
A. Create all the subnets on a different VPC and use VPC peering between them.
B. Create a virtual overlay network that runs on the OS level of the instance.
C. Provide Elastic Network Interfaces between the subnets.
D. All of the answers listed will help in deploying applications that require
multicast on AWS.
Answer: B
Q144. You are designing multi-region architecture and you want to send users to
a geographic location based on latency-based routing, which seems simple
enough; however, you also want to use weighted-based routing among resources
within that region. Which of the below setups would best accomplish this?
Choose the correct answer:
A. You will need to use AAAA - IPv6 addresses when you define your weighted
based record sets.
B. You will need to use complex routing (nested record sets) and ensure that you
define the latency-based records first.
C. This cannot be done. You can't use different routing records together.
D. You will need to use complex routing (nested record sets) and ensure that you
define the weighted resource record sets first.
Answer: D
Q145. ExamKiller is consulting for a company that runs their current application
entirely on-premise. However, they are expecting a big boost in traffic
tomorrow and need to figure out a way to decrease the load to handle the scale.
Unfortunately, they cannot migrate their application to AWS in the period required.
What could they do with their current on-premise application to help offload some
Answer: B
Explanation: The company cannot send or migrate any data to AWS. However,
DNS changes and a CloudFront distribution can be provisioned in enough time to
help offload some of the demand onto AWS edge locations by creating a whole
site CDN.
Q146. ExamKiller is hosting an Nginx web application. They want to use EMR to
create EMR jobs that sift through all of the web server logs and error logs to pull
statistics on click stream and errors based off of client IP address.
Given the requirements what would be the best method for collecting the log data
and analyzing it automatically?
Choose the correct answer:
A. Configure ELB access logs then create a Data Pipeline job which imports the
logs from an S3 bucket into EMR for analyzing and output the EMR data into a
new S3 bucket.
B. If the application is using HTTP, configure proxy protocol to pass the client IP
address in a new HTTP header. If the application is using TCP, modify the
application code to pull the client IP into the x-forward-for header so the web
servers can parse it.
C. If the application is using TCP, configure proxy protocol to pass the client IP
address in a new TCP header. If the application is using HTTP, modify the
application code to pull the client IP into the x-forward-for header so the web
servers can parse it.
D. Configure ELB error logs then create a Data Pipeline job which imports the
logs from an S3 bucket into EMR for analyzing and outputs the EMR data into a
new S3 bucket.
Answer: C
Q147. ExamKiller is running a web application that has a high amount of dynamic
solution that will help reduce load times for clients requesting the application.
What is the best possible solution and why? Choose the correct answer:
A. Create a CloudFront distribution, enable query string forwarding, set the TTL
to 0: This will keep TCP connections open from CloudFront to origin, reducing the
time it takes for TCP handshake to occur.
B. Create an ElastiCache cluster, write code that caches the correct dynamic
content and places it in front of the RDS dynamic content. This will reduce the
amount of time it takes to request the dynamic content since it is cached.
C. Offload the DNS to Route 53; Route 53 has DNS servers all around the world
and routes the request to the closest region which reduces DNS latency.
D. Create a CloudFront distribution; disable query string forwarding, set the TTL
to 0. This will keep TCP connections open from CloudFront to origin, reducing the
time it takes for TCP handshake to occur.
Answer: A
Explanation: CloudFront uses KeepAlive features to keep TCP connections open
from the edge location to the CloudFront origin. This reduces the time it takes for
the TCP handshake to occur. Only the initial requests have to perform the full
TCP handshake. This will substantially reduce load time for thousands of
requests per minute or greater.
Q148. You have created a VPC with CIDR block 10.0.0.0/24, which supports 256
IP addresses. You want to now split this into two subnets, each supporting 128 IP
addresses and allowing for 123 host addresses. Can this be done and if so how
will the allocation of IP addresses be configured? Choose the correct answer:
A. One subnet will use CIDR block 10.0.0.0/127 (for addresses 10.0.0.0 -
10.0.0.127) and the other will use CIDR block 10.0.0.128/255 (for addresses
10.0.0.128 - 10.0.0.255).
B. One subnet will use CIDR block 10.0.0.0/25 (for addresses 10.0.0.0 -
10.0.0.127) and the other will use CIDR block 10.0.0.128/25 (for addresses
10.0.0.128 - 10.0.0.255).
C. No. This can't be done.
D. One subnet will use CIDR block 10.0.0.0/25 (for addresses 10.0.0.0 -
10.0.0.127) and the other will use CIDR block 10.0.1.0/25 (for addresses 10.0.1.0
- 10.0.1.127).
Answer: B
Q149. A new client may use your company to move all their existing Data Center
your company, and you have been handed the entire contract and need to
provide an initial scope to this possible new client. One of the things you notice
applications that you are almost certain will not work on AWS. Which of the
following would be the best strategy to employ regarding the migration of these
A. Move the legacy applications onto AWS first, before you build any
infrastructure. There is sure to be an AWS Machine Image that can run this
legacy application.
B. Convince the client to look for another solution by de-commissioning these
applications and seeking out new ones that will run on AWS.
C. Create a hybrid cloud by configuring a VPN tunnel to the on-premises location
of the Data Center.
D. Create two VPCs. One containing all the legacy applications and the other
containing all the other applications. Make a connection between them with VPC
peering.
Answer: C
Q150. You have been told by your security officer that you need to give a
presentation on encryption on data at rest on AWS to 50 of your co-workers. You
feel like you understand this extremely well regarding data stored on AWS S3 so
you aren't too concerned, but you begin to panic a little when you realize you also
probably need to talk about encryption on data stored on your databases, namely
Amazon RDS. Regarding Amazon RDS encryption, which of the following
statements is the truest?
Choose the correct answer:
C. Encryption cannot be enabled on RDS instances unless the keys are not
managed by KMS.
D. Encryption can be enabled on RDS instances to encrypt the underlying
storage, but you cannot encrypt snapshots as they are created.
Answer: B
AWS with an initial deployment of 100 EC2 Instances. Your CIO has given you
- You need to use Elastic Beanstalk to deploy this infrastructure. Which of the
A. You should create routing rules which will route all outbound traffic from the
EC2 instances through NAT.
B. All of the listed criteria are needed to ensure the scope is followed.
C. You should create a public and private subnet for VPC in each Availability
Zone.
D. You should route all outbound traffic from EC2 instances through NAT.
Answer: B
Q152. After the Government organization you work for suffers its 3rd DDoS
attack of the year you have been handed one part of a strategy to try and stop
this from happening again. You have been told that your job is to minimize the
attack surface area. You do have a vague idea of some of the things you need to
put in place to achieve this. Which of the following is NOT one of the ways to
minimize the attack surface area as a DDOS minimization strategy? Choose the
correct answer:
Answer: A
Q153. ExamKiller has three consolidated billing accounts; dev, staging, and
production. The dev account has purchased two reserved instances with instance
type of m4.large in Availability Zone 1a. However, no instances are running on
the dev account, but an m4.large is running in the staging account inside of
availability zone 1a. Who can receive the pricing? Choose the correct answer:
A. No account will receive the reservation pricing because the reservation was
purchased on the dev account and no instances that match the reservation are
running in the dev account.
B. The reserved instance pricing will still be applied because the staging account
is running an instance that matches the reservation.
C. All accounts running the m4.large will receive the pricing even if there is only
D. Only the primary account (the consolidated billing primary account) will
receive discounted pricing if the instance is running in the primary billing account.
Answer: B
Explanation: Like volume discounts, reserved instances will work across all
accounts that are connected to consolidated billing. Since billing is at the payee
level, consolidated billing does not care which account purchases or uses a
reserved instance. This is a consideration if BCJC wants to host customer
accounts as part of their consolidated billing.
Q154. You are the administrator for a new startup company which has a
production account and a development account on AWS. Up until this point, no
one has had access to the production account except yourself. There are 20
people on the development account who now need various levels of access
provided to them on the production account. 10 of them need read-only access to
all resources on the production account, 5 of them need read/write access to
EC2 resources, and the remaining 5 only need read-only access to S3 buckets.
Which of the following options would be the best way, both practically and
security-wise, to accomplish this task? Choose the correct answer:
A. Create encryption keys for each of the resources that need access and
provide those keys to each user depending on the access required.
B. Copy the 20 users' IAM accounts from the development account to the
production account.
Then change the access levels for each user on the production account.
C. Create 3 new users on the production account with the various levels of
permissions needed.
Give each of the 20 users the login for whichever one of the 3 accounts they
need depending on the level of access required.
D. Create 3 roles in the production account with a different policy for each of the
access levels needed. Add permissions to each IAM user on the developer
account.
Answer: D
Q155. You're consulting for a company that is migrating its legacy application to
the AWS cloud. In order to apply high availability, you've decided to implement
Elastic Load Balancer and Auto Scaling services to serve traffic to this legacy
application. The legacy application is not a standard HTTP web application but is
a custom application with custom code that is run internally for the employees of
the company you are consulting. The ports required to be open are port 80 and
port 8080. What listener configuration would you create?
Choose the correct answer:
A. Configure the load balancer with the following ports: HTTP:80 and HTTP:8080
B. Configure the load balancer with the following ports: HTTP:80 and HTTP:8080
C. Configure the load balancer with the following ports: HTTP:80 and HTTP:8080
D. Configure the load balancer with the following ports: TCP:80 and TCP:8080
Answer: D
Explanation: The ELB will not work correctly if using Layer 7 HTTP and the
application does not respond back with standard HTTP response codes. To
support this type of application TCP ports are required.
Q156. ExamKiller has many employees who need to run internal applications
that access the company's AWS resources. These employees already have user
credentials in the company's current identity authentication system, which does
not support SAML 2.0. The company does not want to create a separate IAM
user for each company employee.
How should the SSO setup be designed?
Choose the 2 correct answers:
A. Create a custom identity broker application which authenticates the
employees using the existing system, uses the GetFederationToken API call and
passes a permission policy to gain temporary access credentials from STS.
B. Create a custom identity broker application which authenticates employees
using the existing system and uses the AssumeRole API call to gain temporary,
role-based access to AWS.
C. Create an IAM user to share based off of employee roles in the company.
D. Configure an AD server which synchronizes from the company's current
Identity Provider and configures SAML-based single sign-on which will then use
the AssumeRoleWithSAML API calls to generate credentials for the employees.
Answer: A,B
Q157. After configuring a whole site CDN on CloudFront you receive the
following error: This distribution is not configured to allow the HTTP request
method that was used for this request.
The distribution supports only cachable requests.
What is the most likely cause of this?
Choose the correct answer:
A. Allowed HTTP methods on that specific origin are only accepting GET, HEAD
B. The CloudFront distribution is configured to the wrong origin
C. Allowed HTTP methods on that specific origin are only accepting GET, HEAD,
OPTIONS
D. Allowed HTTP methods on that specific origin are only accepting GET, HEAD,
Answer: A
requests. Responses to other requests which use other methods are not cached
by CloudFront.
Q158. ExamKiller is running a data application on-premise that requires large
amounts of data to be transferred to a VPC containing EC2 instances in an AWS
region. ExamKiller is concerned about the total overall transfer costs required for
this application and is potentially not going to deploy a hybrid environment for the
customer-facing part of the application to run in a VPC. Given that the data
transferred to AWS is new data every time, what suggestions could you make to
ExamKiller to help reduce the overall cost of data transfer to AWS? Choose the
correct answer:
Answer: A
Q159. You are running an online gaming server, with one of its requirements
being a need for 100,000 IOPS of write performance on its EBS volumes. Given
the fact that EBS volumes can only provision a maximum of 20,000 IOPS,
which of the following would be a reasonable solution if instance bandwidth is not
an issue?
Choose the correct answer:
C. Use Auto Scaling to use spot instances when required to increase the IOPS
write performance when required.
D. Create a RAID 0 configuration for five 20,000 IOPS EBS volumes.
Answer: D
Q160. DDoS attacks that happen at the application layer commonly target web
mitigate these types of attacks, you will probably want to include a WAF (Web
WAFs sit in-line with your application traffic. Unfortunately, this creates a scenario
where WAFs can become a point of failure or bottleneck. To mitigate this problem,
you need the ability to run multiple WAFs on demand during traffic spikes. This
type of scaling for WAF is done via a "WAF sandwich." Which of the following
A. The EC2 instance running your WAF software is placed between your public
subnets and your private subnets.
B. The EC2 instance running your WAF software is included in an Auto Scaling
group and placed in between two Elastic load balancers.
C. The EC2 instance running your WAF software is placed between your public
subnets and your Internet Gateway.
D. The EC2 instance running your WAF software is placed between your private
subnets and any NATed connections to the Internet.
Answer: B
Q161. In an attempt to cut costs your accounts manager has come to you and
tells you that he thinks that if the company starts to use consolidated billing that it
will save some money. He also wants the billing set up in such a way that it is
relatively simple, and it gives insights into the environment regarding utilization of
resources. Which of the following consolidated billing setups would satisfy your
account manager's needs?
Choose the 2 correct answers:
Answer: A,D
table, which contains the results of an online polling system. Given this
information, what would be the best and most cost-saving method for architecting
and developing this application? Choose the correct answer:
A. Create a CloudFront distribution that serves the HTML web page, but send the
visitors to an Auto Scaling ELB application pointing to EC2 instances.
B. Deploy an Auto Scaling application with Elastic Load Balancer pointing to EC2
instances that use a server-side SDK to communicate with the DynamoDB table.
C. Use the JavaScript SDK and build a static HTML page, hosted inside of an
Amazon S3 bucket; use CloudFront and Route 53 to serve the website, which
D. Create a Lambda script, which pulls the most recent DynamoDB polling results
and creates a custom HTML page, inside of Amazon S3 and use CloudFront and
Answer: C
A. Set up the database in a local data center and use a private gateway to
connect the application to the database.
B. Set up the public website on a public subnet and set up the database in a
private subnet which connects to the Internet via a NAT instance.
C. Set up the database in a private subnet with a security group which only
allows outbound traffic.
D. Set up the database in a public subnet with a security group which only allows
inbound traffic.
Answer: B
散
Q164. ExamKiller needs to configure a NAT gateway for its internal AWS
扩
applications to be able to download patches and package software. Currently,
禁
they are running a NAT instance that is using the floating IP scripting
严
configuration to create fault tolerance for the NAT. The NAT gateway needs to be
,
built with fault tolerance in mind to meet the needs of ExamKiller. What is the
用
best way to configure the NAT gateway with fault tolerance? Choose the correct
使
answer:
人
97 oo 魔
个
46 ze 算狂
A. Create one NAT gateway in a public subnet; create a route from the public
13 k
]号
B. Create two NAT gateways in a public subnet; create a route from the private
30 _b
C. Create two NAT gateways in a public subnet; create a route from the private
79 yi
D. Create one NAT gateway in a public subnet; create a route from the private
限 号
公
Answer: D
Explanation: NAT Gateways already have built-in fault tolerance. From the docs:
"Each NAT gateway is created in a specific Availability Zone and implemented
with redundancy in that zone." Granted, fault tolerance != redundancy, but in this
case the redundancy is a building block for creating a fault tolerant gateway. So
creating multiple NAT gateways in the same subnet doesn't make sense. Instead,
you might argue that you need to create multiple gateways in different AZs, so
that if one AZ goes down, you have a backup - but none of the possible answers
provide this solution so you need to pick the best answer out of the available
options.
Q165. You're working as a consultant for a company that has a three tier
application. The application layer of this architecture sends over 20Gbps of data
to and from Amazon S3 during peak hours. Currently, you're running
two NAT gateways in two subnets to transfer the data from your private
application layer to Amazon S3. You will also need to ensure that the instances
receive software patches from a third party repository.
What architecture changes should be made, if any?
Choose the correct answer:
A. Remove the NAT gateway and create a VPC S3 endpoint which allows for
higher bandwidth throughput as well as tighter security.
B. Keep the NAT gateway and create a VPC S3 endpoint which allows for higher
bandwidth throughput as well as tighter security.
C. NAT gateways support 10Gbps and two are running: No changes are required
to improve this architecture.
D. NAT gateways support 10Gbps and two are running: Add a third to a third
subnet to allow for any increase in demand.
Answer: B
Explanation: S3 endpoints use the private AWS network for data transfer. These
endpoints do not have the same bandwidth limitations as NAT gateways since it
is all done through the internal network. This is also an additional layer of security.
In order to ensure that the instances can reach a third party repo a NAT gateway
is still required for communication over the internet.
Q166. The company you work for has a huge amount of infrastructure built on
AWS. However, there have been some concerns recently about the security of this
infrastructure, and an external auditor has been given the task of running a
thorough check of all of your company's AWS assets. The auditor will be in the
USA while your company's infrastructure resides in the Asia Pacific (Sydney)
region on AWS. Initially, he needs to check all of your VPC assets, specifically
security groups and NACLs. You have been assigned the task of providing the
auditor with a login to be able to do this. Which of the following would be the best
and most secure solution to provide the auditor with so he can begin his initial
investigations? Choose the correct answer:
A. Create an IAM user who will have read-only access to your AWS VPC
infrastructure and provide the auditor with those credentials.
B. Create an IAM user tied to an administrator role. Also provide an additional
level of security with MFA.
C. Create an IAM user with full VPC access but set a condition that will not allow
him to modify anything if the request is from any IP other than his own.
D. Give him root access to your AWS Infrastructure, because he is an auditor he
will need access to every service.
Answer: A
Q167. You've configured an AWS VPC and several EC2 instances running
MongoDB with an internal IP address of 10.0.2.1. To simplify failover and
connectivity to the instance, you create an internal Route 53 A record called
mongodb.example.com. You have a VPN connection from on-premise to your
VPC and are attempting to connect an on-premise VMWare instance to
mongodb.example.com, but the DNS will not resolve.
Given the current design, why is the internal DNS record not resolving
on-premise? Choose the correct answer:
A. Route 53 internal DNS records only work if the DNS request originates from
within the VPC.
B. The on-premise VM instance needs to have an /etc/resolv.conf record pointing
to the Route53 internal DNS server.
C. A public Route 53 resource record was created using the private IP address
instead of an internal DNS record.
D. The VPN is not configured to use BGP dynamic routing and a static route is
not configured from the on-premise subnet to the VPC subnet with the MongoDB
server.
Answer: A
Explanation: Internal Route 53 resource record sets only work if the originating
request is made from within the VPC. Internal Route 53 record sets cannot be
Q168. You are setting up a website for a small startup company. You have built
them what you believe to be a great solution on AWS for the money they wanted
to spend. It is a very image intensive site, so you have utilized CloudFront to help
with the serving of images. The client complains to you, however, that he requires
a custom domain name when serving up this content that should work with https
A. You must provision and configure your own SSL certificate in IAM and
associate it to your CloudFront distribution.
B. You must provision and configure an ALIAS in Route 53 and associate it to
your CloudFront distribution
C. You must provision and configure your own SSL certificate in Route 53 and
associate it to your CloudFront distribution.
D. You must create an Origin Access Identity (OAI) for CloudFront and grant
access to the objects in your S3 bucket where the images are stored.
Answer: A
Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the
user's AWS account. It enables the user to launch AWS resources into a virtual
network that the user has defined. AWS provides two features that the user can
use to increase security in a VPC: security groups and network ACLs. Security
groups work at the instance level, while network ACLs work at the subnet level.
A network ACL allows both allow and deny rules. Thus, when the user wants to
reject traffic from selected IPs, it is recommended to use a network ACL on the
subnets.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
Explanation: A user can increase the desired capacity of the Auto Scaling group
and Auto Scaling will launch a new instance as per the new capacity. The newly
launched instances will be registered with the ELB if the Auto Scaling group is
configured with an ELB. If the user decreases the minimum size, the instances
will be removed from Auto Scaling. Increasing the maximum size will not add
instances but only
Q505. You have been charged with investigating cloud security options for your
company in light of recent suspected threats. You are aware that certain AWS
services can help mitigate DDoS attacks, and you are specifically looking for a
service that provides protection from counterfeit requests (Layer 7) or SYN floods
(Layer 3). Which services provide this protection? (Choose 2 answers)
Reference:
http://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html
Q506. You are utilizing the AWS CLI to link a CloudWatch event to an auto
scaling policy. The command you are using is mon-put-metric-alarm. You wish to
monitor average CPU utilization for a period of 60 seconds with an evaluation
period of 3 intervals, for an event of 80% or greater level. What is the proper
syntax for your command? (Fill in the blank) put-metric-alarm --alarm-name
Answer: D
Answer: B,C,D
updates.
desired configuration.
. From the new environment's dashboard, choose Actions and then choose Swap
Environment URLs.
Reference:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.CNAMESwap.html
Q508. You are designing a new VPC for the HR team in your company to run
their workload. This VPC should be able to host around 200 EC2 instances, and
the workload is not expected to exceed 240 EC2 instances at any time. As the
HR team is broken into 8 smaller sub-groups, you would like to create a private
subnet for each group, in addition to one public subnet for any public-facing
requirements. This VPC will be peered with your account management VPC with
the address block of 172.27.1.0/24 for common or shared resources. Which
CIDR combination is valid given these requirements?
A. Use 172.27.0.0/24 for the VPC and /28 netmask for all subnets in the VPC.
B. Use 172.27.0.0/24 for the VPC and /27 netmask for all subnets in the VPC.
C. Use 172.27.0.0/23 for the VPC and /27 netmask for all subnets in the VPC.
D. Use 172.27.0.0/16 for the VPC and /24 netmask for all subnets in the VPC.
Answer: A
Explanation: Given the requirements you need to create 9 subnets in this VPC.
. Using 172.27.0.0/24 for the VPC and a /27 netmask for all subnets in the VPC is
incorrect because a /27 netmask reserves 32 addresses per subnet, so you will
not be able to create 9 subnets in your 256-address VPC.
. Using 172.27.0.0/24 for the VPC and a /28 netmask for all subnets in the VPC
is correct, although it doesn't consume all of the 256 addresses in your VPC.
. Using 172.27.0.0/16 for the VPC and a /24 netmask for all subnets in the VPC is
incorrect because you need to peer the VPC with the Management VPC and the
/16 range will create a conflict.
. Using 172.27.0.0/23 for the VPC and a /27 netmask for all subnets in the VPC is
incorrect because it will conflict with the Management VPC range.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html
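Added example (not from the question bank or from AWS): a Python check that applies the two tests the explanation relies on, number of subnets available and overlap with the peered management VPC 172.27.1.0/24, to each of the four options.

```python
import ipaddress

# Constructed inputs mirroring the question: the four candidate layouts,
# the number of subnets required (8 private + 1 public) and the management
# VPC this VPC will be peered with.
MANAGEMENT_VPC = ipaddress.ip_network("172.27.1.0/24")
REQUIRED_SUBNETS = 9
OPTIONS = {
    "A": ("172.27.0.0/24", 28),
    "B": ("172.27.0.0/24", 27),
    "C": ("172.27.0.0/23", 27),
    "D": ("172.27.0.0/16", 24),
}


def evaluate(vpc_cidr, subnet_prefix, required=REQUIRED_SUBNETS,
             peer=MANAGEMENT_VPC):
    """Check one layout: enough subnets of the given size, and no overlap
    between the VPC block and the peered management VPC."""
    vpc = ipaddress.ip_network(vpc_cidr)
    if subnet_prefix < vpc.prefixlen:
        raise ValueError("subnet prefix must be at least as long as the VPC's")
    # Each extra prefix bit doubles the number of subnets that fit.
    subnet_count = 2 ** (subnet_prefix - vpc.prefixlen)
    overlaps = vpc.overlaps(peer)
    return {
        "subnets_available": subnet_count,
        "enough_subnets": subnet_count >= required,
        "overlaps_peer": overlaps,
        "valid": subnet_count >= required and not overlaps,
    }


def valid_options(options=OPTIONS):
    """Return the option letters that pass both checks."""
    return sorted(letter for letter, (cidr, prefix) in options.items()
                  if evaluate(cidr, prefix)["valid"])


if __name__ == "__main__":
    for letter, (cidr, prefix) in OPTIONS.items():
        print(letter, cidr, f"/{prefix}", evaluate(cidr, prefix))
    print("valid:", valid_options())  # ['A']
```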
Q509. An international web journal hosted at AWS handles requests for technical
publications. The front-end tier is hosted in a VPC with multiple availability zones,
auto-scaling groups, and cross-zone load balancing. RDS hosts the application
database responsible for indexing and searching the content, and technical
journals are served from S3 buckets. At certain times, specific technical journals
become quite popular, causing viewing delays. What additional components
answers)
indexes
Answer: B,D
Explanation: Lazy loading keeps the cache up to date based only on requests.
This avoids filling up the cache needlessly, but if data is only written to the cache
when there is a cache miss, data in the cache can become stale since there are
no updates to the cache when data is changed in the database. This issue is
addressed by using lazy loading in conjunction with write through, which adds
data or updates data in the cache whenever data is written to the database. You
may also use CloudFront to optimize your caching. By default, CloudFront
doesn't consider headers when caching your objects in edge locations. If your
origin returns two objects and they differ only by the values in the request
headers, CloudFront caches only one version of the object.
Reference:
http://docs.aws.amazon.com/AmazonElastiCache/latest/UserGuide/Strategies.html
Q510. You are running a group of web servers behind a load balancer in a VPC,
and the health check configuration of your target hosts is defined as below:
Healthy threshold 2
Unhealthy threshold 2
Timeout 25
Interval 30
Success codes 200
With this configuration, what is the minimum time taken by the load balancer to
mark a failed instance (not responding) as OutOfService and stop sending traffic
to it?
A. 55 seconds minimum
B. 110 seconds minimum
C. 50 seconds minimum
D. 60 seconds minimum
Answer: A
Explanation: The load balancer sends a request to each registered instance at
the ping port and ping path every Interval seconds. An instance is considered
healthy if it returns a 200 response code within the health check interval. If the
number of consecutive failed health checks exceeds the unhealthy threshold, the
load balancer takes the instance out of service. In this example, the load balancer
sends a health check request every 30 seconds and the timeout is 25 seconds. So
for the failed instance it will take 25 seconds to fail the first health check; the
load balancer will send another request 30 seconds after the previous attempt,
and 25 seconds into that second attempt it will be marked failed and the instance
will be taken out of service. So the correct answer for this question is 55 seconds
at minimum. It could definitely take more than that, for example if the instance
failed in the middle or at the beginning of a health check interval.
Reference:
http://docs.aws.amazon.com/elasticloadbalancing/2012-06-01/APIReference/API_HealthCheck.html
Q511. You are creating a custom Virtual Private Cloud (VPC) which will host a
mix of public and private instances. An EC2 instance has been deployed to one
of the public subnets in this VPC. What are the configurations that have to be
implemented to make this instance accessible from the internet? (Choose 3
answers)
A. Create new record set and custom domain name for the new instance in
Route 53
B. Make sure the instance has a public IP address
C. Edit security group to allow traffic to and from the internet on required ports
D. Attach an Internet gateway to the VPC and add default route to the IGW in
public subnet's route table
Answer: B,C,D
Explanation: Public and private subnets, with the exception of the default VPC,
do not automatically have Internet access enabled. To enable access to or from
the Internet for instances in a VPC subnet, you must do the following:
. Attach an Internet gateway to your VPC.
. Ensure that your subnet's route table points to the Internet gateway.
. Ensure that instances in your subnet have a globally unique IP address (public
IPv4 address, Elastic IP address, or IPv6 address).
. Ensure that your network access control and security group rules allow the
relevant traffic to flow to and from your instance.
Reference:
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Internet_Gateway.html
Q512. You are architecting for a hybrid cloud solution that will require continuous
connectivity between on-premises servers and instances on AWS. You found that
the connectivity between on-premises and AWS does NOT require high
bandwidth for now so you decided to go with resilient VPN connectivity. Which of
the following services are part of establishing resilient VPN connection between
B. Customer gateway
C. VPN connection
D. Direct connect
Answer: A,B,C
Answer: A,B,C
Explanation: A host manager (HM) runs on each Amazon EC2 server instance.
The host manager is responsible for:
. Deploying the application
. Aggregating events and metrics for retrieval via the console, the API, or the
command line
. Generating instance-level events
. Monitoring the application log files for critical errors
. Monitoring the application server
. Patching instance components
. Rotating your application's log files and publishing them to Amazon S3
The host manager reports metrics, errors and events, and server instance status,
which are available via the AWS Management Console, APIs, and CLIs.
Reference:
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.concepts.architecture.html
Q514. You're migrating an existing application to the AWS cloud. The application
will be primarily using EC2 instances. This application needs to be built with the
migrated the application and configured the multi-tiers using the internal Elastic
Load Balancer for serving the traffic. The load balancer hostname is
A. Add a cname record to the existing on-premise DNS server with a value of
example-app.us-east-1.elb.amazonaws.com. Create a public resource record set
using Route 53 with a hostname of applayer.example.com and an alias record to
example-app.us-east-1.elb.amazonaws.com.
B. Create a public resource record set using Route 53 with a hostname of
applayer.example.com and an alias record to
example-app.us-east-1.elb.amazonaws.com
C. Create a private resource record set using Route 53 with a hostname of
applayer.example.com and an alias record to
example-app.us-east-1.elb.amazonaws.com
D. Create an environment variable passed to the EC2 instances using user-data
with the ELB hostname, example-app.us-east-1.elb.amazonaws.com.
Answer: C
Explanation: Route 53 is highly available by design and serves DNS results from
the closest region within AWS. If the application is moved entirely to AWS, then
requests are originated from within the VPC for the application and Route 53 will
be able to serve the internal DNS. A public resource record set is not needed
because in this architecture there is no reason to send the traffic out to the
internet and back in, leaving security holes open.
Q515. Big Brother Bank has been acquiring smaller banks. BBB has a security
requirement that all bank employees are required to log into a central identity
solution, so that when they log on they gain access to central bank resources.
Given that each bank has their own AWS account, and existing application
instances with which to run their bank software, how would BBB connect each
bank's AWS networks to the central VPC, so as to allow each bank to use the
central identity solution?
Each bank runs their VPC in the US-West-1 region, requires a high availability
solution, and regulation does not allow each bank access to the others' resources.
A. Create a Direct Connect connection from each VPC endpoint to the main BBB
VPC.
between VPCs.
C. Create a VPC peering connection with BBB's VPC peered to each branch's
AWS account, ensuring that the peered subnets do not have an overlapping
CIDR block range.
D. Migrate the acquired banks' AWS accounts to the main BBB account using
migration tools such as Import/Export, Snapshot, AMI Copy, and S3 sharing.
Answer: C
Q516. You've created a temporary application that accepts image uploads, stores
them in S3, and records information about the image in RDS. After building this
architecture and accepting images for the duration required, it's time to delete the
CloudFormation template. However, your manager has informed you that for
archival reasons the RDS data needs to be stored and the S3 bucket with the
images needs to remain. Your manager has also instructed you to ensure that
the application can be restored by a CloudFormation template and run next year
during the same period.
Knowing that when a CloudFormation template is deleted, it will remove the
resources it created, what is the best method for achieving the desired goals?
Choose the correct answer:
Answer: A
Explanation: Setting the DeletionPolicy on the S3 bucket will ensure the S3
bucket is not removed. Keeping the S3 bucket and the name of the S3 bucket
ensures it is easy to relaunch the application later with a template. Setting the
RDS DeletionPolicy to snapshot ensures the data can be restored when the
application needs to be run again later. Setting the DeletionPolicy on RDS to
retain would leave the RDS instance running when it would not be used, thus
increasing costs when not required.
Q517. You are excited that your company has just purchased a Direct Connect
link from AWS as everything you now do on AWS should be much faster and
more reliable. Your company is based in Sydney, Australia so obviously the Direct
Connect link to AWS will go into the Asia Pacific (Sydney) region. Your first job
after the new link purchase is to create a multi-region design across the Asia
Pacific (Sydney) region and the US West (N. California) region. You soon discover
that all the infrastructure you deploy in the Asia Pacific (Sydney) region is
extremely fast and reliable, however the infrastructure you deploy in the US
West (N. California) region is much slower and unreliable. Which of the following
would be the best option to make the US West (N. California) region a more
reliable connection?
Choose the correct answer:
A. Create a private virtual interface to the US West region's public end points and
use VPN over the public virtual interface to protect the data.
B. Create a private virtual interface to the Asia Pacific region's public end points
and use VPN over the public virtual interface to protect the data.
C. Create a public virtual interface to the Asia Pacific region's public end points
and use VPN over the public virtual interface to protect the data.
D. Create a public virtual interface to the US West region's public end points and
use VPN over the public virtual interface to protect the data.
Answer: D
Q518. ExamKiller is managing a customer's application which currently includes
a three-tier application configuration. The first tier manages the web instances
and is configured in a public subnet. The second layer is the application layer. As
part of the application code, the application instances upload large amounts of
data to Amazon S3. Currently, the private subnets that the application instances
are running on have a route to a single t2.micro NAT instance. The
application, during peak loads, becomes slow and customer uploads from the
application to S3 are not completing and taking a long time.
Which steps might you take to solve the issue using the most cost efficient
method? Choose the correct answer:
load
D. Launch an additional NAT instance in another subnet and replace one of the
routes in a subnet to the new instance
Answer: B
Explanation: Creating a VPC endpoint will reduce the need for the S3 uploads to
be sent through a NAT instance. It is the most cost efficient method and the most
scalable method as well. The following answers will also get the job done but at
additional costs. NAT instances cannot be autoscaled since the traffic is sent
through the route table: "Increase the NAT instance size; network throughput
increases with an increase in instance size" and "launch an additional NAT
instance in another subnet and replace one of the routes in a subnet to the new
instance."
Q519. You're consulting for a new customer, who is attempting to create a hybrid
network between AWS and their on-premise data centers. Currently, they have
internal databases running on-premise that, due to licensing reasons, cannot be
migrated to AWS. The front end of the application has been migrated to AWS and
uses the DB hostname "db.internalapp.local" to communicate with the
on-premise database servers. Hostnames provide an easy method for updating
IP addresses in event of failover instead of having to update the IP address in the
code. Given the current architecture, what is the best way to configure internal
DNS for this hybrid application? (Choose Two)
Choose the 2 correct answers:
A. Create an EC2 instance DNS server to configure hostnames for internal DNS
records. Create a new Amazon VPC DHCP option set with the internal DNS
server's IP address.
B. Configure the database to have a public-facing IP address and use Route 53
to create a domain name
C. Use an existing on-premise DNS server to configure hostnames for internal
DNS records.
Create a new Amazon VPC DHCP Option Set with the internal DNS server's IP
address.
D. Use an existing on-premise DNS server to configure hostnames for internal
DNS records.
Create a new Amazon VPC route table with the internal DNS server's IP address
Answer: A,C
Explanation: The application is an internal application. Using a public IP address
would cause the application to route externally, which is not part of the desired
architecture. Internal Route 53 record sets would not work since Route 53
internal resource record sets only work for requests originating from within the
Q520. ExamKiller is running an Amazon Redshift cluster with four nodes running
24/7/365 and expects, potentially, to add one on-demand node for one to two
days once during the year. Which architecture would have the lowest possible
A. Purchase 4 reserved nodes and bid on spot instances for the extra node
usage required
B. Purchase 4 reserved nodes and rely on on-demand instances for the fifth node,
if required
C. Purchase 5 reserved nodes to cover all possible node usage during the year
D. Purchase 2 reserved nodes and utilize 3 on-demand nodes only for peak
usage times
Answer: B
Explanation: The fifth node is expected to run, at most, one day. In this situation,
purchasing four reserved nodes will reduce overall costs since four nodes will run
continuously. Relying on on-demand instances for the fifth node is the best
possible cost option in relationship to reserved instances. The problem with spot
instances is that they have no guarantee to run. The question is saying that on a
few days per year, demand might increase to the point that another node is
needed. The only time you can guarantee that the other node would be launched
is if it is on-demand. Remember, with spot instances you "bid" on unused
capacity. Only if your bid is greater than the other bids does it launch, and if your
bid is less than another bid, then AWS will actually take the instance away. Spot
instances are not great for workloads that cannot be interrupted. Using spot
instances versus on-demand will usually lead to cost savings, but we also have
to take into account the scenario outlined in the question. This scenario can't use
spot instances.
{
  "Statement": [
    {
      "Action": [
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:RebootInstances",
        "ec2:TerminateInstances"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:ResourceTag/env": "production"
        }
      },
      "Resource": [
        "arn:aws:ec2:us-east-1:account-id:instance/*"
      ],
      "Effect": "Deny"
    }
  ]
}
Choose the correct answer:
Explanation: The Deny statement applies only to instances that carry the
matching tag value (env = production), blocking start, stop, reboot and terminate
on them. Resource tagging can help prevent instances from being terminated by
accident as well.
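Added example (not from the question bank or from AWS): a small Python evaluator for the Deny statement above, run against constructed sample instances. It models only what this policy uses, action matching, Resource ARN matching with a trailing "*" and a StringEquals condition on ec2:ResourceTag/<key>; the instance IDs are made up and "account-id" is the placeholder from the policy, not a real account.

```python
# The policy from the question, as a Python dict.
POLICY = {
    "Statement": [
        {
            "Action": [
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:RebootInstances",
                "ec2:TerminateInstances",
            ],
            "Condition": {
                "StringEquals": {"ec2:ResourceTag/env": "production"}
            },
            "Resource": ["arn:aws:ec2:us-east-1:account-id:instance/*"],
            "Effect": "Deny",
        }
    ]
}

# Constructed sample instances: ARN plus tags (IDs are made up).
INSTANCES = {
    "prod-web": {
        "arn": "arn:aws:ec2:us-east-1:account-id:instance/i-0prodweb",
        "tags": {"env": "production"},
    },
    "dev-web": {
        "arn": "arn:aws:ec2:us-east-1:account-id:instance/i-0devweb",
        "tags": {"env": "dev"},
    },
    "prod-eu": {  # same tag, other region: outside the Resource ARN pattern
        "arn": "arn:aws:ec2:eu-west-1:account-id:instance/i-0prodeu",
        "tags": {"env": "production"},
    },
}


def arn_matches(pattern, arn):
    """Match an ARN against a pattern with an optional trailing '*'."""
    if pattern.endswith("*"):
        return arn.startswith(pattern[:-1])
    return pattern == arn


def condition_holds(condition, tags):
    """Evaluate StringEquals on ec2:ResourceTag/<key>; a missing tag or an
    unsupported key means the condition is not satisfied."""
    prefix = "ec2:ResourceTag/"
    for key, expected in condition.get("StringEquals", {}).items():
        if not key.startswith(prefix):
            return False
        if tags.get(key[len(prefix):]) != expected:
            return False
    return True


def is_denied(action, instance, policy=POLICY):
    """True if any Deny statement matches the action, resource and tags.
    A False result only means 'not explicitly denied here'; whether the call
    is allowed still depends on the Allow statements in effect."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny" or action not in stmt["Action"]:
            continue
        if not any(arn_matches(p, instance["arn"]) for p in stmt["Resource"]):
            continue
        if condition_holds(stmt.get("Condition", {}), instance["tags"]):
            return True
    return False


if __name__ == "__main__":
    for name, inst in INSTANCES.items():
        for action in ("ec2:TerminateInstances", "ec2:DescribeInstances"):
            print(f"{name:8} {action:24} denied={is_denied(action, inst)}")
```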