
AWS INTERVIEW QUESTIONS

A single account is normally limited to how many EC2 instances?

Overall, you are limited to running a total of 20 On-Demand or Reserved Instances and
requesting 20 Spot Instances per region; certain instance types are further limited per region. If
you need more instances, complete the Amazon EC2 instance limit increase request with your use
case and the increase will be considered. Limit increases apply only to the region they were
requested for. (These are the legacy per-instance limits this document was written against; EC2
On-Demand limits are now expressed as vCPU quotas per instance family and Region, raised
through Service Quotas.)

A user has launched a large EBS-backed EC2 instance in the us-east-1 region (Availability Zone
us-east-1a). The user wants to achieve Disaster Recovery (DR) for that instance by creating
another, smaller instance in Europe. How can the user achieve DR?

To launch an EC2 instance you need an AMI that exists in the target region, because AMIs are
regional. Create an AMI from the instance and copy it to the European region with the copy
command (CopyImage, or aws ec2 copy-image --source-region us-east-1 --source-image-id
<ami-id>); the copy brings the backing EBS snapshots with it, and the smaller instance can then
be launched from the copied AMI. Launch permissions and tags of the source AMI are not copied
and must be re-applied.

Identify a payment option in which the remaining balance will be due in monthly
increments over the term.

You can choose between 3 payment options: All Upfront, Partial Upfront, and No Upfront. If you
choose the Partial or No Upfront payment option, the remaining balance will be due in monthly
increments over the term.

Is there any web-based user interface to access and manage Amazon Web Services?

You can access and manage Amazon Web Services through a simple and intuitive web-based
user interface known as the AWS Management Console.

Identify a true statement about the security group rules for EC2-Classic.

Security group rules have the following characteristics:

 By default, security groups allow all outbound traffic.
 Rules are always permissive; you cannot create rules that deny access. Traffic is blocked only
by the absence of a matching allow rule.
 You can add and remove rules at any time.
 You cannot change the outbound rules for EC2-Classic security groups (in a VPC you can).
 In the Amazon EC2 console you can modify existing rules and copy the rules from an existing
security group to a new security group.
 When you add or remove rules, the changes are applied automatically to all instances
associated with the security group after a short period, depending on connection tracking for
the traffic.
 Security groups are stateful: if you send a request from your instance, the response traffic for
that request is allowed in regardless of inbound rules. For VPC security groups this also means
that responses to allowed inbound traffic are allowed out regardless of outbound rules.

pg. 1
What is the time period with which metric data is sent to CloudWatch when detailed
monitoring is enabled on an Amazon EC2 instance?

By default, Amazon EC2 metric data is automatically sent to CloudWatch in 5-minute periods
(basic monitoring, at no charge). You can enable detailed monitoring on an Amazon EC2
instance, which sends data to CloudWatch in 1-minute periods and is charged.

Is it possible to authorize access from an instance in an EC2 Security Group to an instance
in a DB Security Group?

You can use both the Management Console and the CLI tools in order to allow access from EC2
instances that belong to a particular EC2 Security Group to DB instances that belong to a
specific DB Security Group.

Which of the following services is used to send an alert from CloudWatch?

AWS Auto Scaling and Simple Notification Service (SNS) work in conjunction with CloudWatch.
You use Amazon SNS with CloudWatch to send messages when an alarm threshold has been
reached.

Which of the following processors are the Compute-optimized C3 instances based on?

Amazon EC2 provides a wide selection of instance types optimized to fit different use cases. C3
instances are used for high performance front-end fleets, web-servers, batch processing,
distributed analytics, high performance science and engineering applications, ad serving, MMO
gaming, and video-encoding. These instances are based on high frequency Intel Xeon E5-2680
v2 (Ivy Bridge) processors.

Which of the following Amazon EC2 resources support tagging?

A tag lets you categorize AWS resources, for example by purpose, owner, or environment. Among
EC2 resources, Amazon EBS snapshots support tagging (as do instances, volumes, AMIs and
security groups).

Which of the following is NOT a characteristic of Amazon Elastic Compute Cloud (Amazon EC2)?

Amazon Elastic Compute Cloud (Amazon EC2) provides scalable computing capacity in the
Amazon Web Services (AWS) cloud. Using Amazon EC2 eliminates your need to invest in
hardware up front, so you can develop and deploy applications faster. You can use Amazon EC2
to launch as many or as few virtual servers as you need, configure security and networking, and
manage storage. Amazon EC2 enables you to scale up or down to handle changes in
requirements or spikes in popularity, reducing your need to forecast traffic.

When sending custom data to the CloudWatch metrics, can you send your own metric
name?

A user can publish custom metrics with the SDK, CLI, or API (PutMetricData) and choose his or
her own metric name and namespace instead of using the standard CloudWatch metrics.
CloudWatch provides a default title for any graph that is created; the user can edit the title.

Which of the following is the most accurate definition of the Amazon Machine Images
(AMIs)?

One of the main features of Amazon EC2 is Amazon Machine Images (AMIs), which is a template
that contains a software configuration (for example, an operating system, an application server,
and applications). AMIs contain common software configurations for public use.

Moreover, users can create their custom AMI or AMIs. This ability helps users to quickly and
easily start new instances that have everything they need.

Which of the below mentioned functionalities cannot be performed with the CloudWatch
metrics?

The user cannot delete a metric; CloudWatch expires metric data automatically. When this
document was written the retention period was 14 days; CloudWatch now retains metric data for
15 months, rolling it up to coarser periods as it ages.

In a VPC, ______ controls which destinations the instances associated with a specific
security group can send traffic to.

To enhance security and control how the instances within your VPC can be reached and how they
interact with the outside world, you can define security groups with inbound rules, which control
the incoming traffic that reaches your instances, and outbound rules, which constrain the
destinations of the outgoing traffic generated by your instances. The blank is "outbound rules".

Which of the following does Amazon S3 provide?

Amazon S3 provides Scalable Storage in the Cloud.

Identify a feature of Amazon Simple Storage Service (Amazon S3).

Reduced Redundancy Storage (RRS) is a feature of Amazon S3: customers can store non-critical
data using the RRS option at lower durability and lower cost. (RRS is now a legacy storage class
that AWS no longer recommends.)

Can a bucket owner disable a lifecycle rule of an S3 bucket using S3 API?

By default, a bucket owner has permission to disable a lifecycle rule of an S3 bucket using S3
API. The bucket owner can also grant this permission to others. The bucket owner can disable
the lifecycle rule of the S3 bucket from the S3 console or the AWS SDK.

Select a true statement about versioning objects.

You must explicitly enable versioning on your bucket. By default, versioning is disabled.
Regardless of whether you have enabled versioning or not, each object in your bucket has a
version ID. If you have not enabled versioning, then Amazon S3 sets the version ID value to null.
If you have enabled versioning, Amazon S3 assigns a unique version ID value for the object.
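To make these rules concrete, here is an added example (not Amazon's code and not from the original page) that models a bucket's versioning behaviour: the single "null" version an object has while versioning is off, the unique IDs assigned once versioning is on, and the delete marker that a DELETE without a version ID produces. It uses locally generated IDs in place of S3's format and constructed object data.

```python
"""Toy model of S3 object versioning semantics (added example, not S3 code).

Illustrates: versioning off -> every object has version ID "null" and an
overwrite destroys the previous copy; versioning on -> each PUT gets a
unique version ID, the pre-existing copy keeps the "null" ID, and a DELETE
without a version ID only adds a delete marker. Version IDs are generated
locally and are not S3's format.
"""
import uuid

DELETE_MARKER = object()  # sentinel stored as the body of a delete marker


class Bucket:
    def __init__(self):
        self.versioning = False
        # key -> list of (version_id, body), ordered oldest -> newest
        self._versions = {}

    def enable_versioning(self):
        self.versioning = True

    def put(self, key, body):
        """Store body under key and return the version ID assigned."""
        versions = self._versions.setdefault(key, [])
        if not self.versioning:
            # Unversioned bucket: the single "null" version is replaced in place.
            versions[:] = [v for v in versions if v[0] != "null"]
            versions.append(("null", body))
            return "null"
        vid = uuid.uuid4().hex
        versions.append((vid, body))
        return vid

    def delete(self, key):
        """DELETE without a version ID. Unversioned: the object is gone.
        Versioned: a delete marker becomes the current version."""
        if not self.versioning:
            self._versions.pop(key, None)
            return None
        vid = uuid.uuid4().hex
        self._versions.setdefault(key, []).append((vid, DELETE_MARKER))
        return vid

    def get(self, key, version_id=None):
        """GET the current version, or a specific one. Returns None on 404."""
        versions = self._versions.get(key)
        if not versions:
            return None
        if version_id is None:
            _, body = versions[-1]
        else:
            match = [v for v in versions if v[0] == version_id]
            if not match:
                return None
            _, body = match[0]
        return None if body is DELETE_MARKER else body

    def list_versions(self, key):
        return [vid for vid, _ in self._versions.get(key, [])]


def demo():
    """Walk through the lifecycle described in the text; constructed data."""
    b = Bucket()
    b.put("report.csv", b"v1")
    b.put("report.csv", b"v2")                     # overwrite: v1 is lost
    unversioned_ids = b.list_versions("report.csv")  # ["null"]
    b.enable_versioning()
    v3 = b.put("report.csv", b"v3")                # unique ID; "null" copy survives
    b.delete("report.csv")                         # delete marker, not a deletion
    return {
        "unversioned_ids": unversioned_ids,
        "current_after_delete": b.get("report.csv"),          # None, i.e. 404
        "null_version_body": b.get("report.csv", "null"),     # b"v2"
        "v3_body": b.get("report.csv", v3),                   # b"v3"
        "version_count": len(b.list_versions("report.csv")),  # 3
    }
```

The operational point: once versioning is enabled, an overwrite or an unqualified DELETE never destroys data; earlier versions stay retrievable by version ID until a version-specific delete or a lifecycle rule removes them, which is why versioning (with MFA Delete or Object Lock where it matters) is the usual defence against accidental or malicious deletion.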

Which of the following Amazon Simple Storage Service (Amazon S3) concepts organize
the Amazon S3 namespace at the highest level?

Buckets serve several purposes: they organize the Amazon S3 namespace at the highest level,
they identify the account responsible for storage and data transfer charges, they play a role in
access control, and they serve as the unit of aggregation for usage reporting.

Which one of the following can't be used as an origin server with Amazon CloudFront?

Amazon CloudFront is designed to work with Amazon S3 as your origin server, customers can
also use Amazon CloudFront with origin servers running on Amazon EC2 instances or with any
other custom origin.

Amazon S3 cannot be used for which of the options given below?

Amazon S3 is an object store for files. It does not provide compute or processing capability like
EC2: it can store and serve static files, but it cannot run a database engine or execute
application code against the files it holds.

In Amazon CloudFront, if you have chosen On for Logging, the access logs are stored in:

In Amazon CloudFront, if you chose On for Logging, the logs are stored in the Amazon S3 bucket
that you specified as the log destination. For example:

myawslogbucket.s3.amazonaws.com

If you enable logging, CloudFront records information about each end-user request for an
object and stores the files in the specified Amazon S3 bucket.

What is the maximum size of an object in Amazon S3?

5 TB (terabytes) is the maximum size of a single object in Amazon S3. A single PUT can upload at
most 5 GB; larger objects must be uploaded with the multipart upload API, which is also
recommended for objects above 100 MB.

Where is an object stored in Amazon S3?

Every object in Amazon S3 is stored in a bucket. Before you can store data in Amazon S3, you
must create a bucket.

Just when you thought you knew every possible storage option on AWS you hear
someone mention Reduced Redundancy Storage (RRS) within Amazon S3. What is the
ideal scenario to use Reduced Redundancy Storage (RRS)?

Reduced Redundancy Storage (RRS) is a storage option within Amazon S3 that lets customers
reduce their costs by storing non-critical, reproducible data at lower levels of redundancy than
Amazon S3's standard storage. RRS is a lower-cost, less durable, highly available option designed
to sustain the loss of data in a single facility, so it is suited only to data that is non-critical or
can be regenerated.

For example, RRS is a cost-effective solution for sharing media content that is durably stored
elsewhere. RRS also makes sense for thumbnails and other resized images that can be easily
reproduced from an original image. (RRS is now a legacy storage class that AWS no longer
recommends; S3 Standard or S3 One Zone-IA cover these use cases today.)

What is a "Key" for an Amazon S3 object?

An object is a fundamental entity of the AWS S3. An object has metadata in addition to the data
of the file. Each object inside the bucket has exactly one key, which is a unique identifier of the
object. An object is uniquely identified with the bucket, key, and version ID.

Which of the following statements is true?

A user can configure an S3 bucket to host a static website. S3 serves only static content; it
cannot execute server-side code, so dynamic content must be generated elsewhere.

What does AWS S3 offer as a business service?

Amazon S3 has a simple web services interface that you can use to store and retrieve any
amount of data, at any time, from anywhere on the web.

What does Amazon S3 stand for?

Amazon Simple Storage Service (Amazon S3) is storage for the Internet. It provides a simple
interface to manage scalable, reliable, and low latency data storage service over the Internet.

A user has created a snapshot of an EBS volume. Which of the below mentioned
usage cases is not possible with respect to a snapshot?

EBS snapshots are a point-in-time backup of the volume. They are useful for moving a volume to
another AZ (by creating a new volume from the snapshot in that AZ) or for launching a new
instance. When creating a volume from a snapshot the user can increase its size but cannot make
it smaller than the original snapshot size.

Which service runs under the Local System user account and is started when the instance
is booted?

The EC2Config service (on Windows instances up to Windows Server 2012 R2; Windows Server
2016 and later use EC2Launch) runs under the Local System account and is started when the
instance boots. It performs tasks during initial instance startup and each time you stop and start
the instance.

An organization wants to move to Cloud. They are looking for a secure encrypted
database storage option. Which of the below mentioned AWS functionalities helps them
to achieve this?

Amazon EBS supports encrypting a volume when it is created. Encrypted volumes can also be
created from snapshots of encrypted volumes, and an unencrypted snapshot can be encrypted
while it is copied. Data at rest, the I/O between the instance and the volume, and all snapshots
of the volume are encrypted. The encryption is performed on the servers that host the EC2
instances, using data keys protected by an AWS KMS key, and is based on the AES-256 algorithm.
(For a managed database, Amazon RDS also offers encryption at rest with KMS keys.)

A user is creating a snapshot of an EBS volume. Which of the below statements
is incorrect in relation to the creation of an EBS snapshot?

The EBS snapshots are a point in time backup of the EBS volume. It is an incremental snapshot,
but is always specific to the region and never specific to a single AZ.
Hence the statement "It is stored in the same AZ as the volume" is incorrect.

By default, when an EBS volume is attached to a Windows instance, it may show up as any
drive letter on the instance. You can change the settings of the _____ to set the drive
letters of the EBS volumes as per your specifications.

You can change the Ec2Config service to set the drive letters used to represent the EBS volumes
attached to your Windows instances.

When attaching an EBS volume to a Windows instance, the root drive is initialized and
mounted as ______.

When attaching an EBS volume to a Windows instance, the root drive is initialized and mounted
as c:\.

In the 'Detailed' monitoring data available for your Amazon EBS volumes, Provisioned
IOPS volumes automatically send _____ minute metrics to Amazon CloudWatch.

In the 'Detailed' monitoring data available for your Amazon EBS volumes, Provisioned IOPS
volumes automatically send 1 minute metrics to Amazon CloudWatch.

In Amazon EC2, which of the following is the type of monitoring data for Amazon EBS
volumes that is available automatically in 5-minute periods at no charge?

Basic monitoring is the type of monitoring data for Amazon EBS volumes that is available
automatically in 5-minute periods at no charge.

When a user is accessing an EBS for the first time there can be a huge reduction in the
I/O. How can the user avoid this?

On a volume restored from a snapshot there is a 5 to 50 percent reduction in IOPS the first time
each block is read, because the block is fetched from S3 on demand. The user can avoid this
performance hit by initializing (pre-warming) the volume, that is, reading every block in advance
(for example with dd or fio), or by enabling Fast Snapshot Restore on the snapshot. Newly created,
empty EBS volumes no longer require initialization.

Before a user deletes an EBS volume, what can be done if he wants to recreate the volume
later?

Before you delete an EBS volume, you can store a snapshot of the volume to recreate it later.

What's the command-line instruction to shut down an EC2 instance?

ec2-terminate-instances (from the legacy EC2 API command-line tools; the equivalent AWS CLI
command is aws ec2 terminate-instances) shuts down and terminates one or more instances. This
operation is idempotent; if you terminate an instance more than once, each call succeeds.
Terminated instances remain visible for approximately one hour after termination. By default,
Amazon EC2 deletes all Amazon EBS volumes that were attached when the instance launched
(their DeleteOnTermination attribute defaults to true); volumes attached after instance launch
persist. Termination is irreversible; to shut an instance down while keeping it, stop it instead
(ec2-stop-instances / aws ec2 stop-instances).

Upon completing some major infrastructure for a website, you now need to start thinking
about the best option for the content delivery. The site will have frequently accessed
static content that may benefit from edge delivery—like popular website images, videos,
media files or software downloads. What do you think would be the best option for this
type of content?

Amazon CloudFront is a web service that gives businesses and web application developers an
easy and cost effective way to distribute content with low latency and high data transfer speeds.

Amazon CloudFront is a good choice for distribution of frequently accessed static content that
benefits from edge delivery—like popular website images, videos, media files, or software
downloads. Amazon S3 will continue to be the solution of choice for delivering content where
individual files are only accessed infrequently, as you will save the costs of copying less popular
files from Amazon S3 to the edge locations used by Amazon CloudFront.

A user has attached an EBS volume created from an existing snapshot to a running
instance. The volume is not mounted on the instance yet. If the user takes a snapshot of
the attached volume, what will happen?

When a user creates an EBS volume from a snapshot it will have all the contents of the original
volume. When the volume is attached but not mounted the user cannot write on that volume. In
this case when the user takes a snapshot it will succeed, but will have only the original contents
of the volume since the data may not have been modified.

True or False: In the Gateway-cached volume restoration, you can restore an Amazon EBS
snapshot to a gateway storage volume if you need to recover a backup of your data.

In AWS Storage Gateway, you can restore an Amazon EBS snapshot to a gateway storage
volume if you need to recover a backup of your data. Alternatively, for snapshots up to 16 TiB in
size, you can use the snapshot as a starting point for a new Amazon EBS volume. You can then
attach this new Amazon EBS volume to an Amazon EC2 instance.

By default, what happens to an EBS volume that is attached to a running instance when
the instance is terminated?

By default, the root EBS volume (and any other EBS volume defined in the launch block device
mapping) is deleted when the instance terminates, because its DeleteOnTermination attribute
defaults to true. EBS volumes attached to the running instance after launch have
DeleteOnTermination set to false by default, so they detach with their data intact. The attribute
can be changed per volume (for example with modify-instance-attribute) to preserve the root
volume after termination.

A user has launched 5 instances in EC2-CLASSIC and attached 5 elastic IPs to the five
different instances in the US East region. The user is creating a VPC in the same region.
The user wants to assign an elastic IP to the VPC instance. How can the user achieve this?

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user
can create a subnet within the VPC and launch instances inside that subnet. A user can have 5
Elastic IP addresses per region for EC2-Classic and a separate 5 for VPC in the same region,
since VPC has its own limit. The user therefore allocates a new EIP in the VPC scope and
associates it with the VPC instance.

A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a
public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the
VPN gateway (vgw-12345) to connect to the user’s data centre. The user’s data centre has
CIDR 172.28.0.0/12. The user has also setup a NAT instance (i-123456) to allow traffic to
the internet from the VPN subnet. Which of the below mentioned options is not a valid
entry for the main route table in this scenario?

The user can create subnets as per the requirement within a VPC. If the user wants to connect
VPC from his own data centre, he can setup a public and VPN only subnet which uses hardware
VPN access to connect with his data centre. When the user has configured this setup with
Wizard, it will create a virtual private gateway to route all traffic of the VPN subnet. If the user
has setup a NAT instance to route all the internet requests then all requests to the internet
should be routed to it. All requests to the organization’s DC will be routed to the VPN gateway.
Here are the valid entries for the main route table in this scenario:

 Destination: 0.0.0.0/0 & Target: i-123456 (To route all internet traffic to the NAT Instance)

 Destination: 172.28.0.0/12 & Target: vgw-12345 (To route all the organization’s data
centre traffic to the VPN gateway)

 Destination: 20.0.0.0/16 & Target: local (To allow local routing in VPC)

An organization is planning to host an application on the AWS VPC. The organization
wants dedicated instances. However, an AWS consultant advised the organization not to
use dedicated instances with VPC as the design has a few limitations. Which of the below
mentioned statements is not a limitation of dedicated instances with VPC?

The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking
environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user
has complete control over the virtual networking environment. Dedicated instances are Amazon
EC2 instances that run in a Virtual Private Cloud (VPC) on hardware that is dedicated to a single
customer. The client’s dedicated instances are physically isolated at the host hardware level
from instances that are not dedicated instances as well as from instances that belong to other
AWS accounts.

All instances launched with the dedicated tenancy model of a VPC will always be dedicated
instances. Dedicated tenancy has the limitation that it may not support a few services, such as
RDS, and EBS volumes are not on dedicated hardware. However, the user can save cost and
reserve capacity by using the Reserved Instance model with dedicated tenancy.

With respect to a VPC security group, select the correct statement.

Every VPC comes with a default security group, to which newly launched instances are associated
if no other security group is specified for them. The default security group allows no inbound
traffic except from other instances in the same security group, and allows all outbound traffic.

When attaching an ENI to an instance, what does "cold attach" refer to?

When attaching an ENI to an instance, "cold attach" refers to attaching an ENI to an instance
during the launch process.

A user has setup a VPC with CIDR 20.0.0.0/16. The VPC has a private subnet (20.0.1.0/24)
and a public subnet (20.0.0.0/24). The user’s data centre has CIDR of 20.0.54.0/24 and
20.1.0.0/24. If the private subnet wants to communicate with the data centre, what will
happen?

VPC allows the user to set up a connection between the VPC and a corporate or home network
data centre. If an IP prefix in the VPC overlaps with one of the on-premises network's prefixes,
traffic destined for that prefix is dropped, because it matches the VPC's local route and never
leaves the VPC. Here 20.0.54.0/24 falls inside the VPC's CIDR range 20.0.0.0/16, so traffic to it
will not reach the data centre. 20.1.0.0/24 does not fall in the VPC's CIDR range, so traffic to it
will be allowed once a route for that prefix points at the virtual private gateway.

In the context of adding a hardware virtual private gateway to your VPC, identify a true
statement.

By default, instances that you launch into a virtual private cloud (VPC) can't communicate with
your own network.

The MySecureData Company has five branches across the globe. They want to expand
their data centers such that their web server will be in the AWS and each branch would
have their own database in the local data center. Based on the user login, the company
wants to connect to the data center. How can MySecureData Company implement this
scenario with the AWS VPC?

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user
can create subnets as per the requirement within a VPC. If the user wants to connect VPC from
his own data centre, he can setup a public and VPN only subnet which uses hardware VPN
access to connect with his data centre. If the organization has multiple VPN connections, he can
provide secure communication between sites using the AWS VPN CloudHub.

The VPN CloudHub operates on a simple hub-and-spoke model that the user can use with or
without a VPC. This design is suitable for customers with multiple branch offices and existing
internet connections who would like to implement a convenient, potentially low-cost hub-and-
spoke model for primary or backup connectivity between remote offices.

An organization has hosted a web application which allows traffic on port 80 from all the
IPs. The organization has attached the same security group to multiple instances (almost
50) running in the same VPC but different subnets. The organization is planning to use
one of these 50 instances for testing an application running on port 8080. How can the
organization setup this case so that it does not affect the security of all the instances?

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables
the user to launch AWS resources into a virtual network that the user has defined. An Elastic
Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a
VPC.

Unlike EC2-CLASSIC, the ENI allows the user to change the security group of a running instance.
Thus, in the present scenario when the organization wants to have a separate security group for
one of the instances, it should change the security group of that ENI.

In Amazon VPC, what is the expiry time for an unaccepted VPC peering connection
request?

In Amazon VPC, an unaccepted VPC peering connection request expires after 1 week (168 hours);
the request then moves to the expired state and a new request must be created.

If you want to use two VPN tunnels for your VPN connection to connect your network to
a VPC, how should it be configured?

If you want to use two VPN tunnels for your VPN connection to connect your network to a VPC,
each tunnel should use a unique virtual private gateway public IP address.

A user has created a VPC with public and private subnets using the VPC wizard. Which of
the below mentioned statements is true in this scenario?

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user
can create subnets within a VPC and launch instances inside them. With a public and a private
subnet, the instances in the public subnet can receive inbound traffic directly from the internet,
whereas the instances in the private subnet cannot. When these subnets are created with the
wizard, AWS launches a NAT instance (of the size selected in the wizard) in the public subnet so
that the private subnet can reach the internet; current versions of the wizard create a NAT
gateway instead. The VPC has an implied router; the wizard updates the main route table, which
the private subnet uses, and creates a custom route table that it associates with the public
subnet.

By default, all AWS accounts are limited to ____ EIPs, because public (IPv4) Internet
addresses are a scarce public resource.

An Elastic IP address (EIP) is a static IP address designed for dynamic cloud computing. With an
EIP, you can mask the failure of an instance by rapidly remapping the address to another
instance. By default, all AWS accounts are limited to 5 EIPs per region, because public (IPv4)
Internet addresses are a scarce public resource.

While networking in VPC, how many additional DHCP options sets can be created?

You can create additional DHCP options sets up to the per-Region service quota, but only one
options set can be associated with a VPC at a time, and an options set cannot be modified after
creation; to change options you create a new set and associate it with the VPC.

A user has created a VPC with the public and private subnets using the VPC wizard. The
VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning
to host a web server in the public subnet (port 80) and a DB server in the private subnet
(port 3306). The user is configuring a security group for the public subnet (WebSecGrp)

and the private subnet (DBSecGrp). Which of the below mentioned entries is required in
the private subnet database security group (DBSecGrp)?

A user can create subnets within a VPC and launch instances inside them. With the web server in
the public subnet and the DB server in the private subnet, the instances in the private subnet
must accept inbound traffic from the web tier on the database port only. Thus DBSecGrp needs an
inbound rule for TCP port 3306 with the source set to the web server's security group (WebSecGrp)
rather than a CIDR, so that only instances carrying WebSecGrp can reach the database. For
outbound, DBSecGrp needs TCP ports 80 and 443 to destination 0.0.0.0/0 so the DB server can
fetch updates through the NAT instance that the private subnet's route table points to.
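The security-group semantics described earlier (allow-only rules, group-ID sources, the members-only default group, and changing the groups on a single instance's ENI) and the WebSecGrp/DBSecGrp design above can be checked with a small model. The following is an added example written for this page, not AWS code; the group IDs, instance addresses and the 20.0.2.0/24 private subnet range are constructed, since the page does not give them.

```python
"""Security-group evaluation model (added example, not AWS code).

Encodes the behaviour the page describes: rules are allow-only, a rule's
source can be another security group, the default group admits only its
own members, and groups are attached per ENI so one instance can get an
extra group without touching the others. All IDs and addresses are made up.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp" or "-1" for all protocols
    from_port: int
    to_port: int
    source: str     # CIDR such as "0.0.0.0/0", or a security-group ID "sg-..."


@dataclass
class SecurityGroup:
    group_id: str
    inbound: list = field(default_factory=list)
    # Outbound rules are kept for completeness; the checks below are inbound.
    outbound: list = field(default_factory=list)


@dataclass
class Instance:
    name: str
    private_ip: str
    groups: list    # security-group IDs attached to the instance's ENI


def _matches(rule, protocol, port, src_ip, src_groups):
    """One rule against one flow. A group-ID source matches when the sender's
    ENI carries that group, regardless of the sender's IP address."""
    if rule.protocol != "-1" and rule.protocol != protocol:
        return False
    if rule.protocol != "-1" and not (rule.from_port <= port <= rule.to_port):
        return False
    if rule.source.startswith("sg-"):
        return rule.source in src_groups
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.source)


def inbound_allowed(dst, src, protocol, port, groups):
    """True if any inbound rule on any group attached to dst permits the flow.
    Security groups have no deny rules: the only way to block traffic is to
    have no matching allow rule."""
    return any(
        _matches(rule, protocol, port, src.private_ip, src.groups)
        for gid in dst.groups
        for rule in groups[gid].inbound
    )


def build_scenario():
    """Groups and instances for the web/DB scenario, plus the default group
    and one test instance that gets its own extra group for port 8080."""
    web = SecurityGroup("sg-web00001",
                        inbound=[Rule("tcp", 80, 80, "0.0.0.0/0")],
                        outbound=[Rule("-1", 0, 65535, "0.0.0.0/0")])
    db = SecurityGroup("sg-db000001",
                       inbound=[Rule("tcp", 3306, 3306, "sg-web00001")],  # web tier only
                       outbound=[Rule("tcp", 80, 80, "0.0.0.0/0"),        # patches via NAT
                                 Rule("tcp", 443, 443, "0.0.0.0/0")])
    default = SecurityGroup("sg-default01",
                            inbound=[Rule("-1", 0, 65535, "sg-default01")],  # members only
                            outbound=[Rule("-1", 0, 65535, "0.0.0.0/0")])
    test = SecurityGroup("sg-test00001",
                         inbound=[Rule("tcp", 8080, 8080, "0.0.0.0/0")])
    groups = {g.group_id: g for g in (web, db, default, test)}
    instances = {
        "web": Instance("web", "20.0.1.10", ["sg-web00001"]),
        # the one instance used for testing: same web group plus the 8080 group
        "web-test": Instance("web-test", "20.0.1.11", ["sg-web00001", "sg-test00001"]),
        "db": Instance("db", "20.0.2.20", ["sg-db000001"]),
        "other": Instance("other", "20.0.2.30", ["sg-default01"]),
        "other2": Instance("other2", "20.0.2.31", ["sg-default01"]),
        "internet": Instance("internet", "203.0.113.7", []),   # TEST-NET-3 host
    }
    return groups, instances
```

Because the DB rule references WebSecGrp by ID, a rogue instance in the private subnet (here "other") cannot reach port 3306 even though its address sits in the same VPC, and attaching the extra group to one ENI opens 8080 on that instance only; the remaining web instances are unchanged.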

Automated backup of an Amazon RDS occurs during a daily user-configurable period of
time known as the preferred _____ .

The backup window is a specific (user defined) period of time in which the backup of your DB
instances is performed.

Can Amazon RDS manage synchronous data replication across Availability Zones?

Amazon RDS manages synchronous data replication across Availability Zones and automatic
failover.

Should Read Replicas use the same lower_case_table_names parameter value as the
master DB instance?

The lower_case_table_names parameter should be set as part of a custom DB parameter group
before creating a DB instance. You should avoid changing the lower_case_table_names
parameter for existing database instances because doing so could cause inconsistencies with
point-in-time recovery backups and Read Replica DB instances. Read Replicas should always use
the same lower_case_table_names parameter value as the master DB instance.

What are the two types of licensing options available for using Amazon RDS for Oracle?

BYOL and License Included service models are the two types of licensing options available for
using Amazon RDS for Oracle.

You are building infrastructure for a data warehousing solution and an extra request has
come through that there will be a lot of business reporting queries running all the time
and you are not sure if your current DB instance will be able to handle it. What would be
the best solution for this?

Read Replicas make it easy to take advantage of MySQL’s built-in replication functionality to
elastically scale out beyond the capacity constraints of a single DB Instance for read-heavy
database workloads.

There are a variety of scenarios where deploying one or more Read Replicas for a given source
DB Instance may make sense. Common reasons for deploying a Read Replica include:

 Scaling beyond the compute or I/O capacity of a single DB Instance for read-heavy
database workloads. This excess read traffic can be directed to one or more Read
Replicas.

 Serving read traffic while the source DB Instance is unavailable. If your source DB
Instance cannot take I/O requests (e.g. due to I/O suspension for backups or scheduled
maintenance), you can direct read traffic to your Read Replica(s). For this use case, keep
in mind that the data on the Read Replica may be “stale” since the source DB Instance is
unavailable.

 Business reporting or data warehousing scenarios; you may want business reporting
queries to run against a Read Replica, rather than your primary, production DB Instance.

Typically, you want your application to check whether a request generated an error
before you spend any time processing results. The easiest way to find out if an error
occurred is to look for a(an) ______ in the response from the Amazon RDS API.

XPath syntax provides a simple way to search for the presence of an Error node, as well as an
easy way to retrieve the error code and message. Typically, you want your application to check
whether a request generated an error before you spend any time processing results. The easiest
way to find out if an error occurred is to look for an Error node in the response from the
Amazon RDS API.
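As an added example (not from the page or the AWS SDKs), here is the check described above written against two constructed responses shaped like the RDS Query API's XML: an ErrorResponse carrying an Error node with Code and Message, and a normal DescribeDBInstances result. The request IDs and the instance name are made up.

```python
"""Check an Amazon RDS Query-API (XML) response for an Error node.

Added example, not from the page or the AWS SDKs. Both XML documents are
constructed to match the shape of RDS Query-API responses; request IDs
and the instance identifier are invented.
"""
import xml.etree.ElementTree as ET

ERROR_RESPONSE = """<?xml version="1.0"?>
<ErrorResponse xmlns="http://rds.amazonaws.com/doc/2014-10-31/">
  <Error>
    <Type>Sender</Type>
    <Code>DBInstanceNotFound</Code>
    <Message>DBInstance mydb not found.</Message>
  </Error>
  <RequestId>7a8c6d8e-0000-4000-8000-000000000000</RequestId>
</ErrorResponse>
"""

SUCCESS_RESPONSE = """<?xml version="1.0"?>
<DescribeDBInstancesResponse xmlns="http://rds.amazonaws.com/doc/2014-10-31/">
  <DescribeDBInstancesResult>
    <DBInstances>
      <DBInstance>
        <DBInstanceIdentifier>mydb</DBInstanceIdentifier>
        <DBInstanceStatus>available</DBInstanceStatus>
      </DBInstance>
    </DBInstances>
  </DescribeDBInstancesResult>
  <ResponseMetadata>
    <RequestId>2b1d4c6e-0000-4000-8000-000000000000</RequestId>
  </ResponseMetadata>
</DescribeDBInstancesResponse>
"""


def find_error(xml_text):
    """Return (code, message) if the response carries an Error node, else None.
    The {*} wildcard matches any namespace, so the check survives a change
    of API version in the xmlns string."""
    root = ET.fromstring(xml_text)
    err = root.find(".//{*}Error")
    if err is None:
        return None
    code = err.findtext("{*}Code", default="")
    message = err.findtext("{*}Message", default="")
    return code, message


def db_instance_status(xml_text):
    """Read the result only after the error check has passed."""
    error = find_error(xml_text)
    if error is not None:
        raise RuntimeError("RDS API error %s: %s" % error)
    root = ET.fromstring(xml_text)
    return root.findtext(".//{*}DBInstanceStatus")


if __name__ == "__main__":
    print(find_error(ERROR_RESPONSE))       # ('DBInstanceNotFound', 'DBInstance mydb not found.')
    print(find_error(SUCCESS_RESPONSE))     # None
    print(db_instance_status(SUCCESS_RESPONSE))  # available
```

Checking for the Error node before touching the result elements is what stops a script from silently treating an empty or absent result as "no instances"; the same pattern applies to any AWS Query-API service that returns XML.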

Is it possible to terminate a DB instance at any time?

You can delete a DB instance in any state and at any time. To delete a DB instance, you must
specify the name of the instance and specify if you want to have a final DB snapshot taken of
the instance.

You can check the RDS events to see if your storage space is exhausted using the _____
action.

You can receive notifications when your storage space is exhausted using the DescribeEvents
action.

Disabling the automated backups of your RDS instances will:

You may want to temporarily disable automated backups in certain situations, for example,
while loading large amounts of data. Amazon highly discourages disabling automated backups
because it disables point-in-time recovery. If you disable and then re-enable automated
backups, you are only able to restore starting from the time you re-enabled automated backups.

You think one of your DB instances has failed and consequently Amazon RDS has automatically
switched to a standby replica in another Availability Zone as you have Multi-AZ
enabled. However, you are not 100% sure that this has happened.

How can you determine if your Multi-AZ DB instance has failed?

There are several ways to determine if your Multi-AZ DB instance has failed over:

 DB event subscriptions can be setup to notify you via email or SMS that a failover has
been initiated.

 You can view your DB events via the Amazon RDS console or APIs.

 You can view the current state of your Multi-AZ deployment via the Amazon RDS
console and APIs.

In Amazon RDS, a _____ controls network access to a DB instance that is not inside a VPC.
By default, network access is turned off to a DB instance.

A DB security group controls network access to a DB instance that is not inside a VPC. By
default, network access is turned off to a DB instance.

A system admin is planning to setup event notifications on RDS. Which of the below
mentioned services will help the admin setup notifications?

Amazon RDS uses the Amazon Simple Notification Service to provide a notification when an
Amazon RDS event occurs. These notifications can be in any notification form supported by
Amazon SNS for an AWS region, such as an email, a text message or a call to an HTTP endpoint.

When running my DB Instance as a Multi-AZ deployment, can I use the standby for read
or write operations?

When running your DB instance as a Multi-AZ deployment, you can't use the standby for read or
write operations.

Automated backups created during the backup window are retained for a user-
configurable number of days. The user-configurable days are known as _____.

Automated backups created during the backup window are retained for a user-configurable
number of days. The user-configurable days are known as backup retention period.

If I create a snapshot of the DB before deleting it, will that incur additional storage
charges?

Creating a DB snapshot creates a backup of your DB instance. Creating this backup on a Single-
AZ DB instance results in a brief I/O suspension that typically lasts no more than a few
minutes. Multi-AZ DB instances are not affected by this I/O suspension since the backup is taken
on the standby.

True or false: In DynamoDB, you can define any number of global secondary indexes per
table.

In DynamoDB, you can define up to five local secondary indexes and five global secondary
indexes per table.

True or false: For an online game, it is better to use DynamoDB than a relational database
engine.

This is true. An online game might start out with only a few thousand users and a light database
workload consisting of 10 writes per second and 50 reads per second. However, if the game
becomes successful, it may rapidly grow to millions of users and generate tens (or even
hundreds) of thousands of writes and reads per second. It may also create terabytes or more of
data per day. Developing your applications against Amazon DynamoDB enables you to start
small and simply dial-up your request capacity for a table as your requirements scale, without
incurring downtime. Amazon DynamoDB gives you the peace of mind that your database is fully
managed and can grow with your application requirements.

In Amazon CloudSearch, can a DynamoDB table be specified as a source when
configuring indexing options through the console or command line tools?

You can specify a DynamoDB table as a source when configuring indexing options or uploading
data to a search domain through the console or command line tools. This enables you to quickly
set up a search domain to experiment with searching data stored in DynamoDB database tables.

To add more alarms to your table, in DynamoDB you need to click _____________.

To add more alarms to your table, in DynamoDB you need to click the Alarm Setup tab.

Which of the following is NOT true of the DynamoDB Console?

The DynamoDB Console lets you do the following: Create, update, and delete tables. The
throughput calculator provides you with estimates of how many capacity units you will need to
request based on the usage information you provide. View items stored in a table; add, update,
and delete items. Query a table. Set up alarms to monitor your table's capacity usage. View your
table's top monitoring metrics on real-time graphs from CloudWatch. View alarms configured
for each table and create custom alarms.

You have just been given a scope for a new client who has an enormous amount of data
(petabytes) that he constantly needs analyzed. Currently he is paying a huge amount of
money for a data warehousing company to do this for him and is wondering if AWS can
provide a cheaper solution. Do you think AWS has a solution for this?

Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse service that makes it
simple and cost-effective to efficiently analyze all your data using your existing business
intelligence tools. You can start small for just $0.25 per hour with no commitments or upfront
costs and scale to a petabyte or more for $1,000 per terabyte per year, less than a tenth of most
other data warehousing solutions.

Amazon Redshift delivers fast query performance by using columnar storage technology to
improve I/O efficiency and parallelizing queries across multiple nodes. Redshift uses standard
PostgreSQL JDBC and ODBC drivers, allowing you to use a wide range of familiar SQL clients.

Data load speed scales linearly with cluster size, with integrations to Amazon S3, Amazon
DynamoDB, Amazon Elastic MapReduce, Amazon Kinesis or any SSH-enabled host.

In order for a table write to succeed, the provisioned throughput settings for the table
and global secondary indexes, in DynamoDB, must have __________; otherwise, the write to
the table will be throttled.

In order for a table write to succeed in DynamoDB, the provisioned throughput settings for the
table and global secondary indexes must have enough write capacity to accommodate the write;
otherwise, the write will be throttled.

In regard to DynamoDB, can I delete local secondary indexes?

In DynamoDB, an index cannot be modified once it is created.

In DynamoDB, the default table size is:

DynamoDB has seamless scalability with no table size limits and unlimited storage, so you
don't need to worry about managing storage on the host or provisioning more drives as your
data requirements change.

Which of the following solutions is not supported by DynamoDB:

In DynamoDB, a secondary index is a data structure that contains a subset of attributes from a
table, along with an alternate key to support Query operations. DynamoDB supports the
following two types of secondary indexes:

- Local secondary index is an index that has the same hash key as the table, but a different
range key. A local secondary index is "local" in the sense that every partition of a local
secondary index is scoped to a table partition that has the same hash key.

- Global secondary index is an index with a hash and range key that can be different from
those on the table. A global secondary index is considered "global" because queries on
the index can span all of the data in a table, across all partitions.

True or False: In DynamoDB, Scan operations are always eventually consistent.

In DynamoDB, Scan operations are always eventually consistent.

In DynamoDB, which of the following conditions is NOT required for every local
secondary index?

In DynamoDB, you can have as many attributes as you want, and it is not mandatory that they
be part of a secondary index.

In DynamoDB, which of the following allows you to set alarms when you reach a specified
threshold for a metric?

CloudWatch allows you to set alarms when you reach a specified threshold for a metric.

______________ pricing offers significant savings over the normal price of DynamoDB
provisioned throughput capacity.

Reserved Capacity pricing offers significant savings over the normal price of DynamoDB
provisioned throughput capacity. When you buy Reserved Capacity, you pay a one-time upfront
fee and commit to paying for a minimum usage level, at the hourly rates indicated above, for
the duration of the Reserved Capacity term.

To analyze performance metrics of Amazon DynamoDB by using _______.

Amazon DynamoDB and Amazon CloudWatch are integrated, so you can gather and analyze
performance metrics. You can monitor these metrics using the CloudWatch console,
CloudWatch's own command-line interface, or programmatically using the CloudWatch API.

In Amazon RDS, a _____ controls network access to a DB instance that is not inside a VPC.
By default, network access is turned off to a DB instance.

A DB security group controls network access to a DB instance that is not inside a VPC. By
default, network access is turned off to a DB instance.

Currently, ______ is the only service to support the use of server certificates with IAM.

Server Certificates allow you to further protect your requests using a public-key cryptographic
algorithm. Currently, ELB (Elastic Load Balancing) is the only AWS service that supports the use
of server certificates with IAM.

When using IAM, what is the maximum number of groups allowed per AWS account?

Currently, an AWS account can manage a maximum of 100 user groups within IAM.

What is MFA-protected API access?

MFA-protected API access provides an extra layer of security for your AWS resources by requiring
MFA authentication from every user that wants to interact with your resources through the API.
Nevertheless, this feature can only be enabled for non-federated IAM users other than the root
account.

The possible values of the Effect element included within the statements of an IAM policy
are ______.

The Effect element included within the statement of an IAM policy can have only two values:
"Allow" and "Deny."

Which of the following is NOT an option to set a password policy in an IAM?

You can set a password policy on your AWS account to specify complexity requirements and
mandatory rotation periods for your IAM users' passwords. The following list describes the
options that are available when you configure a password policy for your account: the minimum
length must be a number from 6 to 128, it can require at least one uppercase letter, and it can
require at least one non-alphanumeric character.

Which of the following statements is true of IAM?

IAM uses a few different identifiers for users, groups, roles, policies, and server certificates. Your
AWS account ID is the same as your account number, but without hyphens.

What is AWS MFA?

AWS MFA is AWS Multi Factor Authentication.

An IAM policy document includes: an optional policy-wide information block as well as
one or more individual ______.

IAM policies are formatted as JSON documents that include: an optional policy-wide
information block as well as one or more individual statements

Identify a true statement about the virtual multi-factor authentication (MFA) device.

Make a secure backup of the QR code or secret configuration key, or make sure that you enable
multiple virtual MFA devices for your account. If the virtual MFA device is unavailable (for
example, if you lose the smartphone where the virtual MFA device is hosted), you will not be
able to sign in to your account and you will have to contact customer service to remove MFA
protection for the account.

Can you use the AWS Identity and Access Management (IAM) to assign permissions that
determine who is allowed to manage RDS resources?

Use AWS Identity and Access Management (IAM) policies to assign permissions that determine
who is allowed to manage RDS resources. For example, you can use IAM to determine who is
allowed to create, describe, modify, and delete DB instances, tag resources, or modify DB
security groups.

If an IAM policy has multiple conditions, or if a condition has multiple keys, its boolean
outcome will be calculated using a logical ______ operation.

If there are multiple condition operators, or if there are multiple keys attached to a single
condition operator, the conditions are evaluated using a logical AND.

The Version element of an AWS IAM policy specifies the ______ version.

The Version element of an IAM policy specifies the Access Policy Language version used to
formulate the policy. If not included, it defaults to "2008-10-17".

If an access key is deleted in IAM, can it be retrieved?

For security reasons, an IAM user's access key cannot be retrieved after being deleted.

Query API returns sensitive information such as security credentials. Hence, you must use
______ for all your API requests.

HTTPS communications are preferred when using IAM's Query API. Because the Query API
returns sensitive information such as security credentials, you must use HTTPS with all API
requests.

Which of the following is a correct statement about AWS Identity and Access
Management?

Even though temporary security credentials are the best solution when trying to grant access to
your AWS resources to trusted users for a specific amount of time, currently they are not
supported by some AWS services.

Which of the following occurs when you change a user's name or path in IAM?

When you change a user's name or path in IAM, the user's policies and group memberships stay
the same under the new name, and the user's unique ID remains unchanged.

Identify a true statement about the Sid element.

Among the elements that can be added to an IAM policy statement, there is an optional
element, namely the Sid, that can be included to provide an identifier for a statement inside of a
policy. This Sid can't, however, be used to retrieve a particular statement of a policy and is
currently not exposed through the IAM API.

What should an IAM policy structure include?

Each IAM policy is a JSON document. A policy includes: optional policy-wide information (at the
top of the document) and one or more individual statements.

In Amazon IAM, what is the maximum length for a role name?

In Amazon IAM, the maximum length for a role name is 64 characters.

Cloud Academy has three AWS accounts. They have created separate IAM users within
each account. Cloud Academy wants a single IAM console URL such as
https://cloudacademy.signin.aws.amazon.com/console/ for all account users. How can
this be achieved?

If a user wants the URL of the AWS IAM sign-in page to have a company name instead of the
AWS account ID, he can create an alias for his AWS account ID. The alias should be unique.

What is the default maximum number of Roles per AWS account?

The default maximum number of Roles per AWS account is 250.

In IAM, the size of a group policy cannot exceed ______.

A group policy in IAM cannot exceed the 5,120 characters.

Identify a true statement about the statement ID (Sid) in IAM.

The Sid (statement ID) is an optional identifier that you provide for the policy statement. You
can assign a Sid value to each statement in a statement array. In IAM, the Sid is not exposed in
the IAM API. You can't retrieve a particular statement based on this ID.

When you create a user, IAM creates ______ and ______ to identify the user.

When you create a user, IAM creates Amazon Resource Name (ARN) and Unique ID to identify
the user.

In regards to IAM, select the correct statement.

In IAM you can grant permissions to users to create temporary security credentials. However,
with those credentials, users will not be able to access or utilize IAM or AWS Security Token
Services.

If you use aws:SourceIp in one of your IAM policies, and a request is made from one of
your Amazon EC2 instances, the instance's ______ IP address is evaluated to determine
whether access is allowed.

When using the policy conditional key aws:SourceIp in IAM, the instance's public IP address is
evaluated to determine whether the requested access is allowed.

Is there a limit to the number of IAM groups you can have associated to a single AWS
account?

Currently, you can have a maximum of 100 IAM user groups associated with a single AWS
account.

Which of the following statements is true of IAM?

If you need a signing certificate, you must first obtain one, and then upload it to AWS. There is
no Amazon EC2 API action to create signing certificates, so you must use a third-party tool such
as OpenSSL to create the user signing certificate.

Identify an appropriate format that IAM users can use as a password for signing in to the
AWS Management Console.

The following list describes the options that are available when you configure a password policy
for your account.

- Minimum password length: You can specify the minimum number of characters
allowed in an IAM user password. You can enter any number from 6 to 128.

- Require at least one uppercase letter: You can require that IAM user passwords contain at
least one uppercase character from the ISO basic Latin alphabet (A to Z).

- Require at least one lowercase letter: You can require that IAM user passwords contain at
least one lowercase character from the ISO basic Latin alphabet (a to z).

- Require at least one number: You can require that IAM user passwords contain at least one
numeric character (0 to 9).

- Require at least one nonalphanumeric character: You can require that IAM user passwords
contain at least one of the following nonalphanumeric characters: ! @ # $ % ^ & * ( ) _ + - = [ ] { } | '
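The password-policy options listed above, expressed as a local checker (an added example for this page, not an AWS tool): the policy object enforces the 6 to 128 range for the minimum length, and the checker reports every rule a candidate password fails rather than stopping at the first one. The symbol set is the one the page lists.

```python
from dataclasses import dataclass

# The non-alphanumeric characters listed on the page as satisfying the symbol rule.
ALLOWED_SYMBOLS = set("!@#$%^&*()_+-=[]{}|'")
MAX_LENGTH = 128


@dataclass(frozen=True)
class PasswordPolicy:
    minimum_length: int = 8
    require_uppercase: bool = True
    require_lowercase: bool = True
    require_number: bool = True
    require_symbol: bool = True

    def __post_init__(self):
        # The page states the minimum length must be a number from 6 to 128.
        if not 6 <= self.minimum_length <= MAX_LENGTH:
            raise ValueError("minimum_length must be between 6 and 128")


def unmet_rules(password, policy=PasswordPolicy()):
    """Return the names of the policy rules the password fails (empty list = accepted)."""
    failures = []
    if len(password) < policy.minimum_length:
        failures.append("minimum_length")
    if len(password) > MAX_LENGTH:
        failures.append("maximum_length")
    if policy.require_uppercase and not any("A" <= c <= "Z" for c in password):
        failures.append("uppercase")
    if policy.require_lowercase and not any("a" <= c <= "z" for c in password):
        failures.append("lowercase")
    if policy.require_number and not any("0" <= c <= "9" for c in password):
        failures.append("number")
    if policy.require_symbol and not any(c in ALLOWED_SYMBOLS for c in password):
        failures.append("symbol")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3"):
        print(candidate, unmet_rules(candidate) or "ok")
```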

A user is planning to use AWS Cloudformation for his automatic deployment
requirements. Which of the below mentioned components are required as a part of the
template?

AWS Cloudformation is an application management tool which provides application modelling,
deployment, configuration, management and related activities. The template is a JSON-format,
text-based file that describes all the AWS resources required to deploy and run an application. It
can have optional fields, such as Template Parameters, Outputs, Data tables (Mappings), and Template
file format version. The only mandatory section is Resources. The user defines the AWS services
which will be used or created by this template inside the Resources section.

A customer is using AWS for Dev and Test. The customer wants to setup the Dev
environment with Cloudformation. Which of the below mentioned steps are not required
while using Cloudformation?

AWS Cloudformation is an application management tool which provides application modelling,
deployment, configuration, management and related activities. AWS CloudFormation introduces
two concepts: the template and the stack. The template is a JSON-format, text-based file that
describes all the AWS resources required to deploy and run an application. The stack is a
collection of AWS resources which are created and managed as a single unit when AWS
CloudFormation instantiates a template. While creating a stack, the user uploads the template
and provides the data for the parameters if required.

What does Amazon CloudFormation provide?

You can use AWS CloudFormation's sample templates or create your own templates to describe
the AWS resources, and any associated dependencies or runtime parameters, required to run
your application.

You need to develop and run some new applications on AWS and you know that Elastic
Beanstalk and Cloudformation can both help as a deployment mechanism for a broad
range of AWS resources. Which of the following statements best describes the differences
between Elastic Beanstalk and Cloudformation?

These services are designed to complement each other. AWS Elastic Beanstalk provides an
environment to easily develop and run applications in the cloud. It is integrated with developer
tools and provides a one-stop experience for you to manage the lifecycle of your applications.
AWS CloudFormation is a convenient deployment mechanism for a broad range of AWS
resources. It supports the infrastructure needs of many different types of applications such as
existing enterprise applications, legacy applications, applications built using a variety of AWS
resources and container-based solutions (including those built using AWS Elastic Beanstalk).

AWS CloudFormation introduces two new concepts: The template, a JSON-format, text-based
file that describes all the AWS resources you need to deploy to run your application and the
stack, the set of AWS resources that are created and managed as a single unit when AWS
CloudFormation instantiates a template.

A user is planning to use AWS Cloudformation. Which of the below mentioned
functionalities does not help him to correctly understand Cloudformation?

AWS Cloudformation is an application management tool which provides application modelling,
deployment, configuration, management and related activities. It supports a wide variety of
AWS services, such as EC2, EBS, AS, ELB, RDS, VPC, etc. It also provides application
bootstrapping scripts which enable the user to install software packages or create folders. It is
free of charge and only bills the user for the services created with it. The only challenge is
that it does not follow any model, such as DevOps; instead customers can define templates and
use them to provision and manage the AWS resources in an orderly way.

You are playing around with setting up stacks using JSON templates in CloudFormation
to try and understand them a little better. You have set up about 5 or 6 but now start to
wonder if you are being charged for these stacks. What is AWS's billing policy regarding
stack resources?

A stack is a collection of AWS resources that you can manage as a single unit. In other words,
you can create, update, or delete a collection of resources by creating, updating, or deleting
stacks. All the resources in a stack are defined by the stack's AWS CloudFormation template. A
stack, for instance, can include all the resources required to run a web application, such as a web
server, a database, and networking rules. If you no longer require that web application, you can
simply delete the stack, and all of its related resources are deleted.

You are charged for the stack resources for the time they were operating (even if you deleted
the stack right away).

When using the AWS CLI for AWS CloudFormation, which of the following commands
returns all stack-related events for a specified stack?

aws cloudformation describe-stack-events

Description: Returns all stack-related events for a specified stack.

Note: You can list events for stacks that have failed to create or have been deleted by
specifying the unique stack identifier (stack ID).

In CloudFormation, what information do you get from the "aws cloudformation list-
stacks" command?

The aws cloudformation list-stacks command enables you to get a list of any of the stacks you
have created (including stacks deleted within the last 90 days).

AWS CloudFormation is a service that helps you model and set up your Amazon Web
Services resources so that you can spend less time managing those resources and more
time focusing on your applications that run in AWS. You create a template that describes
all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB
instances), and AWS CloudFormation takes care of provisioning and configuring those
resources for you. What formatting is required for this template?

You can write an AWS CloudFormation template (a JSON-formatted document) in a text editor
or pick an existing template. The template describes the resources you want and their settings.
For example, suppose you want to create an Amazon EC2 instance. Your template can declare an
Amazon EC2 instance and describe its properties, as shown in the following example:

{
  "AWSTemplateFormatVersion" : "2010-09-09",
  "Description" : "A simple Amazon EC2 instance",
  "Resources" : {
    "MyEC2Instance" : {
      "Type" : "AWS::EC2::Instance",
      "Properties" : {
        "ImageId" : "ami-2f726546",
        "InstanceType" : "t1.micro"
      }
    }
  }
}

Does AWS CloudFormation support Amazon EC2 tagging?

In AWS CloudFormation, Amazon EC2 resources that support the tagging feature can also be
tagged in an AWS template. The tag values can refer to template parameters, other resource
names, resource attribute values (e.g. addresses), or values computed by simple functions (e.g., a
concatenated list of strings).

True or false: With respect to the CloudFormation, you always need to write a template
from scratch to create the infrastructure you want.

To create the infrastructure you want, you enumerate what AWS resources, configuration values,
and interconnections you need in a template and then let AWS CloudFormation do the rest with
a few simple clicks in the AWS Management Console, one command by using the AWS
command line interface, or a single request by calling the APIs. You also don't need to write a
template from scratch if you start with one of the many sample templates that come with AWS
CloudFormation.

You need to create a JSON-formatted text file for AWS CloudFormation. This is your first
template and the only thing you know is that the templates include several major
sections but there is only one that is required for it to work. What is the only section
required?

AWS CloudFormation is a service that helps you model and set up your Amazon Web Services
resources so that you can spend less time managing those resources and more time focusing on
your applications that run in AWS. You create a template that describes all the AWS resources
that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS
CloudFormation takes care of provisioning and configuring those resources for you.

A template is a JSON-formatted text file that describes your AWS infrastructure. Templates
include several major sections.

The Resources section is the only section that is required.

The first character in the template must be an open brace ({), and the last character must be a
closed brace (}). The following template fragment shows the template structure and sections.

Is it possible to create an S3 bucket accessible only by a certain IAM user, using policies
in a CloudFormation template?

With AWS Identity and Access Management (IAM), you can create IAM users to control who has
access to which resources in your AWS account. You can use IAM with AWS CloudFormation to
control what AWS CloudFormation actions users can perform, such as view stack templates,
create stacks, or delete stacks.

In addition to AWS CloudFormation actions, you can manage what AWS services and resources
are available to each user.

Can you configure an RDS Read Replica using CloudFormation templates?

AWS CloudFormation gives developers and systems administrators an easy way to create and
manage collections of AWS resources. You can now set Read Replicas for your databases with
RDS when you create a new CloudFormation template. You can start using it with the sample
template of CloudFormation.

Can you change the database password for the stack you want to deploy using
CloudFormation?

Because the templates are declarative, you need only specify what you want and
CloudFormation will figure out the rest. Templates can include parameters and the parameters
can have default values. You can use the parameter model to create a single template that will
work across more than one AWS account, Availability Zone, or Region. You can also use the
parameters to transmit changing or sensitive data (e.g. database passwords) into the templates.

When you create a distribution in Amazon CloudFront, you can specify a(n)
____________________, the minimum amount of time that you want CloudFront to cache error
responses from your origin server.

When you create a distribution in Amazon CloudFront, you can specify an Error Caching
Minimum TTL, the minimum amount of time that you want CloudFront to cache error responses
from your origin server.

In Amazon CloudFront, if you include a more restrictive crossdomain.xml file in your
Amazon S3 bucket then, CloudFront:

Amazon CloudFront supplies a default file that allows all domains to access the media files in
your RTMP distribution, and you cannot change this behavior.

If you include a more restrictive crossdomain.xml file in your Amazon S3 bucket, CloudFront
ignores it.

In the context of Amazon CloudFront, when you configure the media player, the path you
specify to the media file must contain the characters _____________.

In Amazon CloudFront, when you configure the media player, the path you specify to the media
file must contain the characters cfx/st immediately after the domain name. For example:

rtmp://s5c39gqb8ow64r.cloudfront.net/cfx/st/mediafile.flv

You are architecting a highly-scalable and reliable web application which will have a
huge amount of content. You have decided to use Cloudfront as you know it will speed
up distribution of your static and dynamic web content and know that Amazon
CloudFront integrates with Amazon CloudWatch metrics so that you can monitor your
web application. Because you live in Sydney you have chosen the Asia Pacific
(Sydney) region in the AWS console. However, after setting this up, no CloudFront
metrics seem to be appearing in the CloudWatch console. What is the most likely reason
from the possible choices below for this?

CloudFront is a global service, and metrics are available only when you choose the US East (N.
Virginia) region in the AWS console. If you choose another region, no CloudFront metrics will
appear in the CloudWatch console.

How many requests per second per distribution can Amazon CloudFront handle?

Amazon CloudFront has some limitations you should know about. Mainly, there is a distribution
peak data transfer speed of 1000 megabits/s, and a transaction peak of 15,000 requests per
second. You can have those limits increased if you would like, just request a higher limit from
AWS.

In Amazon CloudFront, when you create a web distribution, the maximum length of a
path pattern is _____ characters.

In Amazon CloudFront, when you create a new distribution, you specify settings for the default
cache behavior, which automatically forwards all requests to the origin that you specify when
you create the distribution. A path pattern (for example, /images/*.jpg) specifies which requests
you want this cache behavior to apply to. When CloudFront receives an end-user request, the
requested path is compared with path patterns in the order in which cache behaviors are listed
in the distribution. In Amazon CloudFront, the maximum length of a path pattern is 255
characters. The value can contain any of the following characters:

- A-Z, a-z (path patterns are case sensitive, so the path pattern /*.jpg doesn't apply to the
file /LOGO.JPG)

- 0-9

- _-.*$/~"'@:+

- &, passed and returned as &

True or False: In Amazon CloudFront RTMP distribution, if you had two distributions for
an Amazon S3 bucket, you could reference a single media file using either distribution.

In Amazon CloudFront, you typically create one RTMP distribution per Amazon S3 bucket, but
you can choose to create multiple RTMP distributions for the same bucket. For example, if you
had two distributions for an Amazon S3 bucket, you could reference a single media file using
either distribution. In this case, if you had a media file called media.flv in your origin server,
CloudFront would work with each distribution as though it referenced an individual media.flv
object: one media.flv accessible through one distribution, and another media.flv accessible
through the other distribution.

You receive the following request from a client to quickly deploy a static website for
them, specifically on AWS. The requirements are low-cost, reliable, online storage, and
a reliable and cost-effective way to route customers to the website, as well as a way to
deliver content with low latency and high data transfer speeds so that visitors to
his website don't experience unnecessary delays. What do you think would be the
minimum AWS services that could fulfill the client's request?

You can easily and inexpensively use AWS to host a website that uses client-side technologies
(such as HTML, CSS, and JavaScript) and does not require server-side technologies (such as PHP
and ASP.NET). This type of site is called a static website, and is used to display content that does
not change frequently.

Before you create and deploy a static website, you must plan your architecture to ensure that it
meets your requirements. Amazon S3, Amazon Route 53, and Amazon CloudFront would be
required in this instance.

Which protocol does Amazon CloudFront use to stream objects?

In Amazon CloudFront, RTMP distributions stream media files using Adobe Media Server and
the Adobe Real-Time Messaging Protocol (RTMP). An RTMP distribution must use an Amazon S3
bucket as the origin.

After you've created your distribution in Amazon CloudFront, to test your links, you must
wait until the status of your distribution changes to ____ before testing your links.

After you've created your distribution in Amazon CloudFront, you must wait until the status of
your distribution changes to Deployed before testing your links.

If you enable Amazon CloudFront access logging, can you identify the requests that
CloudFront rejected with an HTTP status code of 403?

If you enable Amazon CloudFront access logging, you can identify the requests that CloudFront
rejected with an HTTP status code of 403. However, using only the access logs, you can't
distinguish a request that CloudFront rejected based on the location of the user from a request
that CloudFront rejected because the user didn't have permission to access the object for
another reason.

In Amazon CloudFront, whenever a distribution is ________, CloudFront doesn't accept any
end-user requests that use the domain name associated with that distribution.

In Amazon CloudFront, for a distribution status, Disabled means that even though the
distribution might be deployed and ready to use, end users can't use it. Whenever a distribution
is disabled, CloudFront doesn't accept any end-user requests that use the domain name
associated with that distribution. Until you switch the distribution from disabled to enabled (by
updating the distribution's configuration), no one can use it.

Which of the following statements is true about using Amazon CloudFront URLs for your
objects in Amazon CloudFront?

In Amazon CloudFront, you can use the CloudFront domain name in URLs for your objects, for
example:

http://d111111abcdef8.cloudfront.net/image.jpg

instead of your own domain name

http://www.example.com/image.jpg

In the context of Amazon CloudFront, which of the following statements is incorrect?

In Amazon CloudFront, using an existing Amazon S3 bucket as your CloudFront origin server
doesn't change the bucket in any way; you can still use it as you normally would to store and
access Amazon S3 objects (at the normal Amazon S3 prices). You can use the same Amazon S3
bucket for both RTMP and web distributions.

In Amazon CloudFront, when you update a web distribution, can the path pattern value
contain (@, *, $ and +)?

In Amazon CloudFront, when you create a new distribution, you specify settings for the default
cache behavior, which automatically forwards all requests to the origin that you specify when
you create the distribution. A path pattern (for example, /images/*.jpg) specifies which requests
you want this cache behavior to apply to. When CloudFront receives an end-user request, the
requested path is compared with path patterns in the order in which cache behaviors are listed
in the distribution. In Amazon CloudFront, the maximum length of a path pattern is 255
characters. The value can contain any of the following characters.

• A-Z, a-z (path patterns are case sensitive, so the path pattern /*.jpg doesn't apply to
the file /LOGO.JPG)

• 0-9

• _-.*$/~"'@:+

• &, passed and returned as &amp;

A friend tells you he is being charged $100 a month to host his WordPress website, and
you tell him you can move it to AWS for him and he will only pay a fraction of that,
which makes him very happy. He then tells you he is being charged $50 a month for the
domain, which is registered with the same people that set it up, and he asks if it's
possible to move that to AWS as well. You tell him you aren't sure, but will look into it.
Which of the following statements is true in regards to transferring domain names to
AWS?

With Amazon Route 53, you can create and manage your public DNS records with the AWS
Management Console or with an easy-to-use API. If you need a domain name, you can find an
available name and register it using Amazon Route 53. You can also transfer existing domains
into Amazon Route 53’s management.

__________ is a highly available and scalable Domain Name System (DNS) web service.

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service. It
is designed to give developers and businesses an extremely reliable and cost effective way to
route end users to Internet applications by translating names like www.example.com into the
numeric IP addresses like 192.0.2.1 that computers use to connect to each other.

True or False: Amazon Route 53 provides highly available and scalable Domain Name
System (DNS), domain name registration, and health-checking web services.

Amazon Route 53 provides highly available and scalable Domain Name System (DNS), domain
name registration, and health-checking web services.

What does Amazon Route 53 provide?

Amazon Route 53 provides a scalable Domain Name System.

In which AWS services can you map "Queries to Alias records" for free?

Queries to Alias records that are mapped to Elastic Load Balancers, Amazon CloudFront
distributions, AWS Elastic Beanstalk environments, and Amazon S3 website buckets are free.

These queries are listed as “Intra-AWS-DNS-Queries” on the Amazon Route 53 usage report.

Which one of the Amazon services translates domain names like www.example.com into
IP addresses like 192.0.2.1?

Amazon Route 53 is a scalable Domain Name System (DNS) web service. Amazon Route 53 is an
authoritative DNS service, meaning it translates friendly domain names like www.example.com
into IP addresses like 192.0.2.1.

Does Route 53 integrate with AWS IAM to specify which Amazon Route 53 API actions a
user can perform on which Amazon Route 53 resources?

Amazon Route 53 integrates with AWS Identity and Access Management (IAM) so that you can
specify which Amazon Route 53 API actions a user can perform on which Amazon Route 53
resources. For example, you can create an IAM policy that gives certain users in your
organization permission to update resource record sets of specific hosted zones that your
organization owns.

Regarding Amazon Route 53, the “example.com” hosted zone can contain the following
resource record sets EXCEPT:

The name of each resource record set in a hosted zone must end with the name of the hosted
zone. For example, the example.com hosted zone can contain resource record sets for
www.example.com and accounting.tokyo.example.com subdomains, but cannot contain
resource record sets for a www.example.ca subdomain.

In Amazon Route 53, how will you control users in the AWS account to create a new
hosted zone or change resource record sets?

You can use IAM with Amazon Route 53 to control which users in your AWS Account can create
a new hosted zone or change resource record sets.

What happens if you accidentally delete a hosted zone that still contains resource record
sets in Amazon Route 53?

In Amazon Route 53, you can delete a hosted zone only if there are no resource record sets
other than the default SOA and NS records. If your hosted zone contains other resource record
sets, you must delete them before you can delete your hosted zone. This prevents you from
accidentally deleting a hosted zone that still contains resource record sets.

By using Amazon Route 53, is it possible to improve your application’s performance for a
global audience?

In Amazon Route 53, LBR (Latency Based Routing) is a new feature for Amazon Route 53 that
helps you improve your application’s performance for a global audience. You can run
applications in multiple AWS regions and Amazon Route 53, using dozens of edge locations
worldwide, will route end users to the AWS region that provides the lowest latency.

Can you register a domain name with Amazon Route 53?

Yes. You can use the AWS Management Console or API to register new domain names with
Route 53. You can also request to transfer in existing domain names from other registrars to be
managed by Route 53. Domain name registration services are provided under our Domain
Name Registration Agreement.

Identify a true statement about resource record sets in Amazon Route 53.

In Amazon Route 53, the name of each resource record set in a hosted zone must end with the
name of the hosted zone. For example, the example.com hosted zone can contain resource
record sets for www.example.com and accounting.tokyo.example.com subdomains, but cannot
contain resource record sets for a www.example.ca subdomain.

Can resource record sets in a hosted zone have a different domain suffix (for example,
www.blog.acme.com and www.acme.ca)?

The resource record sets contained in a hosted zone must share the same suffix. For example,
the example.com hosted zone can contain resource record sets for www.example.com and
www.aws.example.com subdomains, but it cannot contain resource record sets for a
www.example.ca subdomain.

Can you create a subdomain that uses Amazon Route 53 as the DNS service without
migrating the parent domain from another DNS service?

You can create a subdomain that uses Route 53 as the DNS service without migrating the parent
domain from another DNS service. To do that, you must create a hosted zone.

Regarding Amazon Route 53, to create weighted resource record sets using the Amazon
Route 53 console, when you create a resource record set, if you set Weight to ________ for all of
the resource record sets in the group, traffic is routed to all resources with equal probability.

In Amazon Route 53, for the value of Weight, you can enter an integer between 0 and 255. To
disable routing to a resource, set Weight to 0. If you set Weight to 0 for all of the resource
record sets in the group, traffic is routed to all resources with equal probability. This ensures
that you don't accidentally disable routing for a group of weighted resource record sets.

In Amazon Route 53, if a resource record set does not already exist, Amazon Route 53
creates it using _____.

In Amazon Route 53, if a resource record set does not already exist, Amazon Route 53 creates it
using UPSERT.

AWS Elastic Beanstalk provides platforms for programming languages such as
______.

Elastic Beanstalk provides platforms for programming languages (Java, PHP, Python, Ruby, Go),
web containers (Tomcat, Passenger, Puma) and Docker containers, with multiple configurations
of each.

With latency-based routing, Amazon Route 53 can direct your users to the lowest-latency
AWS endpoint available. Amazon Route 53 supports latency-based routing for A, AAAA,
TXT, and CNAME resource record sets, as well as aliases to:

With latency-based routing, Amazon Route 53 can direct your users to the lowest-latency AWS
endpoint available. For example, you may associate a DNS name like www.example.com with
ELB load balancers or with Amazon EC2 instances or Elastic IP addresses that are hosted in the
US East (Virginia) and EU West (Ireland) regions. The Amazon Route 53 DNS servers decide,
based on network conditions of the past couple of weeks, which instances in which regions
should serve particular users. A user in London will likely be directed to the EU West (Ireland)
instance, a user in Chicago will likely be directed to the US East (Virginia) instance, and so on.
Amazon Route 53 supports latency-based routing for A, AAAA, TXT, and CNAME resource record
sets, as well as aliases to A and AAAA resource record sets.

In Amazon Route 53, new resource record sets take time to propagate to the Amazon
Route 53 DNS servers. Changes generally propagate to all Amazon Route 53 name servers
_____.

Your new resource record sets take time to propagate to the Amazon Route 53 DNS servers.
Currently, the only way to verify that changes have propagated is to use the GetChange API
action. Changes generally propagate to all Amazon Route 53 name servers in a couple of
minutes. In rare circumstances, propagation can take up to 30 minutes.

In regard to Amazon Route 53, what is the delegation set when you create a hosted zone?

In Amazon Route 53, when you create a hosted zone, Amazon Route 53 assigns four name
servers to your hosted zone; these four name servers are called the delegation set. To ensure
that the Domain Name System routes queries for your domain to the Amazon Route 53 name
servers, update your registrar's or your DNS service's NS records for the domain to replace the
current name servers with the names of the four Amazon Route 53 name servers in the
delegation set for your hosted zone. The method that you use to update the NS records
depends on which registrar or DNS service you're using. You can get the name servers in the
delegation set for a hosted zone using the Amazon Route 53 console or the GetHostedZone
API action.

Does Route 53 support MX Records?

Route 53 supports MX Records. After you create a hosted zone for your domain, such as
example.com, you create resource record sets to tell the Domain Name System (DNS) how you
want traffic to be routed for that domain. Each resource record set includes the name of a
domain or a subdomain, a record type (for example, a resource record set with a type of MX
routes email), and other information applicable to the record type (for MX records, the host
name of one or more mail servers and a priority for each server).

In Amazon Route 53, a(n) ___________ contains a pointer to a CloudFront distribution, an
Elastic Load Balancing load balancer, an Amazon S3 bucket that is configured as a static
website, or another Amazon Route 53 resource record set in the same hosted zone.

While ordinary Amazon Route 53 resource record sets are standard DNS resource record
sets, alias resource record sets provide an Amazon Route 53–specific extension to DNS
functionality. Instead of an IP address or a domain name, an alias resource record set contains a
pointer to a CloudFront distribution, an Elastic Beanstalk environment, an ELB load balancer, an
Amazon S3 bucket that is configured as a static website, or another Amazon Route 53 resource
record set in the same hosted zone.

A(n) __________ is a collection of resource record sets hosted by Amazon Route 53. Like a
traditional DNS zone file, it represents a collection of resource record sets that are
managed together under a single domain name, and it has its own metadata and
configuration information.

In Amazon Route 53, a hosted zone is a collection of resource record sets hosted by Amazon
Route 53. Like a traditional DNS zone file, a hosted zone represents a collection of resource
record sets that are managed together under a single domain name. Each hosted zone has its
own metadata and configuration information.

In Amazon Route 53, after you create a hosted zone for a specified domain, for
example, example.com, you tell the Domain Name System how you want traffic to be
routed for that domain by ______________________.

In Amazon Route 53, after you create a hosted zone for a specified domain, for example,
example.com, you create resource record sets to tell the Domain Name System how you want
traffic to be routed for that domain.

What is the Perl script dnscurl.pl used for?

The Perl script dnscurl.pl is used for configuring Amazon Route 53.

In Amazon S3, what is the document that defines who can access a particular bucket or
object called?

Access Control List is the document that defines who can access a particular bucket or object in
Amazon S3. Amazon S3 Access Control Lists (ACLs) enable you to manage access to buckets and
objects. Each bucket and object has an ACL attached to it as a subresource. It defines which
AWS accounts or groups are granted access and the type of access.

What does Amazon SES stand for?

Amazon SES stands for Simple Email Service.

Regarding Amazon SNS, _________ consume or receive the message or notification over
one of the supported protocols when they are subscribed to the topic.

In Amazon SNS, subscribers (i.e., web servers, email addresses, Amazon SQS queues) consume
or receive the message or notification over one of the supported protocols (i.e., Amazon SQS,
HTTP/S, email, SMS) when they are subscribed to the topic.

Which service is offered by Auto Scaling?

Auto Scaling is a service that allows users to scale the EC2 resources up or down automatically
according to the conditions or by manual intervention. It is a seamless process to scale the EC2
compute units up and down.

Which of the following size ranges is true of Individual Amazon S3 objects?

The total volume of data and number of objects you can store are unlimited. Individual Amazon
S3 objects can range in size from 0 bytes to 5 terabytes.

In AWS Elastic Beanstalk, an environment tier whose web application processes web
requests is known as a ________. An environment tier whose web application runs
background jobs is known as a ___________.

When you launch an AWS Elastic Beanstalk environment, you choose an environment tier,
platform, and environment type. An environment tier whose web application processes web
requests is known as a web server tier. An environment tier whose web application runs
background jobs is known as a worker tier.

_________ is a fast, reliable, scalable, fully managed message queuing service.

Amazon Simple Queue Service (SQS) is a fast, reliable, scalable, fully managed message queuing
service. SQS makes it simple and cost-effective to decouple the components of a cloud
application.

Amazon EC2 provides virtual computing environments known as _____.

Amazon EC2 provides virtual computing environments known as instances.

Which of the following does Amazon S3 provide?

Amazon S3 provides Scalable Storage in the Cloud.

EBS (Elastic Block Store) can be best described as:

Amazon Elastic Block Store (Amazon EBS) provides block level (file system type) storage
volumes for use with Amazon EC2 instances. Amazon EBS volumes are highly available and
reliable storage volumes that can be attached to any running instance that is in the same
Availability Zone. Amazon EBS volumes that are attached to an Amazon EC2 instance are
exposed as storage volumes that persist independently from the life of the instance.

What is the maximum size of an object in Amazon S3?

5 TB is the maximum size of an object in Amazon S3.

Amazon SQS is engineered to always be available and deliver messages. However,
because of this, what is one of the resulting tradeoffs?

Amazon SQS is engineered to always be available and deliver messages and because of
this, one of the resulting tradeoffs is that SQS does not guarantee first in, first out delivery of
messages.

What does Amazon EC2 provide?

Amazon EC2 provides Virtual Server Hosting.

Amazon CloudFront is a ________.

Amazon CloudFront is a content delivery network (CDN) service. It integrates with other Amazon
Web Services to give developers and businesses an easy way to distribute content to end users
with low latency, high data transfer speeds, and no minimum usage commitments.

You need to develop and run some new applications on AWS and you know that Elastic
Beanstalk and CloudFormation can both help as a deployment mechanism for a broad
range of AWS resources. Which of the following statements best describes the differences
between Elastic Beanstalk and CloudFormation?

These services are designed to complement each other. AWS Elastic Beanstalk provides an
environment to easily develop and run applications in the cloud. It is integrated with developer
tools and provides a one-stop experience for you to manage the lifecycle of your applications.
AWS CloudFormation is a convenient deployment mechanism for a broad range of AWS
resources. It supports the infrastructure needs of many different types of applications such as
existing enterprise applications, legacy applications, applications built using a variety of AWS
resources and container-based solutions (including those built using AWS Elastic Beanstalk).

AWS CloudFormation introduces two new concepts: The template, a JSON-format, text-based
file that describes all the AWS resources you need to deploy to run your application and the
stack, the set of AWS resources that are created and managed as a single unit when AWS
CloudFormation instantiates a template.

What does Amazon EC2 stand for?

Amazon EC2 (Elastic Compute Cloud) is a web service that provides resizeable computing
capacity—literally, servers in Amazon's data centers—that you use to build and host your
software systems. You can access the components and features that EC2 provides by using a
web-based GUI, a command line interface, and APIs.

What does Amazon RDS stand for?

Amazon RDS stands for Relational Database Service, which offers easy to scale and manage
relational databases on the Cloud.

You are setting up a VPC and you need to set up a public subnet within that VPC.
Which following requirement must be met for this subnet to be considered a public
subnet?

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically
isolated from other virtual networks in the AWS cloud. You can launch your AWS resources, such
as Amazon EC2 instances, into your VPC. You can configure your VPC: you can select its IP
address range, create subnets, and configure route tables, network gateways, and security
settings.

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet
that you select. Use a public subnet for resources that must be connected to the internet, and a
private subnet for resources that won't be connected to the Internet.

• If a subnet's traffic is routed to an internet gateway, the subnet is known as a public
subnet.

• If a subnet doesn't have a route to the internet gateway, the subnet is known as
a private subnet.

• If a subnet doesn't have a route to the internet gateway, but has its traffic routed to a
virtual private gateway, the subnet is known as a VPN-only subnet.

Which of the following comes before Auto Scaling group creation?

The Auto Scaling launch config is the first step that should be run before a user can create an
Auto Scaling group. The launch config has all the information, such as the instance type, AMI ID,
and other instance launch parameters. The Auto Scaling group uses this launch config to create
a new group.

What is Amazon WorkSpaces?

Amazon WorkSpaces is a fully managed desktop computing service in the AWS cloud, allowing
end-users to access the documents, applications, and resources they need with the device of
their choice.

By using __________, you simply upload your application, and it automatically handles the
deployment details of capacity provisioning, load balancing, auto-scaling, and
application health monitoring.

AWS Elastic Beanstalk is an easy way for you to quickly deploy and manage applications in the
AWS cloud. You simply upload your application, and Elastic Beanstalk automatically handles the
deployment details of capacity provisioning, load balancing, auto-scaling, and application
health monitoring.

What does Amazon RDS perform?

Amazon RDS manages the work involved in setting up a relational database: from provisioning
the infrastructure capacity you request to installing the database software.

Where is an object stored in Amazon S3?

Every object in Amazon S3 is stored in a bucket. Before you can store data in Amazon S3, you
must create a bucket.

Is it possible to access S3 objects from the Internet?

You must grant read permission on the specific objects to make them publicly accessible so that
your users can view them on your website. You make objects publicly readable by using either
the object ACL or by writing a bucket policy.

What is the main use of EMR?

Using Amazon EMR, you can instantly provision as much or as little capacity as you like to
perform data-intensive tasks for applications such as web indexing, data mining, log file analysis,
machine learning, financial analysis, scientific simulation, and bioinformatics research. Amazon
EMR lets you focus on crunching or analyzing your data without having to worry about
time-consuming set-up, management or tuning of Hadoop clusters or the compute capacity upon
which they sit.

What is the default cool down period for an Auto Scaling Group?

Cool down is the wait period between the time a scaling activity ends and another scaling
activity can start. It is associated with the CloudWatch alarms, and during cool down, the desired
capacity cannot be modified by the CloudWatch alarms. The default cool down period is 300
seconds.

What does Amazon SWF stand for?

Amazon Simple Workflow Service (SWF) provides the glue needed by your application to
coordinate several tasks. These tasks are tackled by several instances coordinating aspects like
the dependencies between them.

___________ is a task coordination and state management service for cloud applications.

Amazon Simple Workflow (Amazon SWF) is a task coordination and state management service
for cloud applications. With Amazon SWF, you can stop writing complex glue-code and state
machinery and invest more in the business logic that makes your applications unique.

Identify the database engines currently supported by RDS.

Amazon RDS gives you online access to the capabilities of the following database systems.

• Amazon Aurora

• MySQL

• Oracle

• Microsoft SQL Server

• PostgreSQL

• MariaDB

In Amazon RDS, which of the following provides enhanced availability and durability for
Database (DB) Instances, making them a natural fit for production database
workloads?

Amazon RDS Multi-AZ deployments provide enhanced availability and durability for Database
(DB) Instances, making them a natural fit for production database workloads. When you
provision a Multi-AZ DB Instance, Amazon RDS automatically creates a primary DB Instance and
synchronously replicates the data to a standby instance in a different Availability Zone (AZ).
Each AZ runs on its own physically distinct, independent infrastructure, and is engineered to be
highly reliable.

Amazon EBS provides the ability to create backups of any Amazon EC2 volume into what
is known as _____.

Amazon allows you to make backups of the data stored in your EBS volumes through snapshots
that can later be used to create a new EBS volume.

What's the size limit of an Amazon EBS Magnetic volume?

You can create EBS Magnetic volumes from 1 GiB to 1 TB in size. You can, however, create EBS
General Purpose (SSD) and Provisioned IOPS (SSD) volumes up to 16 TiB in size.

What does AMI stand for?

AMI stands for Amazon Machine Image.

What does RRS stand for when talking about S3?

In Amazon S3, RRS stands for Reduced Redundancy Storage.

In regard to AWS CloudFormation, to pass values to your template at runtime you should
use ____________

Optional parameters are listed in the Parameters section. Parameters enable you to pass values
to your template at runtime, and can be dereferenced in the Resources and Outputs sections of
the template.

Which of the following platforms is not supported by Amazon's Elastic Beanstalk?

AWS Elastic Beanstalk web server environment tiers support applications developed in Java,
PHP, .NET, Node.js, Python, and Ruby as well as different container types for each language.
Worker environments are supported for all platforms except .NET.

Which AWS service offers cost optimization by launching instances automatically only
when needed?

AWS Auto Scaling can launch instances based on certain criteria. This provides cost optimization
to the user as it will only launch the instance when required, thereby resulting in cost saving.

A user is launching an instance with EC2. Which of the below-mentioned options does the
user need to consider before launching an instance?

Regarding Amazon EC2, when launching an instance, the user needs to select the region the
instance will be launched in. While launching, the user needs to plan for the instance type
and the OS of the instance.

Identify the operating system environments supported by Amazon EC2.

Amazon EC2 currently supports a variety of operating systems including: Amazon Linux, Ubuntu,
Windows Server, Red Hat Enterprise Linux, SUSE Linux Enterprise Server, Fedora, Debian,
CentOS, Gentoo Linux, Oracle Linux, and FreeBSD.

In Amazon ElastiCache, a cluster is a collection of one or more cache nodes, all of which
run an instance of supported cache engine software, _____.

In Amazon ElastiCache, a cluster is a collection of one or more cache nodes, all of which run an
instance of supported cache engine software, Memcached or Redis. When you create a cache
cluster, you specify the cache engine that all of the nodes will use.

In AWS Elastic Beanstalk, an environment tier whose web application runs background
jobs is known as a ______________.

In AWS Elastic Beanstalk, an environment whose web application processes web requests is
known as a web server environment. An environment tier whose web application runs
background jobs is known as a worker environment.

What is the Reduced Redundancy option in Amazon S3 used for?

In order to reduce storage costs, you can use reduced redundancy storage for noncritical,
reproducible data at lower levels of redundancy than Amazon S3 provides with standard
storage.

What does AWS S3 offer as a business service?

Amazon S3 has a simple web services interface that you can use to store and retrieve any
amount of data, at any time, from anywhere on the web.

Which of the following is the most accurate definition of the Amazon Machine Images
(AMIs)?

One of the main features of Amazon EC2 is Amazon Machine Images (AMIs). An AMI is a template
that contains a software configuration (for example, an operating system, an application server,
and applications). Public AMIs contain common software configurations for general use.

Moreover, users can create their custom AMI or AMIs. This ability helps users to quickly and
easily start new instances that have everything they need.

What are Spot Instances useful for?

There are four general categories of time-flexible and interruption-tolerant tasks that work well
with Spot Instances: delayable tasks, optional tasks, tasks that can be sped up by adding
additional computing power, and, finally, tasks that require a large number of compute
instances that you can't access any other way.

How can we prevent accidental termination of our instances?

If you want to prevent your instance from being accidentally terminated using Amazon EC2, you
can enable termination protection for the instance.

____________ is a fast, flexible, fully managed push messaging service.

Amazon Simple Notification Service (Amazon SNS) is a fast, flexible, fully managed push
messaging service. Amazon SNS makes it simple and cost-effective to push to mobile devices
such as iPhone, iPad, Android, Kindle Fire, and internet connected smart devices, as well as
pushing to other distributed services.

What is a security group in Amazon AWS?

A security group acts as a virtual firewall that controls the traffic for one or more instances.
When you launch an instance, you associate one or more security groups with the instance. You
add rules to each security group that allow traffic to or from its associated instances. You can
modify the rules for a security group at any time; the new rules are automatically applied to all
instances that are associated with the security group. When we decide whether to allow traffic
to reach an instance, we evaluate all the rules from all the security groups that are associated
with the instance.

___________ is a fully managed service for real-time processing of streaming data at
massive scale.

Amazon Kinesis is a fully managed service for real-time processing of streaming data at massive
scale. Amazon Kinesis can collect and process hundreds of terabytes of data per hour from
hundreds of thousands of sources, allowing you to easily write applications that process
information in real-time from sources such as web site click-streams, marketing and financial
information, manufacturing instrumentation and social media, and operational logs and
metering data.

What does Amazon SES provide?

Amazon SES or Simple Email Service offers a transactional and highly scalable email service.

Which Database is not supported by Amazon RDS Databases?

Amazon RDS currently supports the MySQL, PostgreSQL, Oracle, and Microsoft SQL Server DB
engines. Each DB engine has its own supported features, and each version of a DB engine may
include specific features. Additionally, each DB engine has a set of parameters in a DB
parameter group that control the behavior of the databases that it manages.

When does the billing of an Amazon EC2 system begin?

Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance. Billing
ends when the instance terminates, which could occur through a web services command, by
running "shutdown -h", or through instance failure. When you stop an instance, Amazon shuts it
down and doesn't charge hourly usage or data transfer fees for the stopped instance, but it still
charges for the storage of any Amazon EBS volumes.

What does Amazon EMR stand for?

Amazon EMR stands for Amazon Elastic MapReduce.

In Amazon RDS, are automated backups enabled by default for a new DB Instance?

Automated backup is an Amazon RDS feature that automatically creates a backup of your DB
instance. Automated backups are enabled by default for a new DB instance.

What does Amazon S3 stand for?

Amazon Simple Storage Service (Amazon S3) is storage for the Internet. It provides a simple
interface to manage scalable, reliable, and low latency data storage service over the Internet.

What does Amazon EBS stand for?

Amazon EBS stands for Elastic Block Store. It is persistent storage that keeps the data of
Amazon EC2 instances in a separate virtual volume, automatically replicated within its
Availability Zone to protect against component failure. With Amazon EBS the customer can add
more storage whenever it is needed and can also add more performance with Amazon EBS
Provisioned IOPS.

Elastic Load Balancing automatically distributes incoming traffic across multiple _____
instances.

AWS provides the Elastic Load Balancing service to automatically distribute the incoming traffic
across multiple Amazon Elastic Compute Cloud (Amazon EC2) instances.

You have just launched your first AWS Elastic Beanstalk application. How long will it be
before your application is fully deployed and accessible to your users?

It usually takes a few minutes to create the AWS resources to run your application. However,
you need to keep in mind that the time is dependent on a number of factors including the size
of your deployable code and the number of application servers you are deploying.

The Amazon Linux AMI is:

The Amazon Linux AMI is a supported and maintained Linux image provided by AWS.

By default, a network ACL that you create ____ until you add rules, and is not associated
with a subnet until you explicitly associate it with one.

You can create a custom network ACL for your VPC. By default, a network ACL that you create
blocks all inbound and outbound traffic until you add rules, and is not associated with a subnet
until you explicitly associate it with one.

Security groups in VPC operate at the ______.

You can secure your VPC instances using only security groups. When you launch an instance in a
VPC, you can associate one or more security groups that you've created. The security groups act
as a firewall for associated Amazon EC2 instances, controlling both inbound and outbound
traffic at the instance level.

The fastest way to load 300 TB of data to AWS is _____.

Even with high-speed Internet connections, it can take months to transfer large amounts of
data. For example, 100 terabytes of data will take more than 100 days to transfer over a
dedicated 100 Mbps connection. That same transfer can be accomplished in less than one day,
plus shipping time, using two Snowball appliances.

You are setting up a VPC and you need to set up a public subnet within that VPC.
Which following requirement must be met for this subnet to be considered a public
subnet?

A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically
isolated from other virtual networks in the AWS cloud. You can launch your AWS resources, such
as Amazon EC2 instances, into your VPC. You can configure your VPC: you can select its IP
address range, create subnets, and configure route tables, network gateways, and security
settings.

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet
that you select. Use a public subnet for resources that must be connected to the internet, and a
private subnet for resources that won't be connected to the Internet.

- If a subnet's traffic is routed to an internet gateway, the subnet is known as a public
subnet.

- If a subnet doesn't have a route to the internet gateway, the subnet is known as
a private subnet.

- If a subnet doesn't have a route to the internet gateway, but has its traffic routed to a
virtual private gateway, the subnet is known as a VPN-only subnet.

Which of the following states is not possible for the CloudWatch alarm?

The three possible states of a CloudWatch alarm are OK, ALARM, and INSUFFICIENT_DATA.

What does the AWS Storage Gateway provide?

AWS Storage Gateway connects an on-premises software appliance with cloud-based storage to
provide seamless integration with data security features between your on-premises IT
environment and the Amazon Web Services (AWS) storage infrastructure.

Which of the following is true of an Elastic IP Address (EIP) in EC2?

An Elastic IP address is a static IP address designed for dynamic cloud computing. An Elastic IP
address is associated with your AWS account. With an Elastic IP address, you can mask the
failure of an instance or software by rapidly remapping the address to another instance in your
account. If your account supports EC2-Classic, there's one pool of Elastic IP addresses for use
with the EC2-Classic platform and another for use with the EC2-VPC platform. The following are
the basic characteristics of an Elastic IP address: You can disassociate an Elastic IP address from
a resource, and reassociate it with a different resource. A disassociated Elastic IP address
remains allocated to your account until you explicitly release it. An Elastic IP address is for use in
a specific region only.

What is the default maximum number of VPCs allowed per region?

The maximum number of VPCs allowed per region is 5.

What is Amazon Import/Export?

AWS Import/Export accelerates transferring large amounts of data between the AWS cloud and
portable storage devices that you mail to AWS. AWS transfers data directly onto and off of your
storage devices using Amazon's high-speed internal network.

For how many days does CloudWatch store the metric data?

CloudWatch stores the metric data only for 14 days. If the user wants to store the data for a
longer period, they have to download the data using the SDKs and store it on their own system.

Network ACLs in VPC operate at the ______.

Security Groups in VPC operate at the instance level, providing a way to control the incoming
and outgoing instance traffic. In contrast, network ACLs operate at the subnet level, providing a
way to control the traffic that flows through the subnets of your VPC.

The use of placement group in Amazon EC2 is to:

A placement group in Amazon EC2 is a logical entity that enables creating a cluster of instances
by launching instances as part of a group. The cluster of instances then provides low latency, full
bisection 10 Gigabit Ethernet bandwidth connectivity between instances in the group. Cluster
placement groups are created through the Amazon EC2 API or AWS Management Console.

True or False: Amazon Route 53 provides highly available and scalable Domain Name
System (DNS), domain name registration, and health-checking web services.

Amazon Route 53 provides highly available and scalable Domain Name System (DNS), domain
name registration, and health-checking web services.

Which of the following states is possible for the CloudWatch alarm?

The possible three states of a CloudWatch alarm are "OK", "ALARM", and "INSUFFICIENT_DATA."

Which of the following statements is true of AWS ELB?

Elastic Load Balancing automatically distributes incoming traffic across multiple EC2 instances.
You create a load balancer and register instances with the load balancer in one or more
Availability Zones. The load balancer serves as a single point of contact for clients.

Network ACLs are _______.

Network ACLs are stateless; responses to allowed inbound traffic are subject to the rules for
outbound traffic (and vice versa).

______ in VPC are stateful where return traffic is automatically allowed, regardless of any
rules.

Security groups in VPC are stateful where return traffic is automatically allowed without having
to go through the whole evaluation process again.

What does Amazon VPC stand for?

Amazon VPC stands for Amazon Virtual Private Cloud (Amazon VPC). It allows you to create and
manage your resources within a logically isolated private network that you can design and
manage yourself.

In Amazon EC2, how many Elastic IP addresses can you have by default?

The number of Elastic IP addresses you can have in EC2 is 5.

What does Amazon ELB stand for?

Amazon ELB stands for Elastic Load Balancing.

What does Amazon Route53 provide?

Amazon Route53 provides a scalable Domain Name System.

In AWS Storage Gateway, Gateway-cached volumes allow you to retain ________________.

You store your data in Amazon S3 and retain a copy of frequently accessed data subsets locally.
Gateway-cached volumes offer a substantial cost savings on primary storage and minimize the
need to scale your storage on-premises. You also retain low-latency access to your frequently
accessed data.

What does enabling a sticky session with ELB do?

By default, a load balancer routes each request independently to the registered instance with
the smallest load. However, you can use the sticky session feature (also known as session
affinity), which enables the load balancer to bind a user's session to a specific instance. This
ensures that all requests from the user during the session are sent to the same instance.

What is the time period with which metric data is sent to CloudWatch when detailed
monitoring is enabled on an Amazon EC2 instance?

By default, Amazon EC2 metric data is automatically sent to CloudWatch in 5-minute periods.
However, you can enable detailed monitoring on an Amazon EC2 instance, which sends data to
CloudWatch in 1-minute periods.

Which of the following statements describes launch configuration in Auto Scaling?

A launch configuration represents a template that the Auto Scaling group uses to launch the
Amazon EC2 instances. When you create a launch configuration, you specify information for the
instances such as the ID of the Amazon Machine Image (AMI), the instance type, a key pair, one
or more security groups, and a block device mapping.

Security groups in Amazon VPC ______.

Security Groups in VPC allow you to specify rules for both outgoing and incoming traffic. In
contrast, security groups in EC2-Classic allow you to specify rules for incoming traffic only.

Which service is offered by Auto Scaling?

Auto Scaling is a service that allows users to scale the EC2 resources up or down automatically
according to the conditions or by manual intervention. It is a seamless process to scale the EC2
compute units up and down.

A route table in VPC can be associated with multiple subnets. However, a subnet can be
associated with only ______ route table(s) at a time.

Every subnet in your VPC must be associated with exactly one route table at a time. However,
the same route table can be associated with multiple subnets.

Is it possible to publish your own metrics to CloudWatch?

You can publish your own metrics to CloudWatch with the put-metric-data command (or its
Query API equivalent PutMetricData).

What is a placement group in Amazon EC2?

A placement group is a logical grouping of instances within a single Availability Zone.

In the AWS Storage Gateway, using the ____________, you can cost-effectively and durably
archive backup data in Amazon Glacier.

In AWS Storage Gateway, using Gateway-virtual tape library (VTL), you can cost-effectively and
durably store archive and long-term backup data in Amazon Glacier. Gateway-VTL provides
virtual tape infrastructure that scales seamlessly with your business needs and eliminates the
operational burden of provisioning, scaling and maintaining a physical tape infrastructure.

AMIs can be ______________.

Amazon AMIs can be public or private.

Elasticity is one of the benefits of using Elastic Beanstalk. Which of the
following best describes the concept of elasticity?

Because applications deployed using Elastic Beanstalk run on Amazon cloud resources, you
should keep several things in mind when designing your application: scalability, security,
persistent storage, fault tolerance, content delivery, software updates and patching, and
connectivity. Elasticity is the streamlining of resource acquisition and release, so that your
infrastructure can rapidly scale in and scale out as demand fluctuates.

Your VPC automatically comes with a modifiable default network ACL, which by default
_____.

Your VPC automatically comes with a modifiable default network ACL. By default, it allows all
inbound and outbound traffic.

Which of the following services is used to monitor the Amazon Web Services resources?

AWS CloudWatch is a service used to monitor the AWS resources and the applications running
on EC2. It collects and tracks the metrics of various services or applications.

In IAM, can you attach more than one inline policy to a particular entity such as a user, role,
or group?

In AWS IAM, you can add as many inline policies as you want to a user, role, or group, but the
total aggregate policy size (the sum size of all inline policies) per entity cannot exceed the
following limits:

- User policy size cannot exceed 2,048 characters.

- Role policy size cannot exceed 10,240 characters.

- Group policy size cannot exceed 5,120 characters.

You have been setting up an Amazon Virtual Private Cloud (Amazon VPC) for your
company, including setting up subnets. Security is a concern, and you are not sure which
is the best security practice for securing subnets in your VPC. Which statement below is
correct in describing the protection of AWS resources in each subnet?

A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet
that you select. Use a public subnet for resources that must be connected to the Internet, and a
private subnet for resources that won't be connected to the Internet.

To protect the AWS resources in each subnet, you can use multiple layers of security, including
security groups and network access control lists (ACL).

A user has created an application which will be hosted on EC2. The application makes
calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to
connect from the EC2 instance. Which of the below mentioned statements is true
with respect to the best practice for security in this scenario?

Consider an application that runs on an EC2 instance and makes requests to AWS services such
as DynamoDB or S3. AWS IAM best practice is that the user should not create an IAM user and
pass that user's credentials to the application, or embed those credentials inside the
application. Instead, the user should create an IAM role for EC2 and give that role access to
DynamoDB/S3. When the role is attached to the EC2 instance, it provides temporary security
credentials to the application hosted on that instance for connecting to DynamoDB/S3.

In Amazon CloudFront, if you have chosen On for Logging, the access logs are stored in:

In Amazon CloudFront, if you chose On for Logging, the logs are stored in the Amazon S3 bucket
that you specify as the destination for CloudFront access logs. For example:

myawslogbucket.s3.amazonaws.com

If you enable logging, CloudFront records information about each end-user request for an
object and stores the files in the specified Amazon S3 bucket.

You have been asked to design a layered security solution for protecting your
organization's network infrastructure. You research several options and decide to deploy
a network-level security control appliance, inline, where traffic is intercepted and
analyzed prior to being forwarded to its final destination, such as an application server.
Which of the following is NOT considered an inline threat protection technology?

Many organizations consider layered security to be a best practice for protecting network
infrastructure. In the cloud, you can use a combination of Amazon VPC, implicit firewall rules at
the hypervisor-layer, alongside network access control lists, security groups, host-based
firewalls, and IDS/IPS systems to create a layered solution for network security. While security
groups, NACLs and host-based firewalls meet the needs of many customers, if you're looking for
defense in-depth, you should deploy a network-level security control appliance, and you should
do so inline, where traffic is intercepted and analyzed prior to being forwarded to its final
destination, such as an application server.

Examples of inline threat protection technologies include the following:

- Third-party firewall devices installed on Amazon EC2 instances (also known as soft
blades)

- Unified threat management (UTM) gateways

- Intrusion prevention systems

- Data loss management gateways

- Anomaly detection gateways

- Advanced persistent threat detection gateways

You have set up an IAM policy for your users to access Elastic Load Balancers and you
know that an IAM policy is a JSON document that consists of one or more statements.
Which of the following elements is not a part of the statement in an IAM policy
document?

When you attach a policy to a user or group of users to control access to your load balancer, it
allows or denies the users permission to perform the specified tasks on the specified resources.
An IAM policy is a JSON document that consists of one or more statements. Each statement is
structured as follows:

- Effect: The effect can be Allow or Deny. By default, IAM users don't have permission to use
resources and API actions, so all requests are denied. An explicit allow overrides the default.
An explicit deny overrides any allows.

- Action: The action is the specific API action for which you are granting or denying
permission.

- Resource: The resource that's affected by the action. With many Elastic Load Balancing API
actions, you can restrict the permissions granted or denied to a specific load balancer by
specifying its Amazon Resource Name (ARN) in this statement. Otherwise, you can use the *
wildcard to specify all of your load balancers.

- Condition: You can optionally use conditions to control when your policy is in effect.
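The evaluation order described above (default deny, explicit Allow overrides the default, explicit Deny overrides any Allow), as an added example that is not part of the original document: a constructed two-statement ELB policy and a simplified evaluator. The policy, the account ID and the load balancer ARNs are placeholders, and the evaluator ignores Condition elements and is a model of the stated rules, not the real IAM engine.

```python
import fnmatch
import json

# Constructed example policy (not from the original page). The first statement
# allows Describe* and DeleteLoadBalancer on all load balancers; the second
# explicitly denies deletion of one production load balancer. Account ID and
# ARN are placeholders, not real resources.
ELB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:Describe*",
                "elasticloadbalancing:DeleteLoadBalancer",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Deny",
            "Action": "elasticloadbalancing:DeleteLoadBalancer",
            "Resource": "arn:aws:elasticloadbalancing:us-east-1:111122223333:"
                        "loadbalancer/prod-web",
        },
    ],
}


def _as_list(value):
    """Action and Resource may be a single string or a list in a statement."""
    return value if isinstance(value, list) else [value]


def _matches(patterns, candidate):
    """Match a candidate against IAM-style patterns where '*' is a wildcard."""
    return any(fnmatch.fnmatchcase(candidate, p) for p in patterns)


def evaluate(policy, action, resource):
    """Simplified model (assumption) of the evaluation order on the page:
    start from Deny, an explicit Allow overrides the default, and an explicit
    Deny overrides any Allow. Condition elements are not evaluated here."""
    decision = "Deny"  # default: no matching statement means no permission
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt["Action"]), action):
            continue
        if not _matches(_as_list(stmt["Resource"]), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny wins regardless of other allows
        if stmt["Effect"] == "Allow":
            decision = "Allow"  # keep scanning in case a Deny follows
    return decision


if __name__ == "__main__":
    prod = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/prod-web"
    dev = "arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/dev-web"
    print(json.dumps(ELB_POLICY, indent=2))
    for act, res in [
        ("elasticloadbalancing:DescribeLoadBalancers", prod),
        ("elasticloadbalancing:DeleteLoadBalancer", prod),
        ("elasticloadbalancing:DeleteLoadBalancer", dev),
        ("elasticloadbalancing:CreateLoadBalancer", dev),
    ]:
        print(f"{act} on {res.rsplit('/', 1)[1]}: {evaluate(ELB_POLICY, act, res)}")
```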

An IAM group is regarded as a:

Within the IAM service, a group is regarded as a collection of users.

In IAM, a policy has to include the information about who (user) is allowed to access the
resource, known as the _____.

To specify resource-based permissions, you can attach a policy to the resource, such as an
Amazon SNS topic, an Amazon S3 bucket, or an Amazon Glacier vault. In that case, the policy
has to include information about who is allowed to access the resource, known as the principal.

(For user-based policies, the principal is the IAM user that the policy is attached to, or the user
who gets the policy from a group.)

You can configure Amazon CloudFront to deliver access logs per ________ to an Amazon S3
bucket of your choice.

If you use a custom origin, you will need to create an Amazon S3 bucket to store your log files
in. You can enable CloudFront to deliver access logs per distribution to an Amazon S3 bucket of
your choice.

In AWS Identity and Access Management, roles can be used by an external user
authenticated by an external identity provider (IdP) service that is compatible with _____.

In AWS Identity and Access Management, roles can be used by an external user authenticated
by an external identity provider (IdP) service that is compatible with SAML 2.0 (Security Assertion
Markup Language 2.0).

You are building a secure and highly available checkout service for a client's e-commerce
website. The client expects his/her private data, such as his/her purchase history and
his/her credit card information, to be managed on a secure infrastructure and application
stack. Can it be accomplished using AWS?

With Amazon Web Services, you can build a secure and highly available checkout service for
your e-commerce website that scales with your business. AWS customers expect their private
data, such as their purchase history and their credit card information, to be managed on a
secure infrastructure and application stack. AWS has achieved multiple security certifications
relevant to e-commerce business, including the Payment Cards Industry (PCI) Data Security
Standard (DSS).

To give a particular IAM entity a permission, you simply write a(n) _____ according to the
access policy language IAM uses, then attach the policy to the entity you want it to apply
to (a particular user or group in your AWS account).

To give a particular IAM entity a permission, you simply write a policy according to the access
policy language IAM uses, then attach the policy to the entity you want it to apply to (a
particular user or group in your AWS account).

AWS Cloud Hardware Security Modules (HSMs) are designed to _____.

A Hardware Security Module (HSM) is a hardware appliance that provides secure key storage
and cryptographic operations within a tamper-resistant hardware device. HSMs are designed to
securely store cryptographic key material and to use this key material without exposing it
outside the cryptographic boundary of the appliance.

Amazon Cognito supports web identity federation through _____.

Amazon Cognito supports developer authenticated identities, in addition to web identity
federation through Facebook, Google, and Amazon.

Which of the below mentioned options is not a best practice to securely manage the AWS
access credentials?

It is a recommended approach to avoid using the access key and secret access key of the root
account: do not download them, or delete them. Instead, make an IAM user as powerful as the
root account and use its credentials. Users cannot generate their own access and secret access
keys; these are always generated by AWS.
