NEW QUESTION 1
An organization (Account ID 123412341234. has attached the below mentioned IAM policy to a user. What does this policy statement entitle the user to perform?
"Statement": [
{
"Sid": "AllowUsersAllActionsForCredentials", "Effect": "Allow",
"Action": [
"iam:*AccessKey*",
],
"Resource": ["arn:aws:iam:: 123412341234:user/${aws:username}"]
}
]

• A. The policy allows the IAM user to modify all IAM user??s credentials using the console, SDK, CLI or APIs
• B. The policy will give an invalid resource error
• C. The policy allows the IAM user to modify all credentials using only the console
• D. The policy allows the user to modify all IAM user??s password, sign in certificates and access keys using only CLI, SDK or APIs

Answer: D

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the organization (Account ID 123412341234. wants some of their users to manage keys (access and secret access keys. of all IAM users, the organization should set the below mentioned policy which entitles the IAM user to modify keys of all IAM users with CLI, SDK or API.
"Statement": [
{
"Sid": "AllowUsersAllActionsForCredentials", "Effect": "Allow",
"Action": [ "iam:*AccessKey*",
],
"Resource": ["arn:aws:iam:: 123412341234:user/${aws:username}"]
}
]

NEW QUESTION 2
An organization has added 3 of his AWS accounts to consolidated billing. One of the AWS accounts has purchased a Reserved Instance (RI. of a small instance size in the US-East-1a zone. All other AWS accounts are running instances of a small size in the same zone. What will happen in this case for the RI pricing?

• A. Only the account that has purchased the RI will get the advantage of RI pricing
• B. One instance of a small size and running in the US-East-1a zone of each AWS account will get the benefit of RI pricing
• C. Any single instance from all the three accounts can get the benefit of AWS RI pricing if they are running in the same zone and are of the same size
• D. If there are more than one instances of a small size running across multiple accounts in the same zone no one will get the benefit of RI

Answer: C

Explanation:
AWS consolidated billing enables the organization to consolidate payments for multiple Amazon Web Services (AWS. accounts within a single organization by making a single paying account. For billing purposes, consolidated billing treats all the accounts on the consolidated bill as one account. This means that all accounts on a consolidated bill can receive the hourly cost benefit of the Amazon EC2 Reserved Instances purchased by any other account. In this case only one Reserved Instance has been purchased by one account. Thus, only a single instance from any of the accounts will get the advantage of RI. AWS will implement the blended rate for each instance if more than one instance is running concurrently.

NEW QUESTION 3
Your mission is to create a lights-out datacenter environment, and you plan to use AWS OpsWorks to accomplish this. First you created a stack and added an App Server layer with an instance running in it. Next you added an application to the instance, and now you need to deploy a MySQL RDS database instance.
Which of the following answers accurately describe how to add a backend database server to an OpsWorks stack? Choose 3 answers

• A. Add a new database layer and then add recipes to the deploy actions of the database and App Server layers.
• B. Use OpsWorks' "Clone Stack" feature to create a second RDS stack in another Availability Zone for redundancy in the event of a failure in the Primary A
• C. To switch to the secondary RDS instance, set the [:database] attributes to values that are appropriate for your server which you can do by using custom JSON.
• D. The variables that characterize the RDS database connection?Xhost, user, and so on?Xare set using the corresponding values from the deploy JSON's [:deploy][:app_name][:database] attributes.
• E. Cookbook attributes are stored in a repository, so OpsWorks requires that the "password": "your_password" attribute for the RDS instance must be encrypted using at least a 256-bit key.
• F. Set up the connection between the app server and the RDS layer by using a custom recip
• G. The recipe configures the app server as required, typically by creating a configuration fil
• H. The recipe gets the connection data such as the host and database name from a set of attributes in the stack configuration and deployment JSON that AWS OpsWorks installs on every instance.

Answer: BCE

NEW QUESTION 4
A user has launched an EC2 instance from an instance store backed AMI. The user has attached an additional instance store volume to the instance. The user wants to create an AMI from the running instance. Will the AMI have the additional instance store volume data?

• A. Yes, the block device mapping will have information about the additional instance store volume
• B. No, since the instance store backed AMI can have only the root volume bundled
• C. It is not possible to attach an additional instance store volume to the existing instance store backed AMI instance
• D. No, since this is ephermal storage it will not be a part of the AMI

Answer: A

Explanation:
When the user has launched an EC2 instance from an instance store backed AMI and added an instance store volume to the instance in addition to the root device volume, the block device mapping for the new AMI contains the information for these volumes as well. In addition, the block device mappings for the instances those are launched from the new AMI will automatically contain information for these volumes.

NEW QUESTION 5
A user has setup a CloudWatch alarm on an EC2 action when the CPU utilization is above 75%. The alarm sends a notification to SNS on the alarm state. If the user wants to simulate the alarm action how can he achieve this?

• A. Run activities on the CPU such that its utilization reaches above 75%
• B. From the AWS console change the state to ??Alarm??
• C. The user can set the alarm state to ??Alarm?? using CLI
• D. Run the SNS action manually

Answer: C

Explanation:
Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods.The user can test an alarm by setting it to any state using the SetAlarmState API (mon-set-alarm-state command.. This temporary state change lasts only until the next alarm comparison occurs. http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/AlarmThatSendsEmail.ht ml

NEW QUESTION 6
An organization has setup Auto Scaling with ELB. Due to some manual error, one of the instances got rebooted. Thus, it failed the Auto Scaling health check. Auto Scaling has marked it for replacement. How can the system admin ensure that the instance does not get terminated?

• A. Update the Auto Scaling group to ignore the instance reboot event
• B. It is not possible to change the status once it is marked for replacement
• C. Manually add that instance to the Auto Scaling group after reboot to avoid replacement
• D. Change the health of the instance to healthy using the Auto Scaling commands

Answer: D

Explanation:
After an instance has been marked unhealthy by Auto Scaling, as a result of an Amazon EC2 or ELB health check, it is almost immediately scheduled for replacement as it will never automatically recover its health. If the user knows that the instance is healthy then he can manually call the SetInstanceHealth action (or the as-setinstance- health command from CLI. to set the instance's health status back to healthy. Auto Scaling will throw an error if the instance is already terminating or else it will mark it healthy.

NEW QUESTION 7
A user has a refrigerator plant. The user is measuring the temperature of the plant every 15 minutes. If the user wants to send the data to CloudWatch to view the data visually, which of the below mentioned statements is true with respect to the information given above?

• A. The user needs to use AWS CLI or API to upload the data
• B. The user can use the AWS Import Export facility to import data to CloudWatch
• C. The user will upload data from the AWS console
• D. The user cannot upload data to CloudWatch since it is not an AWS service metric

Answer: A

Explanation:
AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. While sending the data the user has to include the metric name, namespace and timezone as part of the request.

NEW QUESTION 8
A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is not true in this scenario?

• A. The VPC will create a routing instance and attach it with a public subnet
• B. The VPC will create two subnets
• C. The VPC will create one internet gateway and attach it to VPC
• D. The VPC will launch one NAT instance with an elastic IP

Answer: A

Explanation:
A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create a NAT instance with an elastic IP. Wizard will also create two subnets with route tables. It will also create an internet gateway and attach it to the VPC.

NEW QUESTION 9
A user is having data generated randomly based on a certain event. The user wants to upload that data to CloudWatch. It may happen that event may not have data generated for some period due to andomness. Which of the below mentioned options is a recommended option for this case?

• A. For the period when there is no data, the user should not send the data at all
• B. For the period when there is no data the user should send a blank value
• C. For the period when there is no data the user should send the value as 0
• D. The user must upload the data to CloudWatch as having no data for some period will cause an errorat CloudWatch monitoring

Answer: C

Explanation:
AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. When the user data is more random and not generated at regular intervals, there can be a period which has no associated data. The user can either publish the zero (0. Value for that period or not publish the data at all. It is recommended that the user should publish zero instead of no value to monitor the health of the application. This is helpful in an alarm as well as in the generation of the sample data count.

NEW QUESTION 10
A user is trying to create an EBS volume with the highest PIOPS supported by EBS. What is the minimum size of EBS required to have the maximum IOPS?

• A. 124
• B. 150
• C. 134
• D. 128

Answer: C

Explanation:
A provisioned IOPS EBS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume. The ratio of IOPS provisioned to the volume size requested should be a maximum of 30.

NEW QUESTION 11
A user is trying to aggregate all the CloudWatch metric data of the last 1 week. Which of the below mentioned statistics is not available for the user as a part of data aggregation?

• A. Aggregate
• B. Sum
• C. Sample data
• D. Average

Answer: A

Explanation:
Amazon CloudWatch is basically a metrics repository. Either the user can send the custom data or an AWS product can put metrics into the repository, and the user can retrieve the statistics based on those metrics. The statistics are metric data aggregations over specified periods of time. Aggregations are made using the namespace, metric name, dimensions, and the data point unit of measure, within the time period that is specified by the user. CloudWatch supports Sum, Min, Max, Sample Data and Average statistics aggregation.

NEW QUESTION 12
When preparing for a compliance assessment of your system built inside of AWS. what are three best-practices for you to prepare for an audit?
Choose 3 answers

• A. Gather evidence of your IT operational controls
• B. Request and obtain applicable third-party audited AWS compliance reports and certifications
• C. Request and obtain a compliance and security tour of an AWS data center for a pre-assessment security review
• D. Request and obtain approval from AWS to perform relevant network scans and in-depth penetration tests of your system's Instances and endpoints
• E. Schedule meetings with AWS's third-party auditors to provide evidence of AWS compliance that maps to your control objectives

Answer: ABD

NEW QUESTION 13
A user had aggregated the CloudWatch metric data on the AMI ID. The user observed some abnormal behaviour of the CPU utilization metric while viewing the last 2 weeks of data. The user wants to share that data with his manager. How can the user achieve this easily with the AWS console?

• A. The user can use the copy URL functionality of CloudWatch to share the exact details
• B. The user can use the export data option from the CloudWatch console to export the current data point
• C. The user has to find the period and data and provide all the aggregation information to the manager
• D. The user can use the CloudWatch data copy functionality to copy the current data points

Answer: A

Explanation:
Amazon CloudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier for the user to analyse. The console provides the option to save the URL or bookmark it so that it can be used in the future by typing the same URL. The Copy URL functionality is available under the console when the user selects any metric to view.

NEW QUESTION 14
You have been asked to automate many routine systems administrator backup and recovery activities. Your current plan is to leverage AWS-managed solutions as much as possible and automate the rest with the AWS CLI and scripts.
Which task would be best accomplished with a script?

• A. Creating daily EBS snapshots with a monthly rotation of snapshots
• B. Creating daily RDS snapshots with a monthly rotation of snapshots
• C. Automatically detect and stop unused or underutilized EC2 instances
• D. Automatically add Auto Scaled EC2 instances to an Amazon Elastic Load Balancer

Answer: A

NEW QUESTION 15
A user has created a VPC with the public and private subnets using the VPC wizard. The VPC has CIDR 20.0.0.0/16. The public subnet uses CIDR 20.0.1.0/24. The user is planning to host a web server in the public subnet (port 80. and a DB server in the private subnet (port 3306.. The user is configuring a security group for the public subnet (WebSecGrp. and the private subnet (DBSecGrp.. Which of the below mentioned entries is required in the web server security group (WebSecGrp.?

• A. Configure Destination as DB Security group ID (DbSecGr
• B. for port 3306 Outbound
• C. 80 for Destination 0.0.0.0/0 Outbound
• D. Configure port 3306 for source 20.0.0.0/24 InBound
• E. Configure port 80 InBound for source 20.0.0.0/16

Answer: A

Explanation:
A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet to host the web server and DB server respectively, the user should configure that the instances in the public subnet can receive inbound traffic directly from the internet. Thus, the user should configure port 80 with source 0.0.0.0/0 in InBound. The user should configure that the instance in the public subnet can send traffic to the private subnet instances on the DB port. Thus, the user should configure the DB security group of the private subnet (DbSecGrp. as the destination for port 3306 in Outbound.

NEW QUESTION 16
A user has launched multiple EC2 instances for the purpose of development and testing in the same region. The user wants to find the separate cost for the production and development instances. How can the user find the cost distribution?

• A. The user should download the activity report of the EC2 services as it has the instance ID wise data
• B. It is not possible to get the AWS cost usage data of single region instances separately
• C. The user should use Cost Distribution Metadata and AWS detailed billing
• D. The user should use Cost Allocation Tags and AWS billing reports

Answer: D

Explanation:
AWS provides cost allocation tags to categorize and track the AWS costs. When the user applies tags to his AWS resources (such as Amazon EC2 instances or Amazon S3 buckets., AWS generates a cost allocation report as a comma-separated value (CSV file. with the usage and costs aggregated by those tags. The user can apply tags which represent business categories (such as cost centres, application names, or instance type ?V Production/Dev. to organize usage costs across multiple services.

NEW QUESTION 17
A user is checking the CloudWatch metrics from the AWS console. The user notices that the CloudWatch data is coming in UTC. The user wants to convert the data to a local time zone. How can the user perform this?

• A. In the CloudWatch dashboard the user should set the local timezone so that CloudWatch shows the data only in the local time zone
• B. In the CloudWatch console select the local timezone under the Time Range tab to view the data as per the local timezone
• C. The CloudWatch data is always in UTC; the user has to manually convert the data
• D. The user should have send the local timezone while uploading the data so that CloudWatch will show the data only in the local timezone

Answer: B

Explanation:
If the user is viewing the data inside the CloudWatch console, the console provides options to filter values
either using the relative period, such as days/hours or using the Absolute tab where the user can provide data with a specific date and time. The console also provides the option to search using the local timezone under the time range caption in the console because the time range tab allows the user to change the time zone.

NEW QUESTION 18
An application is generating a log file every 5 minutes. The log file is not critical but may be required only for verification in case of some major issue. The file should be accessible over the internet whenever required. Which of the below mentioned options is a best possible storage solution for it?

• A. AWS S3
• B. AWS Glacier
• C. AWS RDS
• D. AWS RRS

Answer: D

Explanation:
Amazon S3 stores objects according to their storage class. There are three major storage classes: Standard, Reduced Redundancy Storage and Glacier. Standard is for AWS S3 and provides very high durability. However, the costs are a little higher. Glacier is for archival and the files are not available over the internet. Reduced Redundancy Storage is for less critical files. Reduced Redundancy is little cheaper as it provides less durability in comparison to S3. In this case since the log files are not mission critical files, RRS will be a better option.

NEW QUESTION 19
George has launched three EC2 instances inside the US-East-1a zone with his AWS account. Ray has launched two EC2 instances in the US-East-1a zone with his AWS account. Which of the below entioned statements will help George and Ray understand the availability zone (AZ. concept better?

• A. The instances of George and Ray will be running in the same data centre
• B. All the instances of George and Ray can communicate over a private IP with a minimal cost
• C. All the instances of George and Ray can communicate over a private IP without any cost
• D. The US-East-1a region of George and Ray can be different availability zones

Answer: D

Explanation:
Each AWS region has multiple, isolated locations known as Availability Zones. To ensure that the AWS resources are distributed across the Availability Zones for a region, AWS independently maps the Availability Zones to identifiers for each account. In this case the Availability Zone US-East-1a where George??s EC2 instances are running might not be the same location as the US-East-1a zone of Ray??s EC2 instances. There is no way for the user to coordinate the Availability Zones between accounts.

NEW QUESTION 20
How can an EBS volume that is currently attached to an EC2 instance be migrated from one Availability Zone to another?

• A. Simply create a new volume in the other AZ and specify the original volume as the source.
• B. Detach the volume, then use the ec2-migrate-volume command to move it to another AZ.
• C. Create a snapshot of the volume, and create a new volume from the snapshot in the other AZ.
• D. Detach the volume and attach it to another EC2 instance in the other AZ.

Answer: C

Explanation:
Snapshots can be used to create multiple new EBS volumes, expand the size of a volume, or move volumes across Availability Zones.
See: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html

NEW QUESTION 21
A sysadmin has created the below mentioned policy on an S3 bucket named cloudacademy. What does this policy define?
"Statement": [{
"Sid": "Stmt1388811069831",
"Effect": "Allow", "Principal": { "AWS": "*"},
"Action": [ "s3:GetObjectAcl", "s3:ListBucket"], "Resource": [ "arn:aws:s3:::cloudacademy]
}]

• A. It will make the cloudacademy bucket as well as all its objects as public
• B. It will allow everyone to view the ACL of the bucket
• C. It will give an error as no object is defined as part of the policy while the action defines the rule aboutthe object
• D. It will make the cloudacademy bucket as public

Answer: D

Explanation:
A sysadmin can grant permission to the S3 objects or the buckets to any user or make objects public using the bucket policy and user policy. Both use the JSON-based access policy language. Generally if the user is defining the ACL on the bucket, the objects in the bucket do not inherit it and vice a versa. The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket. In the sample policy the action says ??S3:ListBucket?? for effect Allow on Resource arn:aws:s3:::cloudacademy. This will make the cloudacademy bucket public.
"Statement": [{
"Sid": "Stmt1388811069831",
"Effect": "Allow", "Principal": { "AWS": "*" },
"Action": [ "s3:GetObjectAcl", "s3:ListBucket"], "Resource": [ "arn:aws:s3:::cloudacademy]
}]

NEW QUESTION 22
Which services allow the customer to retain full administrative privileges of the underlying EC2 instances?
Choose 2 answers

• A. Amazon Elastic Map Reduce
• B. Elastic Load Balancing
• C. AWS Elastic Beanstalk
• D. Amazon ElastiCache
• E. Amazon Relational Database service

Answer: AC

Explanation:
The below services provide Root level access:
* EC2
* Elastic Beanstalk
* Elastic MapReduce ?V Master Node
* Opswork

NEW QUESTION 23
A user has configured ELB with SSL using a security policy for secure negotiation between the client and load balancer. Which of the below mentioned security policies is supported by ELB?

• A. Dynamic Security Policy
• B. All the other options
• C. Predefined Security Policy
• D. Default Security Policy

Answer: C

Explanation:
Elastic Load Balancing uses a Secure Socket Layer (SSL. negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. ELB supports two policies:
Predefined Security Policy, which comes with predefined cipher and SSL protocols; Custom Security Policy, which allows the user to configure a policy.

NEW QUESTION 24
......