NEW QUESTION 1
A user has created an ELB with three instances. How many security groups will ELB create by default?

• A. 3
• B. 5
• C. 2
• D. 1

Answer: C

Explanation:
Elastic Load Balancing provides a special Amazon EC2 source security group that the user can use to ensure that back-end EC2 instances receive traffic only from Elastic Load Balancing. This feature needs two security groups: the source security group and a security group that defines the ingress rules for the back-end instances. To ensure that traffic only flows between the load balancer and the back-end instances, the user can add or modify a rule to the back-end security group which can limit the ingress traffic. Thus, it can come only from the source security group provided by Elastic Load Balancing.

NEW QUESTION 2
A user has created an S3 bucket which is not publicly accessible. The bucket is having thirty objects which are also private. If the user wants to make the objects public, how can he configure this with minimal efforts?

• A. The user should select all objects from the console and apply a single policy to mark them public
• B. The user can write a program which programmatically makes all objects public using S3 SDK
• C. Set the AWS bucket policy which marks all objects as public
• D. Make the bucket ACL as public so it will also mark all objects as public

Answer: C

Explanation:
A system admin can grant permission of the S3 objects or buckets to any user or make the objects public using the bucket policy and user policy. Both use the JSON-based access policy language.
Generally, if the user is defining the ACL on the bucket, the objects in the bucket do not inherit it and vice a versa. The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket.

NEW QUESTION 3
A Syslog Administrator is troubleshooting an Amazon EC2 server and discovers a bottleneck in reading and writing data to the attached Amazon EBS block storage volume. The instance is a larger and the EBS is io1 with 1,000 IOPS provisioned initially, the Administrator increase the provisioned IOPS to 2,000, but performance does not improve.
What should the Administrator do next?

• A. Change the instance type to a t2 large.
• B. Change the volume to gp2 and make it larger.
• C. Change the instance type to c4 xlarge.
• D. Change the volume to Amazon S3 and introduce random key prepending

Answer: D

NEW QUESTION 4
A user is configuring the Multi AZ feature of an RDS DB. The user came to know that this RDS DB does not use the AWS technology, but uses server mirroring to achieve H

• A. Which DB is the user using right now?
• B. My SQL
• C. Oracle
• D. MS SQL
• E. PostgreSQL

Answer: C

Explanation:
Amazon RDS provides high availability and failover support for DB instances using Multi AZ deployments. In a Multi AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. Multi AZ deployments for Oracle, PostgreSQL, and MySQL DB instances use Amazon technology, while SQL Server (MS SQL. DB instances use SQL Server Mirroring.

NEW QUESTION 5
You are creating an Auto Scaling group whose Instances need to insert a custom metric into CloudWatch.
Which method would be the best way to authenticate your CloudWatch PUT request?

• A. Create an IAM role with the Put MetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
• B. Create an IAM user with the Put MetricData permission and modify the Auto Scaling launch configuration to inject the users credentials into the instance User Data
• C. Modify the appropriate Cloud Watch metric policies to allow the Put MetricData permission to instances from the Auto Scaling group
• D. Create an IAM user with the Put MetricData permission and put the credentials in a private repository and have applications on the server pull the credentials as needed

Answer: A

NEW QUESTION 6
A user has configured ELB with two EBS backed instances. The user has stopped the instances for 1 week to save costs. The user restarts the instances after 1 week. Which of the below mentioned statements will help the user to understand the ELB and instance registration better?

• A. There is no way to register the stopped instances with ELB
• B. The user cannot stop the instances if they are registered with ELB
• C. If the instances have the same Elastic IP assigned after reboot they will be registered with ELB
• D. The instances will automatically get registered with ELB

Answer: C

Explanation:
Elastic Load Balancing registers the user??s load balancer with his EC2 instance using the associated IP address. When the instances are stopped and started back they will have a different IP address. Thus, they will not get registered with ELB unless the user manually registers them. If the instances are assigned the same Elastic IP after reboot they will automatically get registered with ELB.

NEW QUESTION 7
A user has configured an HTTPS listener on an ELB. The user has not configured any security policy which can help to negotiate SSL between the client and ELB. What will ELB do in this scenario?

• A. By default ELB will select the first version of the security policy
• B. By default ELB will select the latest version of the policy
• C. ELB creation will fail without a security policy
• D. It is not required to have a security policy since SSL is already installed

Answer: B

Explanation:
Elastic Load Balancing uses a Secure Socket Layer (SSL. negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. If
the user has created an HTTPS/SSL listener without associating any security policy, Elastic Load Balancing will, by default, associate the latest version of the ELBSecurityPolicy-YYYY-MM with the load balancer.

NEW QUESTION 8
An organization has setup multiple IAM users. The organization wants that each IAM user accesses the IAM console only within the organization and not from outside. How can it achieve this?

• A. Create an IAM policy with the security group and use that security group for AWS console login
• B. Create an IAM policy with a condition which denies access when the IP address range is not from the organization
• C. Configure the EC2 instance security group which allows traffic only from the organization??s IP range
• D. Create an IAM policy with VPC and allow a secure gateway between the organization and AWS Console

Answer: B

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. The user can add conditions as a part of the IAM policies. The condition can be set on AWS Tags, Time, and Client IP as well as on many other parameters. If the organization wants the user to access only from a specific IP range, they should set an IAM policy condition which denies access when the IP is not in a certain range. E.g. The sample policy given below denies all traffic when the IP is not in a certain range.
"Statement": [{
"Effect": "Deny",
"Action": "*",
"Resource": "*", "Condition": { "NotIpAddress": {
"aws:SourceIp": ["10.10.10.0/24", "20.20.30.0/24"]
}
}
}]

NEW QUESTION 9
What would happen to an RDS (Relational Database Service) multi-Availability Zone deployment if the primary DB instance fails?

• A. The IP of the primary DB Instance is switched to the standby DB Instance.
• B. A new DB instance is created in the standby availability zone.
• C. The canonical name record (CNAME) is changed from primary to standby.
• D. The RDS (Relational Database Service) DB instance reboots.

Answer: D

Explanation:
Reference:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RebootInstance.html

NEW QUESTION 10
A user is running a batch process on EBS backed EC2 instances. The batch process starts a few instances to process hadoop Map reduce jobs which can run between 50 ?V 600 minutes or sometimes for more time. The user wants to configure that the instance gets terminated only when the process is completed. How can the user configure this with CloudWatch?

• A. Setup the CloudWatch action to terminate the instance when the CPU utilization is less than 5%
• B. Setup the CloudWatch with Auto Scaling to terminate all the instances
• C. Setup a job which terminates all instances after 600 minutes
• D. It is not possible to terminate instances automatically

Answer: D

Explanation:
Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can setup an action which terminates the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either terminate or stop the instance as part of the EC2 action.

NEW QUESTION 11
When attached to an Amazon VPC which two components provide connectivity with external networks? Choose 2 answers

• A. Elastic IPS (EIP)
• B. NAT Gateway (NAT)
• C. Internet Gateway {IGW)
• D. Virtual Private Gateway (VGW)

Answer: CD

NEW QUESTION 12
You have established a virtual private cloud (VPC) peering relationship between VPC 1 and VPC 2. VPC 1 has routes to VPC 2, yet hosts in VPC 1 cannot connect to hosts in VPC 2. Which of the following is possible cause?

• A. Security groups to VPC2 are blocking the traffic
• B. The network access control list applied to VPC2 denies by default
• C. The subnet route table in VPC 2 does not have routes to VPC 1
• D. The VPCs have not been attached to virtual private gateway

Answer: B

NEW QUESTION 13
A user is using the AWS EC2. The user wants to make so that when there is an issue in the EC2 server, such as instance status failed, it should start a new instance in the user??s private cloud. Which AWS service helps to achieve this automation?

• A. AWS CloudWatch + Cloudformation
• B. AWS CloudWatch + AWS AutoScaling + AWS ELB
• C. AWS CloudWatch + AWS VPC
• D. AWS CloudWatch + AWS SNS

Answer: D

Explanation:
Amazon SNS can deliver notifications by SMS text message or email to the Amazon Simple Queue Service (SQS. queues or to any HTTP endpoint. The user can configure a web service (HTTP End point. in his data centre which receives data and launches an instance in the private cloud. The user should configure the CloudWatch alarm to send a notification to SNS when the ??StatusCheckFailed?? metric is true for the EC2 instance. The SNS topic can be configured to send a notification to the user??s HTTP end point which launches an instance in the private cloud.

NEW QUESTION 14
When assessing an organization s use of AWS API access credentials which of the following three credentials should be evaluated? Choose 3 answers

• A. Key pairs
• B. Console passwords
• C. Access keys
• D. Signing certificates
• E. Security Group memberships

Answer: ACD

Explanation:
Reference:
http://media.amazonwebservices.com/AWS_Operational_Checklists.pdf

NEW QUESTION 15
A user is trying to launch an EBS backed EC2 instance under free usage. The user wants to achieve encryption of the EBS volume. How can the user encrypt the data at rest?

• A. Use AWS EBS encryption to encrypt the data at rest
• B. The user cannot use EBS encryption and has to encrypt the data manually or using a third party tool
• C. The user has to select the encryption enabled flag while launching the EC2 instance
• D. Encryption of volume is not available as a part of the free usage tier

Answer: B

Explanation:
AWS EBS supports encryption of the volume while creating new volumes. It supports encryption of the data at rest, the I/O as well as all the snapshots of the EBS volume. The EBS supports encryption for the selected instance type and the newer generation instances, such as m3, c3, cr1, r3, g2. It is not supported with a micro instance.

NEW QUESTION 16
You have a server with a 5O0GB Amazon EBS data volume. The volume is 80% full. You need to back up the volume at regular intervals and be able to re-create the volume in a new Availability Zone in the shortest time possible. All applications using the volume can be paused for a period of a few minutes with no discernible user impact.
Which of the following backup methods will best fulfill your requirements?

• A. Take periodic snapshots of the EBS volume
• B. Use a third party Incremental backup application to back up to Amazon Glacier
• C. Periodically back up all data to a single compressed archive and archive to Amazon S3 using a parallelized multi-part upload
• D. Create another EBS volume in the second Availability Zone attach it to the Amazon EC2 instance, and use a disk manager to mirror me two disks

Answer: A

Explanation:
Since an EBS volume should be in the same AZ as the EC2 instance. You cannot connect a EBS volume in another AZ. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-restoring-volume.html EBS volumes can only be attached to EC2 instances within the same Availability Zone.

NEW QUESTION 17
A user is trying to understand the ACL and policy for an S3 bucket. Which of the below mentioned policy permissions is equivalent to the WRITE ACL on a bucket?

• A. s3:GetObjectAcl
• B. s3:GetObjectVersion
• C. s3:ListBucketVersions
• D. s3:DeleteObject

Answer: D

Explanation:
Amazon S3 provides a set of operations to work with the Amazon S3 resources. Each AWS S3 bucket can have an ACL (Access Control List. or bucket policy associated with it. The WRITE ACL list allows the other AWS accounts to write/modify to that bucket. The equivalent S3 bucket policy permission for it is
s3:DeleteObject.

NEW QUESTION 18
An organization has created 10 IAM users. The organization wants each of the IAM users to have access to a separate DyanmoDB table. All the users are added to the same group and the organization wants to setup a group level policy for this. How can the organization achieve this?

• A. Define the group policy and add a condition which allows the access based on the IAM name
• B. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
• C. Create a separate DynamoDB database for each user and configure a policy in the group based on the DB variable
• D. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables

Answer: D

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. AWS DynamoDB has only tables and the organization cannot makeseparate databases. The organization should create a table with the same name as the IAM user name and use the ARN of DynamoDB as part of the group policy. The sample policy is shown below:
{
"Version": "2012-10-17",
"Statement": [{
"Effect": "Allow",
"Action": ["dynamodb:*"],
"Resource": "arn:aws:dynamodb:region:account-number-without-hyphens:table/${aws:username}"
}
]
}

NEW QUESTION 19
A user has created a VPC with CIDR 20.0.0.0/16 using VPC Wizard. The user has created a public CIDR (20.0.0.0/24. and a VPN only subnet CIDR (20.0.1.0/24. along with the hardware VPN access to connect to the user??s data centre. Which of the below mentioned components is not present when the VPC is setup with the wizard?

• A. Main route table attached with a VPN only subnet
• B. A NAT instance configured to allow the VPN subnet instances to connect with the internet
• C. Custom route table attached with a public subnet
• D. An internet gateway for a public subnet

Answer: B

Explanation:
The user can create subnets as per the requirement within a VPC. If the user wants to connect VPC from his own data centre, he can setup a public and VPN only subnet which uses hardware VPN access to connect with his data centre. When the user has configured this setup with Wizard, it will update the main route table used with the VPN-only subnet, create a custom route table and associate it with the public subnet. It also creates an internet gateway for the public subnet. The wizard does not create a NAT instance by default. The user can create it manually and attach it with a VPN only subnet.

NEW QUESTION 20
When an EC2 instance that is backed by an S3-based AMI Is terminated, what happens to the data on me root volume?

• A. Data is automatically saved as an EBS volume.
• B. Data is automatically saved as an ESS snapshot.
• C. Data is automatically deleted.
• D. Data is unavailable until the instance is restarted.

Answer: C

Explanation:
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ComponentsAMIs.html

NEW QUESTION 21
You receive a frantic call from a new DBA who accidentally dropped a table containing all your customers.
Which Amazon RDS feature will allow you to reliably restore your database to within 5 minutes of when the mistake was made?

• A. Multi-AZ RDS
• B. RDS snapshots
• C. RDS read replicas
• D. RDS automated backup

Answer: D

Explanation:
Reference:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.BackingUpAndRestoringAma zonRDSInstances.html

NEW QUESTION 22
You have a web-style application with a stateless but CPU and memory-intensive web tier running on
a cc2 8xlarge EC2 instance inside of a VPC The instance when under load is having problems returning requests within the SLA as defined by your business The application maintains its state in a DynamoDB table, but the data tier is properly provisioned and responses are consistently fast.
How can you best resolve the issue of the application responses not meeting your SLA?

• A. Add another cc2 8xlarge application instance, and put both behind an Elastic Load Balancer
• B. Move the cc2 8xlarge to the same Availability Zone as the DynamoDB table
• C. Cache the database responses in ElastiCache for more rapid access
• D. Move the database from DynamoDB to RDS MySQL in scale-out read-replica configuration

Answer: C

Explanation:
But it is possibly A as DynamoDB is automatically available across three facilities in an AWS Region. So moving in to a same AZ is not possible / necessary.
In this case the DB layer is not the issue, the EC2 8xlarge is the issue; so add another one with a ELB in-frond of it.
See also: https://aws.amazon.com/dynamodb/faqs/

NEW QUESTION 23
Exhibit:

Based on the information provided what is causing the lack of access to S3 from the instance?

• A. The instance profile does not have explicit permissions to write objects to the S3 bucket.
• B. The route table does not have a rule tor all traffic to pass through a NAT gateway.
• C. The route table does not have a rule for all traffic to pass through an internet gateway
• D. The security group does not allow all TCP and all UDP traffic.

Answer: C

Explanation:
In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you can open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Ensure that you place the DENY rules earlier in the table than the ALLOW rules that open the wide range of ephemeral ports.

NEW QUESTION 24
......