Amazon AWS-Solution-Architect-Associate Exam Questions and Answers 2021


NEW QUESTION 1
What happens to the I/O operations while you take a database snapshot?

  • A. I/O operations to the database are suspended for a few minutes while the backup is in progress.
  • B. I/O operations to the database are sent to a Replica (if available) for a few minutes while the backup is in progress.
  • C. I/O operations will be functioning normally.
  • D. I/O operations to the database are suspended for an hour while the backup is in progress.

Answer: A

NEW QUESTION 2
If you have chosen Multi-AZ deployment, in the event of a planned or unplanned outage of your primary DB Instance, Amazon RDS automatically switches to the standby replica. The automatic failover mechanism simply changes the ____ record of the main DB Instance to point to the standby DB Instance.

  • A. DNAME
  • B. CNAME
  • C. TXT
  • D. MX

Answer: B

NEW QUESTION 3
Which of the following statements is true of tagging an Amazon EC2 resource?

  • A. You don't need to specify the resource identifier while terminating a resource.
  • B. You can terminate, stop, or delete a resource based solely on its tags.
  • C. You can't terminate, stop, or delete a resource based solely on its tags.
  • D. You don't need to specify the resource identifier while stopping a resource.

Answer: C

Explanation: You can assign tags only to resources that already exist. You can't terminate, stop, or delete a resource based solely on its tags; you must specify the resource identifier.
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/Using_Tags.html

NEW QUESTION 4
When you use the AWS Management Console to delete an IAM user, IAM also deletes any signing certificates and any access keys belonging to the user.

  • A. FALSE
  • B. This is configurable
  • C. TRUE

Answer: C

NEW QUESTION 5
You are in the process of moving your friend's WordPress site onto AWS to try and save him some money, and you have told him that he should probably also move his domain name. He asks why he can't leave his domain name where it is and just have his infrastructure on AWS. What would be an incorrect response to his question?

  • A. Route 53 offers low query latency for your end users.
  • B. Route 53 is designed to automatically answer queries from the optimal location depending on network conditions.
  • C. The globally distributed nature of AWS's DNS servers helps ensure a consistent ability to route your end users to your application.
  • D. Route 53 supports Domain Name System Security Extensions (DNSSEC).

Answer: D

Explanation: Amazon Route 53 provides highly available and scalable Domain Name System (DNS), domain name registration, and health-checking web services.
Route 53 is built using AWS’s highly available and reliable infrastructure. The globally distributed nature of our DNS servers helps ensure a consistent ability to route your end users to your application by circumventing any internet or network related issues. Route 53 is designed to provide the level of dependability required by important applications. Using a global anycast network of DNS servers around the world, Route 53 is designed to automatically answer queries from the optimal location depending on network conditions. As a result, the service offers low query latency for your end users.
Amazon Route 53 does not support Domain Name System Security Extensions (DNSSEC) at this time.
Reference: https://aws.amazon.com/route53/faqs/

NEW QUESTION 6
In the Amazon RDS Oracle DB engine, the Database Diagnostic Pack and the Database Tuning Pack are only available with ____.

  • A. Oracle Standard Edition
  • B. Oracle Express Edition
  • C. Oracle Enterprise Edition
  • D. None of these

Answer: C

NEW QUESTION 7
Can we attach an EBS volume to more than one EC2 instance at the same time?

  • A. Yes.
  • B. No
  • C. Only EC2-optimized EBS volumes.
  • D. Only in read mode.

Answer: A

NEW QUESTION 8
A customer enquires about whether all his data is secure on AWS and is especially concerned about Elastic Map Reduce (EMR), so you need to inform him of some of the security features in place for AWS. Which of the below statements would be an incorrect response to your customer's enquiry?

  • A. Amazon EMR customers can choose to send data to Amazon S3 using the HTTPS protocol for secure transmission.
  • B. Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access.
  • C. Every packet sent in the AWS network uses Internet Protocol Security (IPsec).
  • D. Customers may encrypt the input data before they upload it to Amazon S3.

Answer: C

Explanation: Amazon S3 provides authentication mechanisms to ensure that stored data is secured against unauthorized access. Unless the customer who is uploading the data specifies otherwise, only that customer can access the data. Amazon EMR customers can also choose to send data to Amazon S3 using the HTTPS protocol for secure transmission. In addition, Amazon EMR always uses HTTPS to send data between Amazon S3 and Amazon EC2. For added security, customers may encrypt the input data before they upload it to Amazon S3 (using any common data compression tool); they then need to add a decryption step to the beginning of their cluster when Amazon EMR fetches the data from Amazon S3.
Reference: https://aws.amazon.com/elasticmapreduce/faqs/

NEW QUESTION 9
You have been asked to design the storage layer for an application. The application requires disk performance of at least 100,000 IOPS. In addition, the storage layer must be able to survive the loss of an individual disk, EC2 instance, or Availability Zone without any data loss. The volume you provide must have a capacity of at least 3 TB. Which of the following designs will meet these objectives?

  • A. Instantiate a c3.8xlarge instance in us-east-1. Provision 4x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 5 volume.
  • B. Ensure that EBS snapshots are performed every 15 minutes.
  • C. Instantiate a c3.8xlarge instance in us-east-1. Provision 3x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 0 volume.
  • D. Ensure that EBS snapshots are performed every 15 minutes.
  • E. Instantiate an i2.8xlarge instance in us-east-1
  • F. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instance.
  • G. Provision 3x1TB EBS volumes, attach them to the instance, and configure them as a second RAID 0 volume.
  • H. Configure synchronous, block-level replication from the ephemeral-backed volume to the EBS-backed volume.
  • I. Instantiate a c3.8xlarge instance in us-east-1. Provision an AWS Storage Gateway and configure it for 3 TB of storage and 100,000 IOPS.
  • J. Attach the volume to the instance.
  • K. Instantiate an i2.8xlarge instance in us-east-1
  • L. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instance.
  • M. Configure synchronous, block-level replication to an identically configured instance in us-east-1

Answer: C

NEW QUESTION 10
After an Amazon VPC instance is launched, can I change the VPC security groups it belongs to?

  • A. No.
  • B. You cannot.
  • C. Yes.
  • D. You can.
  • E. Only if you are the root user
  • F. Only if the tag "VPC_Change_Group" is true

Answer: C

NEW QUESTION 11
You are setting up a VPC and you need to set up a public subnet within that VPC. Which of the following requirements must be met for this subnet to be considered a public subnet?

  • A. Subnet's traffic is not routed to an internet gateway but has its traffic routed to a virtual private gateway.
  • B. Subnet's traffic is routed to an internet gateway.
  • C. Subnet's traffic is not routed to an internet gateway.
  • D. None of these answers can be considered a public subnet.

Answer: B

Explanation: A virtual private cloud (VPC) is a virtual network dedicated to your AWS account. It is logically isolated from other virtual networks in the AWS cloud. You can launch your AWS resources, such as Amazon EC2 instances, into your VPC. You can configure your VPC: you can select its IP address range, create subnets, and configure route tables, network gateways, and security settings.
A subnet is a range of IP addresses in your VPC. You can launch AWS resources into a subnet that you select. Use a public subnet for resources that must be connected to the internet, and a private subnet for resources that won't be connected to the Internet.
If a subnet's traffic is routed to an internet gateway, the subnet is known as a public subnet.
If a subnet doesn't have a route to the internet gateway, the subnet is known as a private subnet.
If a subnet doesn't have a route to the internet gateway, but has its traffic routed to a virtual private gateway, the subnet is known as a VPN-only subnet.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Subnets.html

NEW QUESTION 12
A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?

  • A. SAML-based Identity Federation
  • B. Cross-Account Access
  • C. AWS Identity and Access Management roles
  • D. Web Identity Federation

Answer: D

NEW QUESTION 13
What does the following command do with respect to the Amazon EC2 security groups? ec2-create-group CreateSecurityGroup

  • A. Groups the user created security groups into a new group for easy access.
  • B. Creates a new security group for use with your account.
  • C. Creates a new group inside the security group.
  • D. Creates a new rule inside the security group.

Answer: B

NEW QUESTION 14
Select a true statement about Amazon EC2 Security Groups (EC2-Classic).

  • A. After you launch an instance in EC2-Classic, you can't change its security groups.
  • B. After you launch an instance in EC2-Classic, you can change its security groups only once.
  • C. After you launch an instance in EC2-Classic, you can only add rules to a security group.
  • D. After you launch an instance in EC2-Classic, you cannot add or remove rules from a security group.

Answer: A

Explanation: After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html

NEW QUESTION 15
A US-based company is expanding their web presence into Europe. The company wants to extend their AWS infrastructure from Northern Virginia (us-east-1) into the Dublin (eu-west-1) region. Which of the following options would enable an equivalent experience for users on both continents?

  • A. Use a public-facing load balancer per region to load-balance web traffic, and enable HTTP health checks.
  • B. Use a public-facing load balancer per region to load-balance web traffic, and enable sticky sessions.
  • C. Use Amazon Route 53, and apply a geolocation routing policy to distribute traffic across both regions.
  • D. Use Amazon Route 53, and apply a weighted routing policy to distribute traffic across both regions.

Answer: D

Reference: http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

NEW QUESTION 16
Any person or application that interacts with AWS requires security credentials. AWS uses these credentials to identify who is making the call and whether to allow the requested access. You have just set up a VPC network for a client and you are now thinking about the best way to secure this network. You set up a security group called vpcsecuritygroup. Which of the following statements is true with respect to the initial settings that will be applied to this security group if you choose to use the default settings for this group?

  • A. Allow all inbound traffic and allow no outbound traffic.
  • B. Allow no inbound traffic and allow all outbound traffic.
  • C. Allow inbound traffic on port 80 only and allow all outbound traffic.
  • D. Allow all inbound traffic and allow all outbound traffic.

Answer: B

Explanation: Amazon VPC provides advanced security features such as security groups and network access control lists to enable inbound and outbound filtering at the instance level and subnet level.
AWS assigns each security group a unique ID in the form sg-xxxxxxxx. The following are the initial settings for a security group that you create:
  • Allow no inbound traffic
  • Allow all outbound traffic
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

NEW QUESTION 17
After a major security breach, your manager has requested a report of all users and their credentials in AWS. You discover that in IAM you can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, MFA devices, and signing certificates. Which of the following statements is incorrect with regard to the use of credential reports?

  • A. Credential reports are downloaded XML files.
  • B. You can get a credential report using the AWS Management Console, the AWS CLI, or the IAM API.
  • C. You can use the report to audit the effects of credential lifecycle requirements, such as password rotation.
  • D. You can generate a credential report as often as once every four hours.

Answer: A

Explanation: To access your AWS account resources, users must have credentials.
You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, MFA devices, and signing certificates. You can get a credential report using the AWS Management Console, the AWS CLI, or the IAM API.
You can use credential reports to assist in your auditing and compliance efforts. You can use the report to audit the effects of credential lifecycle requirements, such as password rotation. You can provide the report to an external auditor, or grant permissions to an auditor so that he or she can download the report directly.
You can generate a credential report as often as once every four hours. When you request a report, IAM first checks whether a report for the account has been generated within the past four hours. If so, the most recent report is downloaded. If the most recent report for the account is more than four hours old, or if there are no previous reports for the account, IAM generates and downloads a new report.
Credential reports are downloaded as comma-separated values (CSV) files.
You can open CSV files with common spreadsheet software to perform analysis, or you can build an application that consumes the CSV files programmatically and performs custom analysis.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/credential-reports.html

NEW QUESTION 18
Your manager has come to you saying that he is very confused about the bills he is receiving from AWS, as he is getting different bills for every user, and needs you to look into making it more understandable. Which of the following would be the best solution to meet his request?

  • A. AWS Billing Aggregation
  • B. Consolidated Billing
  • C. Deferred Billing
  • D. Aggregated Billing

Answer: B

Explanation: Consolidated Billing enables you to consolidate payment for multiple AWS accounts within your company by designating a single paying account. Consolidated Billing enables you to see a combined view of AWS costs incurred by all accounts, as well as obtain a detailed cost report for each of the individual AWS accounts associated with your "Paying Account". Consolidated Billing is offered at no additional charge.
Reference: https://aws.amazon.com/billing/faqs/

NEW QUESTION 19
You're running an application on-premises due to its dependency on non-x86 hardware and want to use AWS for data backup. Your backup application is only able to write to POSIX-compatible block-based storage. You have 140TB of data and would like to mount it as a single folder on your file server. Users must be able to access portions of this data while the backups are taking place. What backup solution would be most appropriate for this use case?

  • A. Use Storage Gateway and configure it to use Gateway Cached volumes.
  • B. Configure your backup software to use S3 as the target for your data backups.
  • C. Configure your backup software to use Glacier as the target for your data backups.
  • D. Use Storage Gateway and configure it to use Gateway Stored volumes.

Answer: A

Explanation: Gateway-Cached Volume Architecture
Gateway-cached volumes let you use Amazon Simple Storage Service (Amazon S3) as your primary data storage while retaining frequently accessed data locally in your storage gateway. Gateway-cached volumes minimize the need to scale your on-premises storage infrastructure, while still providing your applications with low-latency access to their frequently accessed data. You can create storage volumes up to 32 TiB in size and attach to them as iSCSI devices from your on-premises application servers. Your gateway stores data that you write to these volumes in Amazon S3 and retains recently read data in your on-premises storage gateway's cache and upload buffer storage.
Gateway-cached volumes can range from 1 GiB to 32 TiB in size and must be rounded to the nearest GiB. Each gateway configured for gateway-cached volumes can support up to 32 volumes for a total maximum storage volume of 1,024 TiB (1 PiB).
In the gateway-cached volume solution, AWS Storage Gateway stores all your on-premises application data in a storage volume in Amazon S3.
The following diagram provides an overview of the AWS Storage Gateway-cached volume deployment.
After you've installed the AWS Storage Gateway software appliance (the virtual machine, or VM) on a host in your data center and activated it, you can use the AWS Management Console to provision storage volumes backed by Amazon S3. You can also provision storage volumes programmatically using the AWS Storage Gateway API or the AWS SDK libraries. You then mount these storage volumes to your on-premises application servers as iSCSI devices.
You also allocate disks on-premises for the VM. These on-premises disks serve the following purposes:
Disks for use by the gateway as cache storage - As your applications write data to the storage volumes in AWS, the gateway initially stores the data on the on-premises disks referred to as cache storage before uploading the data to Amazon S3. The cache storage acts as the on-premises durable store for data that is waiting to upload to Amazon S3 from the upload buffer.
The cache storage also lets the gateway store your application's recently accessed data on-premises for low-latency access. If your application requests data, the gateway first checks the cache storage for the data before checking Amazon S3.
You can use the following guidelines to determine the amount of disk space to allocate for cache storage. Generally, you should allocate at least 20 percent of your existing file store size as cache storage. Cache storage should also be larger than the upload buffer. This latter guideline helps ensure cache storage is large enough to persistently hold all data in the upload buffer that has not yet been uploaded to Amazon S3.
Disks for use by the gateway as the upload buffer - To prepare for upload to Amazon S3, your gateway also stores incoming data in a staging area, referred to as an upload buffer. Your gateway uploads this buffer data over an encrypted Secure Sockets Layer (SSL) connection to AWS, where it is stored encrypted in Amazon S3.
You can take incremental backups, called snapshots, of your storage volumes in Amazon S3. These point-in-time snapshots are also stored in Amazon S3 as Amazon EBS snapshots. When you take a new snapshot, only the data that has changed since your last snapshot is stored. You can initiate snapshots on a scheduled or one-time basis. When you delete a snapshot, only the data not needed for any other snapshots is removed.
You can restore an Amazon EBS snapshot to a gateway storage volume if you need to recover a backup of your data. Alternatively, for snapshots up to 16 TiB in size, you can use the snapshot as a starting point for a new Amazon EBS volume. You can then attach this new Amazon EBS volume to an Amazon EC2 instance.
All gateway-cached volume data and snapshot data is stored in Amazon S3 encrypted at rest using server-side encryption (SSE). However, you cannot access this data with the Amazon S3 API or other tools such as the Amazon S3 console.
