Renewal AWS-SysOps Discount Pack 2021


Free AWS-SysOps Demo Online For Amazon Certification:

NEW QUESTION 1

A user is checking the CloudWatch metrics from the AWS console. The user notices that the CloudWatch data is coming in UTC. The user wants to convert the data to a local time zone. How can the user perform this?

  • A. In the CloudWatch dashboard the user should set the local timezone so that CloudWatch shows the data only in the local time zone
  • B. In the CloudWatch console select the local timezone under the Time Range tab to view the data as per the local timezone
  • C. The CloudWatch data is always in UTC; the user has to manually convert the data
  • D. The user should have sent the local timezone while uploading the data so that CloudWatch will show the data only in the local timezone

Answer: B

Explanation:

If the user is viewing the data inside the CloudWatch console, the console provides options to filter values either using the relative period, such as days/hours or using the Absolute tab where the user can provide data with a specific date and time. The console also provides the option to search using the local timezone under the time range caption in the console because the time range tab allows the user to change the time zone.

NEW QUESTION 2

An organization has configured the custom metric upload with CloudWatch. The organization has given permission to its employees to upload data using the CLI as well as the SDK. How can the user track the calls made to CloudWatch?

  • A. The user can enable logging with CloudWatch which logs all the activities
  • B. Use CloudTrail to monitor the API calls
  • C. Create an IAM user and allow each user to log the data using the S3 bucket
  • D. Enable detailed monitoring with CloudWatch

Answer: B

Explanation:

AWS CloudTrail is a web service which will allow the user to monitor the calls made to the Amazon CloudWatch API for the organization’s account, including calls made by the AWS Management Console, Command Line Interface (CLI), and other services. When CloudTrail logging is turned on, CloudWatch will write log files into the Amazon S3 bucket, which is specified during the CloudTrail configuration.

NEW QUESTION 3

A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at rest. If the user is supplying his own keys for encryption (SSE-C), which of the below mentioned statements is true?

  • A. The user should use the same encryption key for all versions of the same object
  • B. It is possible to have different encryption keys for different versions of the same object
  • C. AWS S3 does not allow the user to upload his own keys for server side encryption
  • D. The SSE-C does not work when versioning is enabled

Answer: B

Explanation:

AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key (SSE-C). If the bucket is versioning-enabled, each object version uploaded by the user using the SSE-C feature can have its own encryption key. The user is responsible for tracking which encryption key was used for which object's version.

NEW QUESTION 4

A user is observing the EC2 CPU utilization metric on CloudWatch. The user has observed some interesting patterns while filtering over the 1 week period for a particular hour. The user wants to zoom that data point to a more granular period. How can the user do that easily with CloudWatch?

  • A. The user can zoom a particular period by selecting that period with the mouse and then releasing the mouse
  • B. The user can zoom a particular period by double clicking on that period with the mouse
  • C. The user can zoom a particular period by specifying the aggregation data for that period
  • D. The user can zoom a particular period by specifying the period in the Time Range

Answer: A

NEW QUESTION 5

A user is trying to connect to a running EC2 instance using SSH. However, the user gets an Unprotected Private Key File error. Which of the below mentioned options can be a possible reason for rejection?

  • A. The private key file has the wrong file permission
  • B. The ppk file used for SSH is read only
  • C. The public key file has the wrong permission
  • D. The user has provided the wrong user name for the OS login

Answer: A

Explanation:

While doing SSH to an EC2 instance, if you get an Unprotected Private Key File error it means that the private key file's permissions on your computer are too open. Ideally the private key should have the Unix permission of 0400. To fix that, run the command: chmod 0400 /path/to/private.key

NEW QUESTION 6

You are creating an Auto Scaling group whose Instances need to insert a custom metric into CloudWatch.
Which method would be the best way to authenticate your CloudWatch PUT request?

  • A. Create an IAM role with the PutMetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
  • B. Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the user's credentials into the instance User Data
  • C. Modify the appropriate CloudWatch metric policies to allow the PutMetricData permission to instances from the Auto Scaling group
  • D. Create an IAM user with the PutMetricData permission and put the credentials in a private repository and have applications on the server pull the credentials as needed

Answer: A

NEW QUESTION 7

A user is trying to launch an EBS backed EC2 instance under free usage. The user wants to achieve encryption of the EBS volume. How can the user encrypt the data at rest?

  • A. Use AWS EBS encryption to encrypt the data at rest
  • B. The user cannot use EBS encryption and has to encrypt the data manually or using a third party tool
  • C. The user has to select the encryption enabled flag while launching the EC2 instance
  • D. Encryption of volume is not available as a part of the free usage tier

Answer: B

Explanation:

AWS EBS supports encryption of the volume while creating new volumes. It supports encryption of the data at rest, the I/O as well as all the snapshots of the EBS volume. The EBS supports encryption for the selected instance type and the newer generation instances, such as m3, c3, cr1, r3, g2. It is not supported with a micro instance.

NEW QUESTION 8

A user runs the command “dd if=/dev/xvdf of=/dev/null bs=1M” on an EBS volume created from a snapshot and attached to a Linux instance. Which of the below mentioned activities is the user performing with the step given above?

  • A. Pre warming the EBS volume
  • B. Initiating the device to mount on the EBS volume
  • C. Formatting the volume
  • D. Copying the data from a snapshot to the device

Answer: A

Explanation:

When the user creates an EBS volume and is trying to access it for the first time it will encounter reduced IOPS due to wiping or initiating of the block storage. To avoid this as well as achieve the best performance it is required to pre warm the EBS volume. For a volume created from a snapshot and attached with a Linux OS, the “dd” command pre warms the existing data on EBS and any restored snapshots of volumes that have been previously fully pre warmed. This command maintains incremental snapshots; however, because this operation is read-only, it does not pre warm unused space that has never been written to on the original volume. In the command “dd if=/dev/xvdf of=/dev/null bs=1M”, the parameter “if=input file” should be set to the drive that the user wishes to warm. The “of=output file” parameter should be set to the Linux null virtual device, /dev/null. The “bs” parameter sets the block size of the read operation; for optimal performance, this should be set to 1 MB.

NEW QUESTION 9

The compliance department within your multi-national organization requires that all data for your customers that reside in the European Union (EU) must not leave the EU and also data for customers that reside in the US must not leave the US without explicit authorization.
What must you do to comply with this requirement for a web based profile management application running on EC2?

  • A. Run EC2 instances in multiple AWS Availability Zones in single Region and leverage an Elastic Load Balancer with session stickiness to route traffic to the appropriate zone to create their profile
  • B. Run EC2 instances in multiple Regions and leverage Route 53's Latency Based Routing capabilities to route traffic to the appropriate region to create their profile
  • C. Run EC2 instances in multiple Regions and leverage a third party data provider to determine if a user needs to be redirected to the appropriate region to create their profile
  • D. Run EC2 instances in multiple AWS Availability Zones in a single Region and leverage a third party data provider to determine if a user needs to be redirected to the appropriate zone to create their profile

Answer: C

NEW QUESTION 10

A user has launched two EBS backed EC2 instances in the US-East-1a region. The user wants to change the zone of one of the instances. How can the user change it?

  • A. Stop one of the instances and change the availability zone
  • B. The zone can only be modified using the AWS CLI
  • C. From the AWS EC2 console, select the Actions -> Change zones and specify new zone
  • D. Create an AMI of the running instance and launch the instance in a separate AZ

Answer: D

Explanation:

With AWS EC2, when a user is launching an instance he can select the availability zone (AZ) at the time of launch. If the zone is not selected, AWS selects it on behalf of the user. Once the instance is launched, the user cannot change the zone of that instance unless he creates an AMI of that instance and launches a new instance from it.

NEW QUESTION 11

A user has created a public subnet with VPC and launched an EC2 instance within it. The user is trying to delete the subnet. What will happen in this scenario?

  • A. It will delete the subnet and make the EC2 instance as a part of the default subnet
  • B. It will not allow the user to delete the subnet until the instances are terminated
  • C. It will delete the subnet as well as terminate the instances
  • D. The subnet can never be deleted independently, but the user has to delete the VPC first

Answer: B

Explanation:

A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. A user can create a subnet with VPC and launch instances inside that subnet. When an instance is launched it will have a network interface attached with it. The user cannot delete the subnet until he terminates the instance and deletes the network interface.

NEW QUESTION 12

George has shared an EC2 AMI created in the US East region from his AWS account with Stefano. George copies the same AMI to the US West region. Can Stefano access the copied AMI of George’s account from the US West region?

  • A. No, copy AMI does not copy the permission
  • B. It is not possible to share the AMI with a specific account
  • C. Yes, since copy AMI copies all private account sharing permissions
  • D. Yes, since copy AMI copies all the permissions attached with the AMI

Answer: A

Explanation:

Within EC2, when the user copies an AMI, the new AMI is fully independent of the source AMI; there is no link to the original (source) AMI. AWS does not copy the launch permissions, user-defined tags or the Amazon S3 bucket permissions from the source AMI to the new AMI. Thus, in this case by default Stefano will not have access to the AMI in the US West region.

NEW QUESTION 13

When creation of an EBS snapshot is initiated but not completed, the EBS volume?

  • A. Cannot be detached or attached to an EC2 instance until the snapshot completes
  • B. Can be used in read-only mode while the snapshot is in progress
  • C. Can be used while the snapshot is in progress
  • D. Cannot be used until the snapshot completes

Answer: C

Explanation:
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-copy-snapshot.html

NEW QUESTION 14

A user is planning to set up infrastructure on AWS for the Christmas sales. The user is planning to use Auto Scaling based on the schedule for proactive scaling. What advice would you give to the user?

  • A. It is good to schedule now because if the user forgets later on it will not scale up
  • B. The scaling should be set up only one week before Christmas
  • C. Wait till end of November before scheduling the activity
  • D. It is not advisable to use schedule-based scaling

Answer: C

Explanation:

Auto Scaling based on a schedule allows the user to scale the application in response to predictable load changes. The user can specify any date in the future to scale up or down during that period. As per Auto Scaling the user can schedule an action for up to a month in the future. Thus, it is recommended to wait until end of November before scheduling for Christmas.

NEW QUESTION 15

A user has stored data on an encrypted EBS volume. The user wants to share the data with his friend’s AWS account. How can the user achieve this?

  • A. Create an AMI from the volume and share the AMI
  • B. Copy the data to an unencrypted volume and then share
  • C. Take a snapshot and share the snapshot with a friend
  • D. If both the accounts are using the same encryption key then the user can share the volume directly

Answer: B

Explanation:

AWS EBS supports encryption of the volume. It also supports creating volumes from existing snapshots provided the snapshots are created from encrypted volumes. If the user has data on an encrypted volume and is trying to share it with others, he has to copy the data from the encrypted volume to a new unencrypted volume. Only then can the user share it as an encrypted volume data. Otherwise the snapshot cannot be shared.

NEW QUESTION 16

A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user’s data centre. Which of the below mentioned options is a valid entry for the main route table in this scenario?

  • A. Destination: 20.0.0.0/24 and Target: vgw-12345
  • B. Destination: 20.0.0.0/16 and Target: ALL
  • C. Destination: 20.0.1.0/16 and Target: vgw-12345
  • D. Destination: 0.0.0.0/0 and Target: vgw-12345

Answer: D

Explanation:

The user can create subnets as per the requirement within a VPC. If the user wants to connect VPC from his own data centre, he can set up a public and VPN only subnet which uses hardware VPN access to connect with his data centre. When the user has configured this setup with Wizard, it will create a virtual private gateway to route all traffic of the VPN subnet. Here are the valid entries for the main route table in this scenario: Destination: 0.0.0.0/0 & Target: vgw-12345 (To route all internet traffic to the VPN gateway). Destination: 20.0.0.0/16 & Target: local (To allow local routing in VPC).

NEW QUESTION 17

You are tasked with setting up a cluster of EC2 Instances for a NoSQL database. The database requires random read IO disk performance up to 100,000 IOPS at 4KB block size per node.
Which of the following EC2 instances will perform the best for this workload?

  • A. A High-Memory Quadruple Extra Large (m2.4xlarge) with EBS-Optimized set to true and a PIOPs EBS volume
  • B. A Cluster Compute Eight Extra Large (cc2.8xlarge) using instance storage
  • C. High I/O Quadruple Extra Large (hi1.4xlarge) using instance storage
  • D. A Cluster GPU Quadruple Extra Large (cg1.4xlarge) using four separate 4000 PIOPS EBS volumes in a RAID 0 configuration

Answer: C

Explanation:
Reference:
http://aws.amazon.com/ec2/instance-types/

NEW QUESTION 18

When an EC2 EBS-backed (EBS root) instance is stopped, what happens to the data on any ephemeral store volumes?

  • A. Data will be deleted and will no longer be accessible
  • B. Data is automatically saved in an EBS volume
  • C. Data is automatically saved as an EBS snapshot
  • D. Data is unavailable until the instance is restarted

Answer: D

NEW QUESTION 19

A user has configured Elastic Load Balancing by enabling a Secure Socket Layer (SSL) negotiation configuration known as a Security Policy. Which of the below mentioned options is not part of this secure policy while negotiating the SSL connection between the user and the client?

  • A. SSL Protocols
  • B. Client Order Preference
  • C. SSL Ciphers
  • D. Server Order Preference

Answer: B

Explanation:

Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. A security policy is a combination of SSL Protocols, SSL Ciphers, and the Server Order Preference option.

NEW QUESTION 20

You have a server with a 500GB Amazon EBS data volume. The volume is 80% full. You need to back up the volume at regular intervals and be able to re-create the volume in a new Availability Zone in the shortest time possible. All applications using the volume can be paused for a period of a few minutes with no discernible user impact.
Which of the following backup methods will best fulfill your requirements?

  • A. Take periodic snapshots of the EBS volume
  • B. Use a third party Incremental backup application to back up to Amazon Glacier
  • C. Periodically back up all data to a single compressed archive and archive to Amazon S3 using a parallelized multi-part upload
  • D. Create another EBS volume in the second Availability Zone, attach it to the Amazon EC2 instance, and use a disk manager to mirror the two disks

Answer: D

Explanation:
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html

NEW QUESTION 21

A user has launched a Windows based EC2 instance. However, the instance has some issues and the user wants to check the log. When the user checks the Instance console output from the AWS console, what will it display?

  • A. All the event logs since instance boot
  • B. The last 10 system event log errors
  • C. The Windows instance does not support the console output
  • D. The last three system events’ log errors

Answer: D

Explanation:

The AWS EC2 console provides a useful tool called Console output for problem diagnosis. It is useful to find out any kernel issues, termination reasons or service configuration issues. For a Windows instance it lists the last three system event log errors. For Linux it displays the exact console output.

NEW QUESTION 22

A user has created an application which will be hosted on EC2. The application makes calls to DynamoDB to fetch certain data. The application is using the DynamoDB SDK to connect with it from the EC2 instance. Which of the below mentioned statements is true with respect to the best practice for security in this scenario?

  • A. The user should attach an IAM role with DynamoDB access to the EC2 instance
  • B. The user should create an IAM user with DynamoDB access and use its credentials within the application to connect with DynamoDB
  • C. The user should create an IAM role, which has EC2 access so that it will allow deploying the application
  • D. The user should create an IAM user with DynamoDB and EC2 access. Attach the user with the application so that it does not use the root account credentials

Answer: A

Explanation:

With AWS IAM a user is creating an application which runs on an EC2 instance and makes requests to AWS, such as DynamoDB or S3 calls. Here it is recommended that the user should not create an IAM user and pass the user's credentials to the application or embed those credentials inside the application. Instead, the user should use roles for EC2 and give that role access to DynamoDB / S3. When the roles are attached to EC2, it will give temporary security credentials to the application hosted on that EC2, to connect with DynamoDB / S3.

NEW QUESTION 23

An admin is planning to monitor the ELB. Which of the below mentioned services does not help the admin capture the monitoring information about the ELB activity?

  • A. ELB Access logs
  • B. ELB health check
  • C. CloudWatch metrics
  • D. ELB API calls with CloudTrail

Answer: B

Explanation:

The admin can capture information about Elastic Load Balancer using either:

  • CloudWatch Metrics
  • ELB Logs files which are stored in the S3 bucket
  • CloudTrail with API calls which can notify the user as well as generate logs for each API call

The health check is internally performed by ELB and does not help the admin get the ELB activity.

NEW QUESTION 24

An organization has created a Queue named “modularqueue” with SQS. The organization is not performing any operations such as SendMessage, ReceiveMessage, DeleteMessage, GetQueueAttributes, SetQueueAttributes, AddPermission, and RemovePermission on the queue. What can happen in this scenario?

  • A. AWS SQS sends notification after 15 days for inactivity on queue
  • B. AWS SQS can delete queue after 30 days without notification
  • C. AWS SQS marks queue inactive after 30 days
  • D. AWS SQS notifies the user after 2 weeks and deletes the queue after 3 weeks

Answer: B

Explanation:

Amazon SQS can delete a queue without notification if one of the following actions hasn't been performed on it for 30 consecutive days: SendMessage, ReceiveMessage, DeleteMessage, GetQueueAttributes, SetQueueAttributes, AddPermission, and RemovePermission.

NEW QUESTION 25

You use S3 to store critical data for your company. Several users within your group currently have full permissions to your S3 buckets. You need to come up with a solution that does not impact your users and also protects against the accidental deletion of objects.
Which two options will address this issue? Choose 2 answers

  • A. Enable versioning on your S3 Buckets
  • B. Configure your S3 Buckets with MFA delete
  • C. Create a Bucket policy and only allow read only permissions to all users at the bucket level
  • D. Enable object life cycle policies and configure the data older than 3 months to be archived in Glacier

Answer: AB

NEW QUESTION 26

A root AWS account owner is trying to understand various options to set the permission to AWS S3. Which of the below mentioned options is not the right option to grant permission for S3?

  • A. User Access Policy
  • B. S3 Object Access Policy
  • C. S3 Bucket Access Policy
  • D. S3 ACL

Answer: B

Explanation:

Amazon S3 provides a set of operations to work with the Amazon S3 resources. Managing S3 resource access refers to granting others permissions to work with S3. There are three ways the root account owner can define access with S3:

  • S3 ACL: The user can use ACLs to grant basic read/write permissions to other AWS accounts.
  • S3 Bucket Policy: The policy is used to grant other AWS accounts or IAM users permissions for the bucket and the objects in it.
  • User Access Policy: Define an IAM user and assign him the IAM policy which grants him access to S3.
