-
You work for a company that has several instances running with automatically assigned public IPs. You performed an upgrade that required you to restart the instances from the console and your DNS records don’t work anymore. What happened?
- Your network interfaces need to be reinitialized
- You need to restart Route 53
- Restarting too many instances at once overloads the system
- The instances changed their public IP addresses on restart
Explanation:
Automatically assigned public IPs change on stop or termination of an instance.
-
Your company wishes to improve the performance of its EC2 instances. They require low latency and high throughput. They are currently deployed on T2.medium. It is imperative that you experience as little downtime as possible, but cost and performance are most important. How should you accomplish this?
- Create AMIs from the instances, create new instances on t2.medium, and start those instances in a placement group.
- Create AMIs from the instances, deploy the instances as i3.large, and start those instances in a placement group.
- Stop the instances and restart them in a placement group.
- Add an extra ENI to the instances and team them to provide greater throughput.
Explanation:
T2.medium is not compatible with placement groups. You cannot team ENIs to add more throughput on AWS.
-
You need to ensure the files served by your CloudFront distribution are only accessible to authorized users. You hope to serve thousands of users. What two steps should you take? (Choose two.)
- Configure signed cookies.
- Configure a WAF.
- Configure a bucket policy restricting the bucket to only CloudFront OAI.
- Configure an SSL on the distribution.
Explanation:
A WAF can block users from accessing the site and CloudFront, but that’s not the best option since you have so many users. An SSL will encrypt, but not prevent a user from viewing the content.
-
In Amazon CloudFront, which of the following is true of Smooth Streaming?
- It is a Microsoft format for streaming of media files.
- It is a CloudFront format for streaming of media files in RTMP distribution.
- It is the Adobe format for streaming of media files.
- It is a CloudFront format for streaming of media files in web distribution.
Explanation:
In the context of Amazon CloudFront, you can use CloudFront for on-demand streaming of media files that you’ve transcoded into the Microsoft Smooth Streaming format. To distribute Smooth Streaming content on demand, you have two options: as the origin for your distribution, specify a web server that can stream files that have been transcoded into Microsoft Smooth Streaming format; or enable Smooth Streaming in a CloudFront distribution. Smooth Streaming is a property of cache behaviors, which means that you can use one distribution to distribute Smooth Streaming media files as well as other conte
-
In the context of Amazon CloudFront Actions, you use the _____ when specifying APIs in IAM policies.
- object names
- class names
- entity names
- action names
Explanation:
In an AWS IAM policy, you can specify any and all API actions that Amazon CloudFront offers. The action name must be prefixed with the lowercase string cloudfront. For example: cloudfront:GetDistributionConfig, cloudfront:ListInvalidations, or cloudfront:* (for all CloudFront actions). In the reference link, there are tables that list the canonical names for all CloudFront actions. Use these canonical names when specifying APIs in IAM policies.
-
In Amazon CloudFront, while creating a web distribution, which of the following can be used as origin servers?
- Any combination AWS Glacier archives and Oracle server
- Any combination of Amazon DB instances and XML servers
- Any combination of Amazon S3 buckets and HTTP servers
- Any combination of Amazon Data Insights and PHP servers
Explanation:
In Amazon CloudFront, while creating a web distribution, you can create one or more Amazon S3 buckets or configure HTTP servers as your origin servers. An origin is the location where you store the original version of your web content. When CloudFront gets a request for your files, it goes to the origin to get the files that it distributes at edge locations. You can use any combination of Amazon S3 buckets and HTTP servers as your origin servers.
-
In Amazon CloudFront, to link to your objects, if your domain name is d111111abcdef8.cloudfront.net and your object is image.jpg, then the URL for the link in your webpage will be _____.
- http://d111111abcdef8.cloudfront.net/images/image.jpg
- http://d111111abcdef8.dns/images/image.jpg
- http://d111111abcdef8.dns/image.jpg
- http://d111111abcdef8.cloudfront.net/image.jpg
Explanation:
In Amazon CloudFront, to link to your objects, if your domain name was d111111abcdef8.cloudfront.net and your object was image.jpg, the URL for the link would be: http://d111111abcdef8.cloudfront.net/image.jpg. If your object is in a folder within your bucket, include the folder in the URL. For example, if image.jpg is located in an images folder, then the URL would be: http://d111111abcdef8.cloudfront.net/images/image.jpg.
-
Which service is used by default to store the CloudTrail log files?
- Elastic Block Store (EBS)
- Redshift
- Simple Storage Service (S3)
- Glacier
Explanation:
S3 is used by default to store the CloudTrail log files, and a dedicated S3 bucket is required during the creation of a new trail.
-
With AWS CloudTrail, creating multiple trails in one region allows ____ to focus on one aspect of AWS operation.
- callers
- events
- buckets
- stakeholders
Explanation:
With multiple trails, different stakeholders such as security administrators, software developers, and IT auditors can create and manage their own trails. For example, a security administrator can create a trail that applies to all regions and configure encryption using one Key Management Service key. A developer can create a trail that applies to one region for troubleshooting operational issues.
-
Your company has installed an AWS Direct Connect connection in an ap-southeast-1 Direct Connect location. A public virtual interface is configured through a router to a dedicated firewall. You advertise your company’s public /24 CIDR block to AWS with AS 65500. The company maintains a separate, corporate Internet firewall to map all outbound traffic to a single IP. This firewall maintains a BGP relationship with an upstream Internet provider that has delegated the public IP block your company uses. When the BGP session for the public virtual interface is up, corporate network users cannot access Amazon S3 resources in the ap-southeast-1 region.
Which step should you take to provide concurrent AWS and Internet access?
- Configure AS-PATH prepending for the public virtual interface.
- Advertise a host route for the corporate firewall on the public virtual interface.
- Advertise a host route for the corporate firewall to the upstream Internet provider.
- NAT the traffic destined for AWS from the dedicated firewall using the public virtual interface.
Explanation:
When outgoing traffic is routed via the corporate firewall, its return path is via the Direct Connect public virtual interface and therefore through the dedicated firewall. This dedicated firewall does not track the original NAT session and subsequently drops the traffic. Answer A is incorrect because AWS will always prefer Direct Connect over Internet routing. Answer B is incorrect because return traffic is still processed by the dedicated firewall. Answer C is incorrect because it does not change the traffic flow.
-
Your Amazon Kinesis application receives data streams from thousands of devices. The data is then stored in an on-premises Hadoop cluster. You are concerned about historical data that shows periods of sustained traffic between 1 Gbps and 2 Gbps during peaks. You must ensure that you have secure, fault-tolerant connectivity between Amazon Kinesis and your data center.
What should you implement to address these needs?
- Deploy a single 1-Gbps Direct Connect connection with a VPN backup.
- Deploy three 1-Gbps Direct Connect connections.
- Deploy two 1-Gbps Direct Connect connections.
- Set up an IPsec VPN connection over Direct Connect with two tunnels.
Explanation:
Three connections are required to provide fault tolerance. All of the other options would be unable to handle the peak loads over 1 Gbps without exceeding the available bandwidth.
-
You have a web application (app.mycompany.com) running on an EC2 instance with a single elastic network interface in a subnet in a VPC. Because of a network redesign, you need to move the web application to a different subnet in the same Availability Zone.
Which of the following migration strategies meets the requirements?
- Create an elastic network interface in the new subnet. Attach this interface to the instance, and detach the old interface.
- Launch a new instance in the subnet via an AMI created from the instance, and redirect new connections to this new instance using DNS. Decommission the old instance.
- Make an API call to change the subnet association of the elastic network interface.
- Change the IP addresses manually to another subnet within the server operating system.
Explanation:
Instances cannot change subnets, so a new instance must be created (Response B). A is wrong because you cannot remove the original elastic network interface. C is not possible. D is wrong because the OS has no ability to affect the AWS assigned IP addresses.
-
A user is collecting 1000 records per second. The user wants to send the data to CloudWatch using a custom namespace. Which of the below mentioned options is recommended for this activity?
- Aggregate the data with statistics, such as Min, Max, Average, Sum and Sample data, and send the data to CloudWatch
- Send all the data values to CloudWatch in a single command by separating them with a comma. CloudWatch will parse automatically
- It is not possible to send all the data in one call. Thus, it should be sent one by one. CloudWatch will aggregate the data automatically
- Create one csv file of all the data and send a single file to CloudWatch
Explanation:
AWS CloudWatch supports custom metrics. The user can always capture the custom data and upload it to CloudWatch using the CLI or APIs. The user can publish data to CloudWatch as single data points or as an aggregated set of data points called a statistic set using the command put-metric-data. It is recommended that when the user has multiple data points per minute, the data be aggregated so as to minimize the number of calls to put-metric-data. In this case it will be a single call to CloudWatch instead of 1000 calls if the data is aggregated.
-
A user has data generated randomly based on a certain event. The user wants to upload that data to CloudWatch. It may happen that the event does not generate any data for some period due to this randomness.
Which of the below mentioned options is a recommended option for this case?
- For the period when there is no data, the user should not send the data at all
- The user must upload the data to CloudWatch as having no data for some period will cause an error at CloudWatch monitoring
- For the period when there is no data the user should send the value as 0
- For the period when there is no data the user should send a blank value
Explanation:
AWS CloudWatch supports custom metrics. The user can always capture the custom data and upload it to CloudWatch using the CLI or APIs. When the user data is more random and not generated at regular intervals, there can be a period which has no associated data. The user can either publish the zero (0) value for that period or not publish the data at all. It is recommended that the user publish zero instead of no value to monitor the health of the application. This is helpful in an alarm as well as in the generation of the sample data count.
-
A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of the below mentioned statements helps the user understand detailed monitoring better?
- SNS cannot provide data every minute
- There is no need to enable since SNS provides data every minute
- SNS will send data every minute after configuration
- AWS CloudWatch does not support monitoring for SNS
-
A user is trying to send custom metrics to CloudWatch using the PutMetricData API. Which of the below mentioned points should the user take care of while sending the data to CloudWatch?
- The size of a request is limited to 128KB for HTTP GET requests and 64KB for HTTP POST requests
- The size of a request is limited to 40KB for HTTP GET requests and 8KB for HTTP POST requests
- The size of a request is limited to 16KB for HTTP GET requests and 80KB for HTTP POST requests
- The size of a request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests
Explanation:
With AWS CloudWatch, the user can publish data points for a metric that share not only the same time stamp, but also the same namespace and dimensions. CloudWatch can accept multiple data points in the same PutMetricData call with the same time stamp. The only thing that the user needs to take care of is that the size of a PutMetricData request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests.
-
What is the maximum number of CloudTrails that you can create per AWS region?
Explanation:
You can create up to five CloudTrails per Amazon AWS region. A trail that applies to all regions exists in each region and is counted as one trail in each region.
-
An AWS account owner has set up multiple IAM users. One of these IAM users, named John, has CloudWatch access, but no access to EC2 services. John has set up an alarm action which stops EC2 instances when their CPU utilization is below the threshold limit. When an EC2 instance’s CPU utilization rate drops below the threshold John has set, what will happen and why?
- Nothing will happen. John cannot set an alarm on EC2 since he does not have the permission.
- CloudWatch will stop the instance when the action is executed
- Nothing will happen because it is not possible to stop the instance using the CloudWatch alarm
- Nothing will happen. John can set up the action, but it will not be executed because he does not have EC2 access through IAM policies.
Explanation:
Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and perform one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can set up an action which stops the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either terminate or stop the instance. If the IAM user has read/write permissions for Amazon CloudWatch but not for Amazon EC2, he can still create an alarm. However, the stop or terminate actions will not be performed on the Amazon EC2 instance.
-
You are architecting your e-business application for PCI compliance. To meet the compliance requirements, you need to monitor web application logs to identify any malicious activity. You also need to monitor for remote attempts to change the network interface of web instances.
Which two AWS services will be helpful to achieve this goal?
- Amazon CloudWatch Logs and VPC Flow Logs
- AWS CloudTrail and VPC Flow Logs
- AWS CloudTrail and CloudWatch Logs
- AWS CloudTrail and AWS Config
Explanation:
Web application logs are internal to the operating system, so the only way to monitor them with an AWS service is to export them using CloudWatch Logs. AWS CloudTrail monitors the API activity and can be used to watch for particular API calls. The correct answer is the only one that references both these services.
-
You have an application that is processing confidential data. The data is currently stored in your data center. You are moving workloads to AWS, and you need to ensure confidentiality and integrity of the data in transit to your VPC. Your company has an existing AWS Direct Connect connection.
What combination of steps should you perform to set up the most cost-effective connection between your on-premises data center and AWS? (Choose three.)
- Set up a VPC with a virtual private gateway.
- Set up a VPC with an Internet gateway.
- Configure a public virtual interface on your Direct Connect connection.
- Configure a private virtual interface to the virtual private gateway.
- Set up an IPsec tunnel between your customer gateway and a software VPN on Amazon EC2 in the VPC.
- Set up an IPsec tunnel between your customer gateway appliance and the virtual private gateway.
Explanation:
Setting up a VPN over your Direct Connect connection will secure the data in transit. The steps to do so are: adding a VGW to the VPC; setting up a public virtual interface; and creating the IPsec tunnel between your data center and the VGW via the public virtual interface. B would send traffic over the public Internet. D is not possible because a public virtual interface is needed to announce the VGW endpoint IPs. E would not take advantage of the already existing Direct Connect connection.