SAP-C01 : AWS Certified Solutions Architect – Professional : Part 09

  1. True or False: Amazon ElastiCache supports the Redis key-value store.

    • True, ElastiCache supports the Redis key-value store, but with limited functionalities.
    • False, ElastiCache does not support the Redis key-value store.
    • True, ElastiCache supports the Redis key-value store.
    • False, ElastiCache supports the Redis key-value store only if you are in a VPC environment.
    Explanation:
    This is true. ElastiCache supports two open-source in-memory caching engines: 1. Memcached – a widely adopted memory object caching system. ElastiCache is protocol compliant with Memcached, so popular tools that you use today with existing Memcached environments will work seamlessly with the service. 2. Redis – a popular open-source in-memory key-value store that supports data structures such as sorted sets and lists. ElastiCache supports Master / Slave replication and Multi-AZ which can be used to achieve cross AZ redundancy.
  2. Which of the following is NOT an advantage of using AWS Direct Connect?

    • AWS Direct Connect provides users access to public and private resources by using two different connections while maintaining network separation between the public and private environments.
    • AWS Direct Connect provides a more consistent network experience than Internet-based connections.
    • AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS.
    • AWS Direct Connect reduces your network costs.
    Explanation:
    AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than Internet-based connections.
    By using industry standard 802.1q VLANs, this dedicated connection can be partitioned into multiple virtual interfaces. This allows you to use the same connection to access public resources such as objects stored in Amazon S3 using public IP address space, and private resources such as Amazon EC2 instances running within an Amazon Virtual Private Cloud (VPC) using private IP space, while maintaining network separation between the public and private environments.
  3. An organization is setting up an application on AWS to have both High Availability (HA) and Disaster Recovery (DR). The organization wants to have both Recovery point objective (RPO) and Recovery time objective (RTO) of 10 minutes. Which of the below mentioned service configurations does not help the organization achieve the said RPO and RTO?

    • Take a snapshot of the data every 10 minutes and copy it to the other region.
    • Use an elastic IP to assign to a running instance and use Route 53 to map the user’s domain with that IP.
    • Create ELB with multi-region routing to allow automated failover when required.
    • Use an AMI copy to keep the AMI available in other regions.
    Explanation:
    AWS provides an on demand, scalable infrastructure. AWS EC2 allows the user to launch On-Demand instances and the organization should create an AMI of the running instance. Copy the AMI to another region to enable Disaster Recovery (DR) in case of region failure. The organization should also use EBS for persistent storage and take a snapshot every 10 minutes to meet Recovery time objective (RTO). They should also setup an elastic IP and use it with Route 53 to route requests to the same IP. When one of the instances fails the organization can launch new instances and assign the same EIP to a new instance to achieve High Availability (HA). The ELB works only for a particular region and does not route requests across regions.
  4. An organization is having an application which can start and stop an EC2 instance as per schedule. The organization needs the MAC address of the instance to be registered with its software. The instance is launched in EC2-CLASSIC. How can the organization update the MAC registration every time an instance is booted?

    • The organization should write a boot strapping script which will get the MAC address from the instance metadata and use that script to register with the application.
    • The organization should provide a MAC address as a part of the user data. Thus, whenever the instance is booted the script assigns the fixed MAC address to that instance.
    • The instance MAC address never changes. Thus, it is not required to register the MAC address every time.
    • AWS never provides a MAC address to an instance; instead the instance ID is used for identifying the instance for any software registration.
    Explanation:
    AWS provides an on demand, scalable infrastructure. AWS EC2 allows the user to launch On-Demand instances. AWS does not provide a fixed MAC address to the instances launched in EC2-CLASSIC. If the instance is launched as a part of EC2-VPC, it can have an ENI which can have a fixed MAC. However, with EC2-CLASSIC, every time the instance is started or stopped it will have a new MAC address. To get this MAC, the organization can run a script on boot which can fetch the instance metadata and get the MAC address from that instance metadata. Once the MAC is received, the organization can register that MAC with the software.
  5. Does Amazon RDS API provide actions to modify DB instances inside a VPC and associate them with DB Security Groups?

    • Yes, Amazon does this but only for MySQL RDS.
    • Yes
    • No
    • Yes, Amazon does this but only for Oracle RDS.
    Explanation:
    You can use the action Modify DB Instance, available in the Amazon RDS API, to pass values for the parameters DB Instance Identifier and DB Security Groups specifying the instance ID and the DB Security Groups you want your instance to be part of.
  6. An organization is setting up a backup and restore system in AWS for its on-premises system. The organization needs High Availability (HA) and Disaster Recovery (DR) but is okay with a longer recovery time to save costs.

    Which of the below mentioned setup options helps achieve the objective of cost saving as well as DR in the most effective way?

    • Setup pre-configured servers and create AMIs. Use EIP and Route 53 to quickly switch over to AWS from on premises.
    • Setup the backup data on S3 and transfer data to S3 regularly using the storage gateway.
    • Setup a small instance with AutoScaling; in case of DR start diverting all the load to AWS from on premise.
    • Replicate on premise DB to EC2 at regular intervals and setup a scenario similar to the pilot light.
    Explanation:
    AWS has many solutions for Disaster Recovery (DR) and High Availability (HA). When the organization wants to have HA and DR but is okay with a longer recovery time, it should select the backup and restore option with S3. The data can be sent to S3 using either Direct Connect, Storage Gateway or over the internet.
    The EC2 instance will pick the data from the S3 bucket when started and set up the environment. This process takes longer but is very cost effective due to the low pricing of S3. In all the other options, the EC2 instance might be running or there will be AMI storage costs. Thus, it will be a costlier option. In this scenario the organization should plan appropriate tools to take a backup, plan the retention policy for data and set up security of the data.
  7. By default, what is the maximum number of Cache Nodes you can run in Amazon ElastiCache?

    • 20
    • 50
    • 100
    • 200
    Explanation:
    In Amazon ElastiCache, you can run a maximum of 20 Cache Nodes.
  8. Does an AWS Direct Connect location provide access to Amazon Web Services in the region it is associated with as well as access to other US regions?

    • No, it provides access only to the region it is associated with.
    • No, it provides access only to the US regions other than the region it is associated with.
    • Yes, it provides access.
    • Yes, it provides access but only when there’s just one Availability Zone in the region.
    Explanation:
    An AWS Direct Connect location provides access to Amazon Web Services in the region it is associated with, as well as access to other US regions. For example, you can provision a single connection to any AWS Direct Connect location in the US and use it to access public AWS services in all US Regions and AWS GovCloud (US).
  9. Which of the following components of AWS Data Pipeline specifies the business logic of your data management?

    • Task Runner
    • Pipeline definition
    • AWS Direct Connect
    • Amazon Simple Storage Service (Amazon S3)
    Explanation:
    A pipeline definition specifies the business logic of your data management.
  10. What feature of the load balancing service attempts to force subsequent connections to a service to be redirected to the same node as long as it is online?

    • Node balance
    • Session retention
    • Session multiplexing
    • Session persistence
    Explanation:
    Session persistence is a feature of the load balancing service. It attempts to force subsequent connections to a service to be redirected to the same node as long as it is online.
  11. What types of identities do Amazon Cognito identity pools support?

    • They support both authenticated and unauthenticated identities.
    • They support only unauthenticated identities.
    • They support neither authenticated nor unauthenticated identities.
    • They support only authenticated identities.
    Explanation:
    Amazon Cognito identity pools support both authenticated and unauthenticated identities. Authenticated identities belong to users who are authenticated by a public login provider or your own backend authentication process. Unauthenticated identities typically belong to guest users.
  12. In IAM, which of the following is true of temporary security credentials?

    • Once you issue temporary security credentials, they cannot be revoked.
    • None of these are correct.
    • Once you issue temporary security credentials, they can be revoked only when the virtual MFA device is used.
    • Once you issue temporary security credentials, they can be revoked.
    Explanation:
    Temporary credentials in IAM are valid throughout their defined duration of time and hence can’t be revoked. However, because permissions are evaluated each time an AWS request is made using the credentials, you can achieve the effect of revoking the credentials by changing the permissions for the credentials even after they have been issued.
  13. The CFO of a company wants to allow one of his employees to view only the AWS usage report page.

    Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?

    • "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"
    • "Effect": "Allow", "Action": ["aws-portal:ViewBilling"], "Resource": "*"
    • "Effect": "Allow", "Action": ["aws-portal:ViewUsage"], "Resource": "*"
    • "Effect": "Allow", "Action": ["AccountUsage"], "Resource": "*"
    Explanation:
    AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the CFO wants to allow only AWS usage report page access, the policy for that IAM user will be as given below:
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "aws-portal:ViewUsage"
          ],
          "Resource": "*"
        }
      ]
    }
  14. In Amazon VPC, what is the default maximum number of BGP advertised routes allowed per route table?

    • 15
    • 100
    • 5
    • 10
    Explanation:
    The maximum number of BGP advertised routes allowed per route table is 100.
  15. An organization has created 5 IAM users. The organization wants to give them the same login ID but different passwords. How can the organization achieve this?

    • The organization should create each user in a separate region so that they have their own URL to login
    • The organization should create a separate login ID but give the IAM users the same alias so that each one can login with their alias
    • It is not possible to have the same login ID for multiple IAM users of the same account
    • The organization should create various groups and add each user with the same login ID to different groups. The user can login with their own group ID
    Explanation:
    AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services.
    Whenever the organization is creating an IAM user, there should be a unique ID for each user. It is not possible to have the same login ID for multiple users. The names of users, groups, roles, instance profiles must be alphanumeric, including the following common characters: plus (+), equal (=), comma (,), period (.), at (@), and dash (-).
  16. The user has provisioned the PIOPS volume with an EBS optimized instance.

    Generally speaking, in which I/O chunk should the bandwidth experienced by the user be measured by AWS?

    • 128 KB
    • 256 KB
    • 64 KB
    • 32 KB
    Explanation:
    IOPS are input/output operations per second. Amazon EBS measures each I/O operation per second (that is 256 KB or smaller) as one IOPS.
  17. A user is planning to use EBS for his DB requirement. The user already has an EC2 instance running in the VPC private subnet.

    How can the user attach the EBS volume to a running instance?

    • The user can create EBS in the same zone as the subnet of instance and attach that EBS to instance.
    • It is not possible to attach an EBS to an instance running in VPC until the instance is stopped.
    • The user can specify the same subnet while creating EBS and then attach it to a running instance.
    • The user must create EBS within the same VPC and then attach it to a running instance.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user can create subnets as per the requirement within a VPC. The VPC is always specific to a region. The user can create a VPC which can span multiple Availability Zones by adding one or more subnets in each Availability Zone. The instance launched will always be in the same availability zone of the respective subnet. When creating an EBS the user cannot specify the subnet or VPC. However, the user must create the EBS in the same zone as the instance so that it can attach the EBS volume to the running instance.
  18. An organization is planning to set up a management network on the AWS VPC. The organization is trying to secure the webserver on a single VPC instance such that it allows the internet traffic as well as the back-end management traffic. The organization wants to make it so that the back-end management network interface can receive the SSH traffic only from a selected IP range, while the internet facing webserver will have an IP address which can receive traffic from all the internet IPs.

    How can the organization achieve this by running web server on a single instance?

    • It is not possible to have two IP addresses for a single instance.
    • The organization should create two network interfaces with the same subnet and security group to assign separate IPs to each network interface.
    • The organization should create two network interfaces with separate subnets so one instance can have two subnets and the respective security groups for controlled access.
    • The organization should launch an instance with two separate subnets using the same network interface which allows to have a separate CIDR as well as security groups.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC. The user can create a management network using two separate network interfaces. For the present scenario it is required that the secondary network interface on the instance handles the public facing traffic and the primary network interface handles the back-end management traffic and it is connected to a separate subnet in the VPC that has more restrictive access controls. The public facing interface, which may or may not be behind a load balancer, has an associated security group to allow access to the server from the internet while the private facing interface has an associated security group allowing SSH access only from an allowed range of IP addresses either within the VPC or from the internet, a private subnet within the VPC or a virtual private gateway.
  19. A user is trying to create a vault in AWS Glacier. The user wants to enable notifications.

    In which of the below mentioned options can the user enable the notifications from the AWS console?

    • Glacier does not support the AWS console
    • Archival Upload Complete
    • Vault Upload Job Complete
    • Vault Inventory Retrieval Job Complete
    Explanation:
    From the AWS console, the user can configure notifications to be sent to Amazon Simple Notification Service (SNS). The user can select specific jobs that, on completion, will trigger the notifications, such as Vault Inventory Retrieval Job Complete and Archive Retrieval Job Complete.
  20. An organization is purchasing licensed software. The software license can be registered only to a specific MAC Address. The organization is going to host the software in the AWS environment.

    How can the organization fulfil the license requirement as the MAC address changes every time an instance is started/stopped/terminated?

    • It is not possible to have a fixed MAC address with AWS.
    • The organization should use VPC with the private subnet and configure the MAC address with that subnet.
    • The organization should use VPC with an elastic network interface which will have a fixed MAC Address.
    • The organization should use VPC since VPC allows to configure the MAC address for each EC2 instance.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC. An ENI can include attributes such as: a primary private IP address, one or more secondary private IP addresses, one elastic IP address per private IP address, one public IP address, one or more security groups, a MAC address, a source/destination check flag, and a description. The user can create a network interface, attach it to an instance, detach it from an instance, and attach it to another instance. The attributes of a network interface follow the network interface as it is attached or detached from an instance and reattached to another instance. Thus, the user can maintain a fixed MAC using the network interface.