SAP-C01 : AWS Certified Solutions Architect – Professional : Part 13

  1. AWS has launched T2 instances, which come with CPU usage credits. An organization has a requirement to keep an instance running for 24 hours. However, the organization has high usage only during 11 AM to 12 PM. The organization is planning to use a T2 small instance for this purpose.

    If the organization already has multiple instances running since Jan 2012, which of the below mentioned options should the organization implement while launching a T2 instance?

    • The organization must migrate to the EC2-VPC platform first before launching a T2 instance.
    • While launching a T2 instance the organization must create a new AWS account as this account does not have the EC2-VPC platform.
    • Create a VPC and launch a T2 instance as part of one of the subnets of that VPC.
    • While launching a T2 instance the organization must select EC2-VPC as the platform.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user can create subnets as required within a VPC. An AWS account provides one of two platforms, EC2-Classic or EC2-VPC, depending on when the account was created and which regions it uses. If the AWS account was created after 2013-12-04, it supports only EC2-VPC. In this scenario, since the account predates that date, the supported platform will be EC2-Classic. The organization must therefore create a VPC, because T2 instances can be launched only inside a VPC.
  2. How does AWS Data Pipeline execute activities on on-premise resources or AWS resources that you manage?

    • By supplying a Task Runner package that can be installed on your on-premise hosts
    • None of these
    • By supplying a Task Runner file that the resources can access for execution
    • By supplying a Task Runner json script that can be installed on your on-premise hosts
    Explanation:
    To enable running activities using on-premise resources, AWS Data Pipeline supplies a Task Runner package that can be installed on your on-premise hosts. This package continuously polls the AWS Data Pipeline service for work to perform. When it is time to run a particular activity on your on-premise resources, the service issues the appropriate command to the Task Runner.
  3. Which of the following IAM policy elements lets you specify an exception to a list of actions?

    • NotException
    • ExceptionAction
    • Exception
    • NotAction
    Explanation:
    The NotAction element lets you specify an exception to a list of actions.
  4. In AWS IAM, which of the following predefined policy condition keys checks how long ago (in seconds) the MFA-validated security credentials making the request were issued using multi-factor authentication (MFA)?

    • aws:MultiFactorAuthAge
    • aws:MultiFactorAuthLast
    • aws:MFAAge
    • aws:MultiFactorAuthPrevious
    Explanation:
    aws:MultiFactorAuthAge is one of the predefined condition keys provided by AWS that can be included in the Condition element of an IAM policy. The key lets you check how long ago (in seconds) the MFA-validated security credentials making the request were issued using multi-factor authentication (MFA).
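    Questions 3 and 4 both turn on how IAM evaluates a statement: NotAction covers every action except those listed, and a Condition on aws:MultiFactorAuthAge only holds when that key is present in the request context (it is absent when the session never used MFA). The following added example, which is not part of the original page and not AWS's own evaluator, implements a deliberately reduced policy evaluator in Python to show both rules composing. The two sample policies and the request contexts are constructed; Resource, Principal and all operators other than NumericLessThan/NumericGreaterThan are left unmodelled.

```python
import fnmatch
import json

# Constructed sample policy A (not from the page): allow every action EXCEPT
# IAM and Organizations actions, expressed with NotAction.
POLICY_EXCEPT_IAM = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}
  ]
}
""")

# Constructed sample policy B: allow IAM actions only when the MFA-validated
# credentials were issued less than 3600 seconds ago. Without MFA the key
# aws:MultiFactorAuthAge is simply absent from the request context.
POLICY_IAM_WITH_FRESH_MFA = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*",
     "Condition": {"NumericLessThan": {"aws:MultiFactorAuthAge": "3600"}}}
  ]
}
""")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _action_matches(patterns, action):
    # IAM action matching is case-insensitive and supports the * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))


def _condition_holds(condition, context):
    # Only two numeric operators are modelled here (simplification of this example).
    # A key missing from the request context makes the condition false, which is why
    # an Allow gated on aws:MultiFactorAuthAge never fires for a session without MFA.
    for operator, pairs in condition.items():
        if operator not in ("NumericLessThan", "NumericGreaterThan"):
            raise ValueError(f"operator {operator} is not modelled in this example")
        for key, expected in pairs.items():
            if key not in context:
                return False
            actual, limit = float(context[key]), float(expected)
            if operator == "NumericLessThan" and not actual < limit:
                return False
            if operator == "NumericGreaterThan" and not actual > limit:
                return False
    return True


def _statement_applies(stmt, action, context):
    # Action lists the covered actions; NotAction covers every action except those listed.
    # Resource/NotResource/Principal are not modelled: every statement is treated as "*".
    if "Action" in stmt and not _action_matches(stmt["Action"], action):
        return False
    if "NotAction" in stmt and _action_matches(stmt["NotAction"], action):
        return False
    return _condition_holds(stmt.get("Condition", {}), context)


def evaluate(policies, action, context):
    """Return "Allow", "Deny" (explicit) or "ImplicitDeny" for one request.

    context mirrors the IAM request context, e.g. {"aws:MultiFactorAuthAge": "120"}.
    An explicit Deny always wins; an Allow beats the default implicit deny.
    """
    decision = "ImplicitDeny"
    for policy in policies:
        for stmt in policy["Statement"]:
            if not _statement_applies(stmt, action, context):
                continue
            if stmt["Effect"] == "Deny":
                return "Deny"
            decision = "Allow"
    return decision


if __name__ == "__main__":
    both = [POLICY_EXCEPT_IAM, POLICY_IAM_WITH_FRESH_MFA]
    print(evaluate(both, "s3:GetObject", {}))                                    # Allow
    print(evaluate(both, "iam:CreateUser", {}))                                  # ImplicitDeny
    print(evaluate(both, "iam:CreateUser", {"aws:MultiFactorAuthAge": "600"}))   # Allow
    print(evaluate(both, "iam:CreateUser", {"aws:MultiFactorAuthAge": "7200"}))  # ImplicitDeny
```

The last two calls show the practical value of aws:MultiFactorAuthAge over a plain MFA-present check: a session that authenticated with MFA hours ago is treated the same as one that never did, so privileged IAM changes require a fresh MFA prompt.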
  5. A user is configuring MySQL RDS with PIOPS. What should be the minimum PIOPS that the user should provision?

    • 1000
    • 200
    • 2000
    • 500
    Explanation:
    If a user is trying to enable PIOPS with MySQL RDS, the minimum size of storage should be 100 GB and the minimum PIOPS should be 1000.
  6. You are setting up some EBS volumes for a customer who has requested a setup which includes a RAID (redundant array of inexpensive disks). AWS has some recommendations for RAID setups.

    Which RAID setup is not recommended for Amazon EBS?

    • RAID 1 only
    • RAID 5 only
    • RAID 5 and RAID 6
    • RAID 0 only
    Explanation:
    With Amazon EBS, you can use any of the standard RAID configurations that you can use with a traditional bare metal server, as long as that particular RAID configuration is supported by the operating system for your instance. This is because all RAID is accomplished at the software level. For greater I/O performance than you can achieve with a single volume, RAID 0 can stripe multiple volumes together; for on-instance redundancy, RAID 1 can mirror two volumes together. RAID 5 and RAID 6 are not recommended for Amazon EBS because the parity write operations of these RAID modes consume some of the IOPS available to your volumes.
  7. Once the user has set up ElastiCache for an application and it is up and running, which of these services does Amazon not provide for the user?

    • The ability for client programs to automatically identify all of the nodes in a cache cluster, and to initiate and maintain connections to all of these nodes
    • Automating common administrative tasks such as failure detection and recovery, and software patching.
    • Providing a default Time to Live (TTL) in the AWS ElastiCache Redis implementation for different types of data.
    • Providing detailed monitoring metrics associated with your Cache Nodes, enabling you to diagnose and react to issues very quickly
    Explanation:
    Amazon provides failure detection and recovery, software patching, and monitoring tools (CloudWatch). In addition, it provides Auto Discovery, which automatically identifies and initializes all nodes of an Amazon ElastiCache cache cluster.
  8. In the context of AWS Cloud Hardware Security Module (HSM), does your application need to reside in the same VPC as the CloudHSM instance?

    • No, but the server or instance on which your application and the HSM client is running must have network (IP) reachability to the HSM.
    • Yes, always
    • No, but they must reside in the same Availability Zone.
    • No, but it should reside in the same Availability Zone as the DB instance.
    Explanation:
    Your application does not need to reside in the same VPC as the CloudHSM instance. However, the server or instance on which your application and the HSM client is running must have network (IP) reachability to the HSM. You can establish network connectivity in a variety of ways, including operating your application in the same VPC, with VPC peering, with a VPN connection, or with Direct Connect.
  9. True or False: In Amazon ElastiCache, you can use Cache Security Groups to configure the cache clusters that are part of a VPC.

    • FALSE
    • TRUE
    • True, this is applicable only to cache clusters that are running in an Amazon VPC environment.
    • True, but only when you configure the cache clusters using the Cache Security Groups from the console navigation pane.
    Explanation:
    Amazon ElastiCache cache security groups are only applicable to cache clusters that are not running in an Amazon Virtual Private Cloud environment (VPC). If you are running in an Amazon Virtual Private Cloud, Cache Security Groups is not available in the console navigation pane.
  10. What is the role of the PollForTask action when it is called by a task runner in AWS Data Pipeline?

    • It is used to retrieve the pipeline definition.
    • It is used to report the progress of the task runner to AWS Data Pipeline.
    • It is used to receive a task to perform from AWS Data Pipeline.
    • It is used to inform AWS Data Pipeline of the outcome when the task runner completes a task.
    Explanation:
    Task runners call PollForTask to receive a task to perform from AWS Data Pipeline. If tasks are ready in the work queue, PollForTask returns a response immediately. If no tasks are available in the queue, PollForTask uses long-polling and holds on to a poll connection for up to 90 seconds, during which time any newly scheduled tasks are handed to the task agent. Your remote worker should not call PollForTask again on the same worker group until it receives a response, and this may take up to 90 seconds.
  11. What is the average queue length recommended by AWS to achieve a lower latency for the 200 PIOPS EBS volume?

    • 5
    • 1
    • 2
    • 4
    Explanation:
    The queue length is the number of pending I/O requests for a device. The optimal average queue length will vary for every customer workload, and this value depends on a particular application’s sensitivity to IOPS and latency. If the workload is not delivering enough I/O requests to maintain the optimal average queue length, then the EBS volume might not consistently deliver the IOPS that have been provisioned. However, if the workload maintains an average queue length that is higher than the optimal value, then the per-request I/O latency will increase; in this case, the user should provision more IOPS for his volume. AWS recommends that the user should target an optimal average queue length of 1 for every 200 provisioned IOPS and tune that value based on his application requirements.
  12. Who is responsible for modifying the routing tables and networking ACLs in a VPC to ensure that a DB instance is reachable from other instances in the VPC?

    • AWS administrators
    • The owner of the AWS account
    • Amazon
    • The DB engine vendor
    Explanation:
    You are in charge of configuring the routing tables of your VPC as well as the network ACLs rules needed to make your DB instances accessible from all the instances of your VPC that need to communicate with it.
  13. An organization is planning to host a web application in the AWS VPC. The organization does not want to host a database in the public cloud due to statutory requirements.

    How should the organization set this up in this scenario?

    • The organization should plan the app server on the public subnet and database in the organization’s data center and connect them with the VPN gateway.
    • The organization should plan the app server on the public subnet and use RDS with the private subnet for a secure data operation.
    • The organization should use the public subnet for the app server and use RDS with a storage gateway to access as well as sync the data securely from the local data center.
    • The organization should plan the app server on the public subnet and database in a private subnet so it will not be in the public cloud.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. The user can create subnets as required within a VPC. If the user wants to connect the VPC to their own data centre, they can set up a public subnet and a VPN-only subnet that uses hardware VPN access to connect to the data centre. When the user configures this setup with the wizard, it creates a virtual private gateway to route all the traffic of the VPN subnet. If a virtual private gateway is attached to the VPC and the user deletes the VPC from the console, the gateway is automatically detached first and only then is the VPC deleted.
  14. A user is trying to create a PIOPS EBS volume with 4000 IOPS and 100 GB size. AWS does not allow the user to create this volume.

    What is the possible root cause for this?

    • PIOPS is supported for EBS higher than 500 GB size
    • The maximum IOPS supported by EBS is 3000
    • The ratio between IOPS and the EBS volume is higher than 30
    • The ratio between IOPS and the EBS volume is lower than 50
  15. A user is planning to host a Highly Available system on the AWS VPC. Which of the below mentioned statements is helpful in this scenario?

    • Create VPC subnets in two separate availability zones and launch instances in different subnets.
    • Create VPC with only one public subnet and launch instances in different AZs using that subnet.
    • Create two VPCs in two separate zones and set up failover with ELB such that if one VPC fails it will divert traffic to another VPC.
    • Create VPC with only one private subnet and launch instances in different AZs using that subnet.
    Explanation:
    A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. The VPC is always specific to a region. The user can create a VPC which can span multiple Availability Zones by adding one or more subnets in each Availability Zone. Each subnet must reside entirely within one Availability Zone and cannot span across zones.
  16. A user is creating a PIOPS volume. What is the maximum ratio the user should configure between PIOPS and the volume size?

    • 5
    • 10
    • 20
    • 30
    Explanation:
    Provisioned IOPS volumes are designed to meet the needs of I/O-intensive workloads, particularly database workloads that are sensitive to storage performance and consistency in random access I/O throughput. A provisioned IOPS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume.
    The ratio of IOPS provisioned to the volume size requested can be a maximum of 30; for example, a volume with 3000 IOPS must be at least 100 GB.
  17. What is a possible reason you would need to edit claims issued in a SAML token?

    • The NameIdentifier claim cannot be the same as the username stored in AD.
    • Authentication fails consistently.
    • The NameIdentifier claim cannot be the same as the claim URI.
    • The NameIdentifier claim must be the same as the username stored in AD.
    Explanation:
    The two reasons you would need to edit claims issued in a SAML token are: the NameIdentifier claim cannot be the same as the username stored in AD, and the app requires a different set of claim URIs.
  18. A government client needs you to set up secure cryptographic key storage for some of their extremely confidential data. You decide that AWS CloudHSM is the best service for this.
    However, there seem to be a few prerequisites before this can happen, one of those being a security group that has certain ports open.

    Which of the following is correct in regards to those security groups?

    • A security group that has no ports open to your network.
    • A security group that has only port 3389 (for RDP) open to your network.
    • A security group that has only port 22 (for SSH) open to your network.
    • A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network.
    Explanation:
    AWS CloudHSM provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud.
    AWS CloudHSM requires the following environment before an HSM appliance can be provisioned:
    A virtual private cloud (VPC) in the region where you want the AWS CloudHSM service.
    One private subnet (a subnet with no Internet gateway) in the VPC. The HSM appliance is provisioned into this subnet.
    One public subnet (a subnet with an Internet gateway attached). The control instances are attached to this subnet.
    An AWS Identity and Access Management (IAM) role that delegates access to your AWS resources to AWS CloudHSM.
    An EC2 instance, in the same VPC as the HSM appliance, that has the SafeNet client software installed. This instance is referred to as the control instance and is used to connect to and manage the HSM appliance.
    A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network. This security group is attached to your control instances so you can access them remotely.
  19. What is the network performance offered by the c4.8xlarge instance in Amazon EC2?

    • Very High but variable
    • 20 Gigabit
    • 5 Gigabit
    • 10 Gigabit
    Explanation:
    Networking performance offered by the c4.8xlarge instance is 10 Gigabit.
  20. An organization is setting up a web application with the JEE stack. The application uses the JBoss app server and MySQL DB. The application has a logging module which logs all the activities whenever a business function of the JEE application is called. The logging activity takes some time due to the large size of the log file.

    If the application wants to set up a scalable infrastructure, which of the below mentioned options will help achieve this setup?

    • Host the log files on EBS with PIOPS which will have higher I/O.
    • Host logging and the app server on separate servers such that they are both in the same zone.
    • Host logging and the app server on the same instance so that the network latency will be shorter.
    • Create a separate module for logging and, using SQS, compartmentalize the module so that all calls to logging are asynchronous.
    Explanation:
    The organization can always launch multiple EC2 instances in the same region across multiple AZs for HA and DR. AWS architecture practice recommends compartmentalizing functionality so that the parts can run in parallel without affecting the performance of the main application. In this scenario, logging takes a long time due to the large size of the log file. It is therefore recommended that the organization separate logging into its own module and make the calls between the modules asynchronous. This way the application can scale as required and its performance will not bear the impact of logging.