SAP-C01 : AWS Certified Solutions Architect – Professional : Part 16
-
You have written a CloudFormation template that creates 1 Elastic Load Balancer fronting 2 EC2 Instances.
Which section of the template should you edit so that the DNS of the load balancer is returned upon creation of the stack?
- Parameters
- Outputs
- Mappings
- Resources
Explanation:
You can use AWS CloudFormation's sample templates or create your own templates to describe the AWS resources, and any associated dependencies or runtime parameters, required to run your application. Values that you want returned when the stack is created (and later shown by describe-stacks or the console's Outputs tab), such as the DNS name of the load balancer, are declared in the template's Outputs section.
In the following example, the output named BackupLoadBalancerDNSName returns the DNS name for the resource with the logical ID BackupLoadBalancer only when the CreateProdResources condition is true. (The second output shows how to specify multiple outputs.)
"Outputs" : {
  "BackupLoadBalancerDNSName" : {
    "Description": "The DNSName of the backup load balancer",
    "Value" : { "Fn::GetAtt" : [ "BackupLoadBalancer", "DNSName" ]},
    "Condition" : "CreateProdResources"
  },
  "InstanceID" : {
    "Description": "The Instance ID",
    "Value" : { "Ref" : "EC2Instance" }
  }
} -
In CloudFormation, if you want to map an Amazon Elastic Block Store to an Amazon EC2 instance, _________.
- you reference the logical IDs to associate the block stores with the instance
- you reference the physical IDs of the instance along with the resource type
- you reference the instance IDs of the block store along with the resource properties
- you reference the physical IDs of both the block stores and the instance
Explanation:
In AWS CloudFormation, if you want to map an Amazon EBS volume to an Amazon EC2 instance, you reference the logical IDs to associate the block store with the instance: for example, an AWS::EC2::VolumeAttachment resource names the volume and the instance with Ref to their logical IDs. Physical IDs such as vol-... and i-... do not exist until the stack is created, so a template cannot refer to them. -
An organization hosts an app on EC2 instances which multiple developers need access to in order to perform updates.
The organization plans to implement some security best practices related to instance access. Which one of the following recommendations will not help improve its security in this way?
- Disable the password based login for all the users. All the users should use their own keys to connect with the instance securely.
- Create an IAM policy allowing only IAM users to connect to the EC2 instances with their own SSH key.
- Create a procedure to revoke the access rights of the individual user when they are not required to connect to EC2 instance anymore for the purpose of application configuration.
- Apply the latest patch of OS and always keep it updated.
Explanation:
An application hosted on EC2 is reachable from the Internet like any other public-cloud workload, so it is important to set up proper access controls on the instances themselves. A few of the relevant measures:
– Always keep the OS updated with the latest patches.
– Create a separate OS user for each person who needs to connect to the instance, give each user their own key pair, and disable password-based login.
– Create a procedure by which the admin revokes a user's access once their work on the instance is complete.
– Lock down unnecessary ports.
– Audit any proprietary applications the users may be running on the instance, and provide temporary escalated privileges, such as sudo, to users who need to perform occasional privileged tasks.
IAM is useful when users need to work with AWS resources and API actions, such as launching an instance. It does not help here because an IAM policy does not control who can connect to an instance over SSH or RDP; that is decided by the operating system's accounts and keys. (Later services such as EC2 Instance Connect and Systems Manager Session Manager do put interactive access under IAM, but a plain IAM policy that "allows IAM users to connect with their own SSH key" does not exist.) -
A user has configured two security groups which allow traffic as given below:
1: SecGrp1: Inbound on port 80 for 0.0.0.0/0; Inbound on port 22 for 0.0.0.0/0
2: SecGrp2: Inbound on port 22 for 10.10.10.1/32
If both the security groups are associated with the same instance, which of the below mentioned statements is true?
- It is not possible to have more than one security group assigned to a single instance
- It is not possible to create the security group with conflicting rules. AWS will reject the request
- It allows inbound traffic for everyone on both ports 22 and 80
- It allows inbound traffic on port 22 for IP 10.10.10.1 and for everyone else on port 80
Explanation:
A user can attach more than one security group to a single EC2 instance. Security group rules are allow rules only; there are no deny rules, so the rules from every attached group are aggregated into one set and traffic is permitted if any rule in that set matches. Here the port 22 rule for 10.10.10.1/32 in SecGrp2 is a subset of the port 22 rule for 0.0.0.0/0 in SecGrp1, so the combined effect is that ports 22 and 80 are open to everyone; the narrower rule adds nothing. To restrict SSH to 10.10.10.1, the 0.0.0.0/0 rule on port 22 would have to be removed from every attached group. -
You have a website which requires international presence and consequently you have set it up as follows.
It is hosted on 30 EC2 instances.
It is in 15 regions around the globe. Each region has 2 instances.
All the instances are in a public hosted zone. Which of the following is the best way to configure your site to maintain availability with minimum downtime if one of the 15 regions was to lose network connectivity for an extended period? (Choose two.)
- Create a Route 53 Latency Based Routing Record set that resolves to an Elastic Load Balancer in each region and has the Evaluate Target Health flag set to true.
- Create a Route 53 failover routing policy and configure an active-passive failover.
- Create a Route 53 Failover Routing Policy and assign each resource record set a unique identifier and a relative weight.
- Create a Route 53 Geolocation Routing Policy that resolves to an Elastic Load Balancer in each region and has the Evaluate Target Health flag set to false.
Explanation:
It is best to use the latency routing policy when you have resources in multiple AWS Regions that perform the same function and you want Amazon Route 53 to respond to DNS queries with the resource that provides the best latency. With Evaluate Target Health set to true on an alias record that points to an ELB, Route 53 checks the health of the load balancer's registered instances and stops returning the record for a region whose load balancer is unreachable, so clients are sent to the next-best healthy region. You could also use the failover routing policy (for public hosted zones only) when you want to configure an active-passive failover, in which one resource takes all traffic when it's available and the other resource takes all traffic when the first resource isn't available. A failover policy does not use relative weights, and a geolocation record with Evaluate Target Health set to false would keep answering with the unreachable region, so neither of the other options removes the failed region from DNS responses. -
A user is accessing an EC2 instance on the SSH port for IP 10.20.30.40/32.
Which one is a secure way to configure that the instance can be accessed only from this IP?
- In the security group, open port 22 for IP 10.20.30.40
- In the security group, open port 22 for IP 10.20.30.0
- In the security group, open port 22 for IP 10.20.30.40/32
- In the security group, open port 22 for IP 10.20.30.40/0
Explanation:
In AWS EC2, while configuring a security group rule, the user must specify the source as an IP range in CIDR notation. 10.20.30.40/32 denotes the single address 10.20.30.40. If the user enters 10.20.30.40 with no prefix length, the security group will not accept it and will ask for CIDR format; 10.20.30.0 is likewise not a valid CIDR block on its own; and 10.20.30.40/0 has a prefix length of zero, which matches every IPv4 address (the address part is ignored), so it would open port 22 to the whole Internet rather than restrict it. -
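The following is an added example, not code from the exam page or from AWS. It models in Python how EC2 evaluates inbound security-group rules and covers both the two-security-group question above (rules from every attached group are unioned, and there is no deny, so a 0.0.0.0/0 rule on port 22 makes a 10.10.10.1/32 rule on the same port irrelevant) and the CIDR question here (a bare address is rejected, /32 is one host, and a /0 prefix matches every address whatever the host part). The group names, rules and probe addresses are constructed for the example; the shadowed_rules check is the kind of audit a reviewer would want, not an AWS feature.

```python
"""Added example: an offline model of EC2 inbound security-group evaluation.
Rules only allow; a packet is admitted if any rule in any attached group matches.
Group names, rules and probe addresses below are constructed for this example."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    protocol: str   # "tcp", "udp", "icmp", or "-1" for all protocols
    from_port: int
    to_port: int
    cidr: str       # source, must be in CIDR notation


def parse_cidr(text):
    """Parse a source the way the EC2 API expects it: the prefix length is
    mandatory. Host bits are ignored, so 10.20.30.40/0 is the whole Internet."""
    if "/" not in text:
        raise ValueError(f"{text!r} is not in CIDR notation (use {text}/32 for one host)")
    return ipaddress.ip_network(text, strict=False)


def _covers(rule, protocol, port):
    if rule.protocol == "-1":
        return True
    return rule.protocol == protocol and rule.from_port <= port <= rule.to_port


def match(groups, protocol, port, source_ip):
    """Return (group name, rule) of the first rule that admits the packet, or None.
    Because rules only ever allow, the union of all attached groups is what counts."""
    ip = ipaddress.ip_address(source_ip)
    for name, rules in groups.items():
        for rule in rules:
            net = parse_cidr(rule.cidr)
            if _covers(rule, protocol, port) and ip.version == net.version and ip in net:
                return name, rule
    return None


def shadowed_rules(groups):
    """Rules that add nothing because a strictly broader rule in some attached
    group already covers them. A shadowed /32 usually means a restriction
    someone intended is not actually in force."""
    flat = [(g, r) for g, rules in groups.items() for r in rules]
    found = []
    for g, r in flat:
        r_net = parse_cidr(r.cidr)
        for h, s in flat:
            if (g, r) == (h, s):
                continue
            s_net = parse_cidr(s.cidr)
            same_proto = s.protocol in ("-1", r.protocol)
            wider_ports = s.protocol == "-1" or (s.from_port <= r.from_port and r.to_port <= s.to_port)
            wider_net = r_net.version == s_net.version and r_net.subnet_of(s_net)
            strictly = (s_net != r_net or s.protocol != r.protocol
                        or (s.from_port, s.to_port) != (r.from_port, r.to_port))
            if same_proto and wider_ports and wider_net and strictly:
                found.append((g, r, h, s))
                break
    return found


# Constructed sample: the two groups from the question, both attached to one instance.
ATTACHED = {
    "SecGrp1": [Rule("tcp", 80, 80, "0.0.0.0/0"), Rule("tcp", 22, 22, "0.0.0.0/0")],
    "SecGrp2": [Rule("tcp", 22, 22, "10.10.10.1/32")],
}

if __name__ == "__main__":
    for src in ("10.10.10.1", "203.0.113.7"):
        print(f"ssh from {src}: {match(ATTACHED, 'tcp', 22, src)}")
    for g, r, h, s in shadowed_rules(ATTACHED):
        print(f"{g} {r.cidr} port {r.from_port} is shadowed by {h} {s.cidr}")
    for text in ("10.20.30.40/32", "10.20.30.40/0", "10.20.30.40"):
        try:
            print(text, "->", parse_cidr(text).num_addresses, "address(es)")
        except ValueError as err:
            print(text, "->", err)
```

Running it shows SSH from 203.0.113.7 admitted by SecGrp1's 0.0.0.0/0 rule, SecGrp2's /32 rule reported as shadowed, /32 as one address, /0 as 2^32 addresses, and the bare address rejected. Removing SecGrp1's port 22 rule is what actually restricts SSH to 10.10.10.1.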
While assigning a tag to an instance, which of the below mentioned options is not a valid tag key/value pair?
- Key: "aws" Value: "aws"
- Key: "aws:name" Value: "instanceAnswer: Aws"
- Key: "Name :aws" Value: "instanceAnswer: Aws"
- Key: "nameAnswer: Aws" Value: "aws:instance"
Explanation:
In Amazon Web Services, to help manage EC2 instances and their usage, the user can tag instances. Tags are user-assigned metadata consisting of a key and a value. A tag key cannot begin with the reserved prefix "aws:", which AWS uses for tags it creates itself (those tags cannot be edited or deleted by the user); a key may, however, consist of just "aws" or contain "aws:" somewhere other than at the start, and a value may contain "aws:" freely. So "aws:name" is the invalid key. -
Will you be able to access EC2 snapshots using the regular Amazon S3 APIs?
- Yes, you will be able to access using S3 APIs if you have chosen the snapshot to be stored in S3.
- No, snapshots are only available through the Amazon EBS APIs.
- Yes, you will be able to access them using S3 APIs as all snapshots are stored in S3.
- No, snapshots are only available through the Amazon EC2 APIs.
Explanation:
No, snapshots are only available through the Amazon EC2 APIs. EBS snapshots are stored in Amazon S3, but in AWS-managed storage: they are not objects in a bucket in your account, so they cannot be listed or retrieved with the S3 APIs. You create, copy, share and delete them with EC2 API calls such as CreateSnapshot, DescribeSnapshots, CopySnapshot and DeleteSnapshot. -
A user has created an AWS AMI. The user wants the AMI to be available only to his friend and not anyone else. How can the user manage this?
- Share the AMI with the community and setup the approval workflow before anyone launches it.
- It is not possible to share the AMI with the selected user.
- Share the AMI with a friend’s AWS account ID.
- Share the AMI with a friend’s AWS login ID.
Explanation:
In Amazon Web Services, if a user has created an AMI and wants to share it with friends or colleagues, he can add their AWS account IDs to the AMI's launch permissions (the "Modify Image Permissions" action). The AMI remains private; it is not made public. Once shared, the other user can find it in the EC2 console under the private images filter and launch it. If the AMI is backed by encrypted EBS snapshots, the KMS key used for the encryption must also be shared with the other account, or the launch will fail. -
A user is planning to launch multiple EC2 instance same as current running instance.
Which of the below mentioned parameters is not copied by Amazon EC2 in the launch wizard when the user has selected the option “Launch more like this”?
- Termination protection
- Tenancy setting
- Storage
- Shutdown behavior
Explanation:
The Amazon EC2 console provides a "Launch more like this" wizard option that enables the user to use a current instance as a template for launching other instances. This option automatically populates the Amazon EC2 launch wizard with certain configuration details from the selected instance.
The following configuration details are copied from the selected instance into the launch wizard:
– AMI ID
– Instance type
– Availability Zone, or the VPC and subnet in which the selected instance is located
– Public IPv4 address. If the selected instance currently has a public IPv4 address, the new instance receives a public IPv4 address, regardless of the selected instance's default public IPv4 address setting. For more information about public IPv4 addresses, see Public IPv4 Addresses and External DNS Hostnames.
– Placement group, if applicable
– IAM role associated with the instance, if applicable
– Shutdown behavior setting (stop or terminate)
– Termination protection setting (true or false)
– CloudWatch monitoring (enabled or disabled)
– Amazon EBS-optimization setting (true or false)
– Tenancy setting, if launching into a VPC (shared or dedicated)
– Kernel ID and RAM disk ID, if applicable
– User data, if specified
– Tags associated with the instance, if applicable
– Security groups associated with the instance
The following configuration details are not copied from the selected instance; instead, the wizard applies their default settings or behavior:
– (VPC only) Number of network interfaces: the default is one network interface, which is the primary network interface (eth0).
– Storage: the default storage configuration is determined by the AMI and the instance type.
Of the options listed, Storage is therefore the one that is not copied. -
A user has launched an EBS optimized instance with EC2. Which of the below mentioned options is the correct statement?
- It provides additional dedicated capacity for EBS IO
- The attached EBS will have greater storage capacity
- The user will have a PIOPS based EBS volume
- It will be launched on dedicated hardware in VPC
Explanation:
An Amazon EBS-optimized instance uses an optimized configuration stack and provides additional, dedicated capacity for the Amazon EBS I/O. This optimization provides the best performance for the user’s Amazon EBS volumes by minimizing contention between the Amazon EBS I/O and other traffic from the user’s instance. -
Which status represents a failure state in AWS CloudFormation?
- ROLLBACK_IN_PROGRESS
- DELETE_IN_PROGRESS
- UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
- REVIEW_IN_PROGRESS
Explanation:
Of the four, only ROLLBACK_IN_PROGRESS is entered because of a failure: it means an ongoing removal of one or more stacks after a failed stack creation or after an explicitly canceled stack creation. DELETE_IN_PROGRESS means an ongoing removal of one or more stacks. REVIEW_IN_PROGRESS means an ongoing creation of one or more stacks with an expected StackId but without any templates or resources (a change set has been created for a new stack but not yet executed).
UPDATE_COMPLETE_CLEANUP_IN_PROGRESS means an ongoing removal of old resources for one or more stacks after a successful stack update. -
You are playing around with setting up stacks using JSON templates in CloudFormation to try and understand them a little better. You have set up about 5 or 6 but now start to wonder if you are being charged for these stacks.
What is AWS’s billing policy regarding stack resources?
- You are not charged for the stack resources if they are not taking any traffic.
- You are charged for the stack resources for the time they were operating (but not if you deleted the stack within 30 minutes)
- You are charged for the stack resources for the time they were operating (but not if you deleted the stack within 60 minutes)
- You are charged for the stack resources for the time they were operating (even if you deleted the stack right away)
Explanation:
A stack is a collection of AWS resources that you can manage as a single unit. In other words, you can create, update, or delete a collection of resources by creating, updating, or deleting stacks. All the resources in a stack are defined by the stack’s AWS CloudFormation template. A stack, for instance, can include all the resources required to run a web application, such as a web server, a database, and networking rules. If you no longer require that web application, you can simply delete the stack, and all of its related resources are deleted. You are charged for the stack resources for the time they were operating (even if you deleted the stack right away). -
In an AWS CloudFormation template, each resource declaration includes:
- a logical ID, a resource type, and resource properties
- a variable resource name and resource attributes
- an IP address and resource entities
- a physical ID, a resource file, and resource data
Explanation:
In AWS CloudFormation, each resource declaration includes three parts: a logical ID that is unique within the template, a resource type, and resource properties. -
For AWS CloudFormation, which stack state refuses UpdateStack calls?
- UPDATE_ROLLBACK_FAILED
- UPDATE_ROLLBACK_COMPLETE
- UPDATE_COMPLETE
- CREATE_COMPLETE
Explanation:
When a stack is in the UPDATE_ROLLBACK_FAILED state, UpdateStack calls are refused. You can continue rolling the stack back (ContinueUpdateRollback) to return it to a working state, UPDATE_ROLLBACK_COMPLETE; once the rollback completes, the stack is back at its previous settings and you can try the update again. Stacks in UPDATE_ROLLBACK_COMPLETE, UPDATE_COMPLETE or CREATE_COMPLETE all accept updates. -
In the context of AWS CloudFormation, which of the following statements is correct?
- Actual resource names are a combination of the resource ID, stack, and logical resource name.
- Actual resource name is the stack resource name.
- Actual resource name is the logical resource name.
- Actual resource names are a combination of the stack and logical resource name.
Explanation:
In AWS CloudFormation, the physical names that CloudFormation generates for resources are derived from the stack name and the logical resource name, with a random suffix appended (for example, a bucket declared as MyBucket in stack mystack gets a name of the form mystack-mybucket-<random suffix>). This allows multiple stacks to be created from a template without fear of name collisions between AWS resources. -
When using the AWS CLI for AWS CloudFormation, which of the following commands returns a description of the specified resource in the specified stack?
- describe-stack-events
- describe-stack-resource
- create-stack-resource
- describe-stack-returns
Explanation:
From the AWS CLI reference for "aws cloudformation describe-stack-resource":
Returns a description of the specified resource in the specified stack. For deleted stacks, describe-stack-resource returns resource information for up to 90 days after the stack has been deleted. -
A user is using CloudFormation to launch an EC2 instance and then configure an application after the instance is launched. The user wants the stack creation of ELB and AutoScaling to wait until the EC2 instance is launched and configured properly.
How can the user configure this?
- The user can use the DependentCondition resource to hold the creation of the other dependent resources.
- It is not possible that the stack creation will wait until one service is created and launched.
- The user can use the HoldCondition resource to wait for the creation of the other dependent resources.
- The user can use the WaitCondition resource to hold the creation of the other dependent resources.
Explanation:
AWS CloudFormation provides a WaitCondition resource that acts as a barrier and blocks the creation of other resources until a completion signal is received from an external source, such as a user application or management system. The WaitCondition references a WaitConditionHandle, whose Ref is a presigned URL; the instance's bootstrap script posts to that URL (for example with cfn-signal) once the application is configured, and the ELB and Auto Scaling resources declare DependsOn on the WaitCondition so they are not created until the signal arrives or the condition's Timeout expires. (For signalling the state of an EC2 instance or Auto Scaling group itself, AWS now recommends a CreationPolicy attribute with cfn-signal instead of a separate wait condition.) -
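The following is an added example, not code from the exam page or from AWS. It is a small Python checker for the CloudFormation points made in several of these questions: every Ref, Fn::GetAtt and DependsOn must name a logical ID declared in the template (the EBS-to-instance mapping, the three parts of a resource declaration, the Outputs section with its Condition), and resources are created in dependency order, which is how a WaitCondition with DependsOn holds back the load balancer until the instance signals. The embedded template and all its logical IDs (WebInstance, DataVolume, VolumeMount, WaitHandle, AppReady, WebLoadBalancer) are constructed for the example.

```python
"""Added example: validate logical-ID references in a CloudFormation template and
compute the order in which resources would be created (DependsOn plus implicit
Ref/GetAtt edges). Template and logical IDs are constructed for this example."""
from collections import deque

TEMPLATE = {
    "Parameters": {"Env": {"Type": "String"}, "AmiId": {"Type": "AWS::EC2::Image::Id"}},
    "Conditions": {"CreateProdResources": {"Fn::Equals": [{"Ref": "Env"}, "prod"]}},
    "Resources": {
        "WaitHandle": {"Type": "AWS::CloudFormation::WaitConditionHandle"},
        "WebInstance": {"Type": "AWS::EC2::Instance", "Properties": {
            "ImageId": {"Ref": "AmiId"}, "InstanceType": "t3.micro",
            # the bootstrap script signals the handle URL once the app is configured
            "UserData": {"Fn::Base64": {"Fn::Join": ["", [
                "#!/bin/bash -xe\n", "yum install -y aws-cfn-bootstrap\n",
                "/opt/aws/bin/cfn-signal -e $? '", {"Ref": "WaitHandle"}, "'\n"]]}}}},
        "DataVolume": {"Type": "AWS::EC2::Volume", "Properties": {"Size": 20, "AvailabilityZone": "us-east-1a"}},
        # the volume is mapped to the instance by logical ID, never by a vol-/i- physical ID
        "VolumeMount": {"Type": "AWS::EC2::VolumeAttachment", "Properties": {
            "Device": "/dev/sdf", "InstanceId": {"Ref": "WebInstance"}, "VolumeId": {"Ref": "DataVolume"}}},
        # barrier: completes when the instance signals, or fails after Timeout seconds
        "AppReady": {"Type": "AWS::CloudFormation::WaitCondition", "DependsOn": "WebInstance",
                     "Properties": {"Handle": {"Ref": "WaitHandle"}, "Timeout": "900"}},
        "WebLoadBalancer": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "DependsOn": "AppReady",
                            "Properties": {"AvailabilityZones": ["us-east-1a"], "Instances": [{"Ref": "WebInstance"}],
                                           "Listeners": [{"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"}]}},
    },
    "Outputs": {
        "LoadBalancerDNSName": {"Value": {"Fn::GetAtt": ["WebLoadBalancer", "DNSName"]},
                                "Condition": "CreateProdResources"},
        "InstanceID": {"Value": {"Ref": "WebInstance"}},
    },
}
PSEUDO_PARAMETERS = {"AWS::AccountId", "AWS::NoValue", "AWS::NotificationARNs", "AWS::Partition",
                     "AWS::Region", "AWS::StackId", "AWS::StackName", "AWS::URLSuffix"}


def walk_refs(node):
    """Yield every logical ID referenced via Ref or Fn::GetAtt under node
    (Fn::Sub "${Name}" substitutions are not parsed by this small checker)."""
    if isinstance(node, dict):
        if len(node) == 1 and "Ref" in node:
            yield node["Ref"]
        elif len(node) == 1 and "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            yield target[0] if isinstance(target, list) else target.split(".", 1)[0]
        else:
            for value in node.values():
                yield from walk_refs(value)
    elif isinstance(node, list):
        for value in node:
            yield from walk_refs(value)


def depends_on(res):
    """DependsOn may be a single logical ID or a list of them."""
    value = res.get("DependsOn", [])
    return value if isinstance(value, list) else [value]


def check_references(template):
    """Return problems: undeclared logical IDs, a resource without a Type, or a
    Condition attribute that names a condition not declared in Conditions."""
    problems, resources = [], template.get("Resources", {})
    declared = set(resources) | set(template.get("Parameters", {})) | PSEUDO_PARAMETERS
    for name, res in resources.items():
        if "Type" not in res:
            problems.append(f"Resources.{name} has no Type")
        problems += [f"Resources.{name} DependsOn undeclared {d}" for d in depends_on(res) if d not in resources]
    for section in ("Conditions", "Resources", "Outputs"):
        for name, body in template.get(section, {}).items():
            problems += [f"{section}.{name} references undeclared logical ID {t}"
                         for t in walk_refs(body) if t not in declared]
            cond = body.get("Condition") if section != "Conditions" else None
            if cond and cond not in template.get("Conditions", {}):
                problems.append(f"{section}.{name} uses undeclared Condition {cond}")
    return problems


def creation_order(template):
    """Topological order from DependsOn plus implicit Ref/GetAtt edges (Kahn's
    algorithm); raises ValueError if the dependency graph has a cycle."""
    resources = template["Resources"]
    deps = {n: set(depends_on(r)) | {t for t in walk_refs(r) if t in resources}
            for n, r in resources.items()}
    pending = {n: len(d) for n, d in deps.items()}
    ready, order = deque(sorted(n for n, c in pending.items() if c == 0)), []
    while ready:
        name = ready.popleft()
        order.append(name)
        for other in sorted(deps):
            if name in deps[other]:
                pending[other] -= 1
                if pending[other] == 0:
                    ready.append(other)
    if len(order) != len(resources):
        raise ValueError("dependency cycle among: " + ", ".join(sorted(set(resources) - set(order))))
    return order


if __name__ == "__main__":
    print("problems:", check_references(TEMPLATE) or "none")
    print("creation order:", " -> ".join(creation_order(TEMPLATE)))
```

For the embedded template the checker reports no problems and an order in which WebInstance precedes AppReady, which precedes WebLoadBalancer, and VolumeMount follows both DataVolume and WebInstance. Pointing check_references at a template whose output names an undeclared BackupLoadBalancer, or whose Condition is not declared, produces one message per dangling reference; CloudFormation would reject such a template at validation time, and catching it in a pre-commit check is cheaper.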
AWS ________supports__________ environments as one of the AWS resource types.
- Elastic Beanstalk; Elastic Beanstalk application
- CloudFormation; Elastic Beanstalk application
- Elastic Beanstalk ; CloudFormation application
- CloudFormation; CloudFormation application
Explanation:
AWS CloudFormation and AWS Elastic Beanstalk services are designed to complement each other. AWS CloudFormation supports Elastic Beanstalk application environments as one of the AWS resource types. -
AWS CloudFormation ______ are special actions you use in your template to assign values to properties that are not available until runtime.
- intrinsic functions
- properties declarations
- output functions
- conditions declarations
Explanation:
AWS CloudFormation intrinsic functions are special actions you use in your template to assign values to properties that are not available until runtime, such as the physical ID or an attribute of a resource the stack creates (Ref and Fn::GetAtt are the most common). In a JSON template, each function is declared with its name enclosed in quotation marks (""), a single colon, and its parameters. -