QUESTION 38
Can one instance be registered with two ELBs in the same region?
A. No
B. Yes, provided both ELBs have the same health check configuration
C. Yes, always
D. Yes, provided both ELBs are in the same AZ
Answer: C
Explanation:
Yes, it is possible to have one instance part of two separate ELBs, though both ELBs have
different configurations. ELBs are never launched in specific zones.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/enable-disable-az.html
QUESTION 39
What does Amazon SQS provide?
A. An asynchronous message queue service.
B. A Simple Query Server, managed directly by Amazon Web Services.
C. None of these.
D. A synchronous message queue service.
Answer: A
Explanation:
Amazon SQS stands for Simple Queue Services, and provides a cost-effective way to decouple
the components of your application through an asynchronous message queue service
QUESTION 40
A user is trying to create a list of IAM users with the AWS console. When the IAM users are
created which of the below mentioned credentials will be enabled by default for the user?
A. IAM access key and secret access key
B. IAM X.509 certificates
C. Nothing. Everything is disabled by default
D. IAM passwords
Answer: C
Explanation:
Newly created IAM users have no password and no access key (access key ID and secret
access key). If the user needs to administer your AWS resources using the AWS Management
Console, you can create a password for the user. If the user needs to interact with AWS
programmatically (using the command line interface (CLI), the AWS SDK, or service-specific
APIs), you can create an access key for that user. The credentials you create for users are what
they use to uniquely identify themselves to AWS.
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_WorkingWithGroupsAndUsers.html
QUESTION 41
Bob is an IAM user who has access to the EC2 services. Admin is an IAM user who has access
to all the AWS services including IAM. Can Bob change his password?
A. No, the IAM user can never change the password
B. Yes, provided Admin has given Bob access to change his password
C. Yes, only from AWS CLI
D. Yes, only from the AWS console
Answer: B
Explanation:
The IAM users by default cannot change their password. The root owner or IAM administrator
needs to set the policy in the password policy page, which should allow the user to change their
password. Once it is enabled, the IAM user can always change their passwords from the AWS
console or CLI.
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingUserPwdSelf.html
QUESTION 42
A user has created photo editing software and hosted it on EC2. The software accepts requests
from the user about the photo format and resolution and sends a message to S3 to enhance the
picture accordingly. Which of the below mentioned AWS services will help make a scalable
software with the AWS infrastructure in this scenario?
A. AWS Elastic Transcoder
B. AWS Simple Notification Service
C. AWS Simple Queue Service
D. AWS Glacier
Answer: C
Explanation:
Amazon Simple Queue Service (SQS) is a fast, reliable, scalable, and fully managed message
queuing service. SQS provides a simple and cost-effective way to decouple the components of
an application. The user can configure SQS, which will decouple the call between the EC2
application and S3. Thus, the application does not keep waiting for S3 to provide the data.
http://aws.amazon.com/sqs/faqs/
QUESTION 43
A user has created a blank EBS volume in the US-East-1 region. The user is unable to attach the
volume to a running instance in the same region. What could be the possible reason for this?
A. The instance must be in a running state. It is required to stop the instance to attach volume
B. The AZ for the instance and volume are different
C. The instance is from an instance store backed AMI
D. The instance has enabled the volume attach protection
Answer: B
Explanation:
An EBS volume provides persistent data storage. The user can attach a volume to any instance
provided they are both in the same AZ. Even if they are in the same region but in a different AZ, it
will not be able to attach the volume to that instance.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.html
QUESTION 44
In DynamoDB, could you use IAM to grant access to Amazon DynamoDB resources and API
actions?
A. Yes
B. Depended to the type of access
C. In DynamoDB there is no need to grant access
D. No
Answer: A
Explanation:
Amazon DynamoDB integrates with AWS Identity and Access Management (IAM).
You can use AWS IAM to grant access to Amazon DynamoDB resources and API actions.
To do this, you first write an AWS IAM policy, which is a document that explicitly lists the
permissions you want to grant. You then attach that policy to an AWS IAM user or role.
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/UsingIAMWithDDB.html
QUESTION 45
A user is planning to host a mobile game on EC2 which sends notifications to active users on
either high score or the addition of new features. The user should get this notification when he is
online on his mobile device. Which of the below mentioned AWS services can help achieve this
functionality?
A. AWS Simple Notification Service.
B. AWS Simple Queue Service.
C. AWS Mobile Communication Service.
D. AWS Simple Email Service.
Answer: A
Explanation:
Amazon Simple Notification Service (Amazon SNS) is a fast, flexible, and fully managed push
messaging service. Amazon SNS makes it simple and cost-effective to push to mobile devices,
such as iPhone, iPad, Android, Kindle Fire, and internet connected smart devices, as well as
pushing to other distributed services.
QUESTION 46
An organization is setting up their website on AWS. The organization is working on various
security measures to be performed on the AWS EC2 instances. Which of the below mentioned
security mechanisms will not help the organization to avoid future data leaks and identify security
weaknesses?
A. Perform SQL injection for application testing.
B. Run penetration testing on AWS with prior approval from Amazon.
C. Perform a hardening test on the AWS instance.
D. Perform a Code Check for any memory leaks.
Answer: D
Explanation:
AWS security follows the shared security model where the user is as much responsible as
Amazon. Since Amazon is a public cloud it is bound to be targeted by hackers. If an organization
is planning to host their application on AWS EC2, they should perform the below mentioned
security checks as a measure to find any security weakness/data leaks:
Perform penetration testing as performed by attackers to find any vulnerability. The organization
must take an approval from AWS before performing penetration testing Perform hardening testing
to find if there are any unnecessary ports open Perform SQL injection to find any DB security
issues
The code memory checks are generally useful when the organization wants to improve the
application performance.
http://aws.amazon.com/security/penetration-testing/
QUESTION 47
A root account owner is trying to setup an additional level of security for all his IAM users. Which
of the below mentioned options is a recommended solution for the account owner?
A. Enable access key and secret access key for all the IAM users
B. Enable MFA for all IAM users
C. Enable the password for all the IAM users
D. Enable MFA for the root account
Answer: B
Explanation:
Multi-Factor Authentication adds an extra level of security for all the users. The user can enable
MFA for all IAM users which ensures that each user has to provide an extra six digit code for
authentication.
http://docs.aws.amazon.com/IAM/latest/UserGuide/Using_ManagingMFA.html
QUESTION 48
Regarding Amazon SQS, what happens if there is no activity against a queue for more than 30
consecutive days?
A. Your account will be suspended
B. The queue may be deleted
C. Nothing
D. The queue will be deleted
Answer: B
Explanation:
AWS reserve the right to delete a queue if none of the following requests have been issued
against the queue for more than 30 consecutive days:
SendMessage
ReceiveMessage
DeleteMessage
GetQueueAttributes
SetQueueAttributes
You should design your application with this in mind.
https://aws.amazon.com/sqs/faqs/
QUESTION 49
Which of the below mentioned options is a must to have an element as a part of the IAM policy?
A. Condition
B. ID
C. Statement
D. Version
Answer: C
Explanation:
The statement is the main element of the IAM policy and it is a must for a policy.
Elements such as condition, version and ID are not required.
http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_ElementDescriptions.
html
QUESTION 50
Which of the below mentioned commands allows the user to share the AMI with his peers using
the AWS EC2 CLI?
A. ec2-share-image-public
B. ec2-share-image-account
C. ec2-share-image
D. ec2-modify-image-attribute
Answer: D
Explanation:
A user can share an AMI with another user / peer using the command:
ec2-modify-image-attribute <AMI-ID> -l -a <AWS Account ID>
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/sharingamis-explicit.html
QUESTION 51
ExamKiller (with AWS account ID 111122223333) has created 50 IAM users for its organization's
employees. ExamKiller wants to make the AWS console login URL for all IAM users like:
https://examkiller.signin.aws.amazon.com/console/. How can this be configured?
A. The user needs to use Route 53 to map the examkiller domain and IAM URL
B. Create an IAM AWS account alias with the name examkiller
C. It is not possible to have a personalized IAM login URL
D. Create an IAM hosted zone Identity for the domain examkiller
Answer: B
Explanation:
If a user wants the URL of the AWS IAM sign-in page to have a company name instead of the
AWS account ID, he can create an alias for his AWS account ID.
http://docs.aws.amazon.com/IAM/latest/UserGuide/AccountAlias.html
QUESTION 52
A user has created a new EBS volume from an existing snapshot.
The user mounts the volume on the instance to which it is attached.
Which of the below mentioned options is a required step before the user can mount the volume?
A. Run a cyclic check on the device for data consistency
B. Create the file system of the volume
C. Resize the volume as per the original snapshot size
D. No step is required. The user can directly mount the device
Answer: D
Explanation:
When a user is trying to mount a blank EBS volume, it is required that the user first creates a file
system within the volume. If the volume is created from an existing snapshot then the user needs
not to create a file system on the volume as it will wipe out the existing data.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-using-volumes.html
QUESTION 53
A user is creating multiple IAM users. What advice should be given to him to enhance the
security?
A. Grant least privileges to the individual user
B. Grant all higher privileges to the group
C. Grant less privileges for user, but higher privileges for the group
D. Grant more privileges to the user, but least privileges to the group
Answer: A
Explanation:
It is a recommended rule that the root user should grant the least privileges to the IAM user or the
group. The higher the privileges, the more problems it can create.
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
QUESTION 54
In regards to Amazon SQS how many times will you receive each message?
A. At least twice
B. Exactly once
C. As many times as you want
D. At least once
Answer: D
Explanation:
Amazon SQS is engineered to provide "at least once" delivery of all messages in its queues.
Although most of the time, each message will be delivered to your application exactly once, you
should design your system so that processing a message more than once does not create any
errors or inconsistencies.
https://aws.amazon.com/sqs/faqs/
QUESTION 55
A user has set an IAM policy where it allows all requests if a request from IP 10.10.10.1/32.
Another policy allows all the requests between 5 PM to 7 PM. What will happen when a user is
requesting access from IP 10.10.10.1/32 at 6 PM?
A. IAM will throw an error for policy conflict
B. It is not possible to set a policy based on the time or IP
C. It will deny access
D. It will allow access
Answer: D
Explanation:
With regard to IAM, when a request is made, the AWS service decides whether a given request
should be allowed or denied. The evaluation logic follows these rules:
By default, all requests are denied. (In general, requests made using the account credentials for
resources in the account are always allowed.)
An explicit allow policy overrides this default.
An explicit deny policy overrides any allows.
http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html
QUESTION 56
A user is enabling logging on a particular bucket. Which of the below mentioned options may be
best suitable to allow access to the log bucket?
A. Create an IAM policy and allow log access
B. It is not possible to enable logging on the S3 bucket
C. Create an IAM Role which has access to the log bucket
D. Provide ACL for the logging group
Answer: D
Explanation:
The only recommended use case for the S3 bucket ACL is to grant the write permission to the
Amazon S3 Log Delivery group to write access log objects to the user's bucket.
http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-alternatives-guidelines.html
QUESTION 56
A user is enabling logging on a particular bucket. Which of the below mentioned options may be
best suitable to allow access to the log bucket?
A. Create an IAM policy and allow log access
B. It is not possible to enable logging on the S3 bucket
C. Create an IAM Role which has access to the log bucket
D. Provide ACL for the logging group
Answer: D
Explanation:
The only recommended use case for the S3 bucket ACL is to grant the write permission to the
Amazon S3 Log Delivery group to write access log objects to the user's bucket.
http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-alternatives-guidelines.html
QUESTION 57
A user is running a webserver on EC2. The user wants to receive the SMS when the EC2
instance utilization is above the threshold limit. Which AWS services should the user configure in
this case?
A. AWS CloudWatch + AWS SES.
B. AWS CloudWatch + AWS SNS.
C. AWS CloudWatch + AWS SQS.
D. AWS EC2 + AWS Cloudwatch.
Answer: B
Explanation:
Amazon SNS makes it simple and cost-effective to push to mobile devices, such as iPhone, iPad,
Android, Kindle Fire, and internet connected smart devices, as well as pushing to other
distributed services. In this case, the user can configure that Cloudwatch sends an alarm on
when the threshold is crossed to SNS which will trigger an SMS.
QUESTION 58
Can a user associate and use his own DNS with ELB instead of the DNS provided by AWS ELB?
A. Yes, by creating a CNAME with the existing domain name provider
B. Yes, by configuring DNS in the AWS Console
C. No
D. Yes, only through Route 53 by mapping ELB and DNS
Answer: A
Explanation:
The AWS ELB allows mapping a custom domain name with ELB. The user can map ELB with
DNS in two ways: 1) By creating CNAME with the existing domain name service provider or 2) By
creating a record with Route 53.
QUESTION 59
_____________ can be used to bootstrap both the Chef Server and Chef Client software on your
EC2 instances.
A. AWS CloudFormation
B. AWS Elastic Beanstalk
C. AWS OpsWorks
D. Amazon Glacier
Answer: A
Explanation:
AWS CloudFormation can be used to bootstrap both the Chef Server and Chef Client software on
your EC2 instances.
http://aws.amazon.com/cloudformation/faqs/
QUESTION 60
In relation to Amazon Simple Workflow Service (Amazon SWF),what is an "Activity Worker"?
A. An individual task undertaken by a workflow
B. The automation of a business process
C. A piece of software that implements tasks
D. All answers listed are correct
Answer: C
Explanation:
In relation to Amazon Simple Workflow Service (Amazon SWF), an activity worker is a program
that receives activity tasks, performs them, and provides results back.
Which translates to a piece of software that implements tasks.
http://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dg-develop-activity.html
QUESTION 61
A user has launched a MySQL RDS. The user wants to plan for the DR and automate the
snapshot. Which of the below mentioned functionality offers this option with RDS?
A. Copy snapshot
B. Automated synchronization
C. Snapshot
D. Automated backup
Answer: D
Explanation:
Amazon RDS provides two different methods for backing up and restoring the Amazon DB
instances:
automated backups and DB snapshots. Automated backups automatically back up the DB
instance during a specific, user-definable backup window, and keep the backups for a limited,
user-specified period of time.
QUESTION 62
You cannot access your AWS console, so you revert to using the CLI that you are not familiar
with. Which of the following commands is not a valid CLI command for EC2 instances?
A. ec2-allocate-address
B. ec2-attach-internet-gateway
C. ec2-associate-route-table
D. ec2-allocate-interface
Answer: D
Explanation:
You can use the CLI tools to manage your Amazon EC2 resources (such as instances, security
groups, and volumes) and your Amazon VPC resources (such as VPCs, subnets, route tables,
and Internet gateways). Before you can start using the tools, you must download and configure
them.
The following are valid CLI commands for EC2 instances:
ec2-accept-vpc-peering-connection
ec2-allocate-address
ec2-assign-private-ip-addresses
ec2-associate-address
ec2-associate-dhcp-options
ec2-associate-route-table
ec2-attach-internet-gateway
ec2-attach-network-interface (not ec2-allocate-interface)
QUESTION 63
An organization has 20 employees. The organization wants to give all the users access to the
organization AWS account. Which of the below mentioned options is the right solution?
A. Share the root credentials with all the users
B. Create an IAM user for each employee and provide access to them
C. It is not advisable to give AWS access to so many users
D. Use the IAM role to allow access based on STS
Answer: B
Explanation:
AWS Identity and Access Management is a web service that enables the AWS customers to
manage users and user permissions in AWS. The IAM is targeted at organizations with multiple
users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS
Management Console. With IAM, the organizaiton can centrally manage users, security
credentials such as access keys, and permissions that control which AWS resources users can
access.
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html
QUESTION 64
When AutoScaling is launching a new instance based on condition, which of the below mentioned
policies will it follow?
A. Based on the criteria defined with cross zone Load balancing
B. Launch an instance which has the highest load distribution
C. Launch an instance in the AZ with the fewest instances
D. Launch an instance in the AZ which has the highest instances
Answer: C
Explanation:
AutoScaling attempts to distribute instances evenly between the Availability Zones that are
enabled for the user's AutoScaling group. Auto Scaling does this by attempting to launch new
instances in the Availability Zone with the fewest instances.
http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/AS_Concepts.html
QUESTION 65
In regards to Amazon SQS how can you secure the messages in your queues?
A. You can't
B. Amazon SQS uses either your Access Key ID or an X.509 certificate to authenticate your
identity
C. Through your IAM access keys
D. Don't use root access
Answer: B
Explanation:
Authentication mechanisms are provided to ensure that messages stored in Amazon SQS
queues are secured against unauthorized access. Only the AWS account owners can access the
queues they create. Amazon SQS uses proven cryptographic methods to authenticate your
identity, either through the use of your Access Key ID and request signature, or through the use
of an X.509 certificate.
https://aws.amazon.com/sqs/faqs/
QUESTION 66
Which Amazon service is not used by Elastic Beanstalk?
A. Amazon S3
B. Amazon ELB
C. Auto scaling
D. Amazon EMR
Answer: D
Explanation:
Elastic Beanstalk leverages AWS services such as Amazon Elastic Cloud Compute (Amazon
EC2), Amazon Simple Storage Service (Amazon S3), Amazon Simple Notification Service
(Amazon SNS), Elastic Load Balancing and Auto Scaling to deliver the same highly reliable,
scalable, and cost-effective infrastructure that hundreds of thousands of businesses depend on
today.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/Welcome.html
QUESTION 67
In AWS Elastic Beanstalk, if the application returns any response other than 200 ,OK or there is
no response within the configured InactivityTimeout period, __________________.
A. SQS once again makes the message visible in the queue and available for another attempt at
processing
B. SQS waits for another timeout
C. SQS run DeleteMessagecall and deletes the message from the queue
D. SQS sends a message to the application with the MessageID and pending status
Answer: A
Explanation:
In AWS Elastic Beanstalk, if the application returns any response other than 200, OK or there is
no response within the configured InactivityTimeout period, SQS once again makes the message
visible in the queue and available for another attempt at processing.
QUESTION 68
Which of the below mentioned options can be a good use case for storing content in AWS RRS?
A. Storing mission critical data Files
B. Storing infrequently used log files
C. Storing a video file which is not reproducible
D. Storing image thumbnails
Answer: D
Explanation:
AWS RRS provides the same functionality as AWS S3, but at a cheaper rate. It is ideally suited
for non-mission, critical applications, such as files which can be reproduced.
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingRRS.html
QUESTION 69
Which header received at the EC2 instance identifies the port used by the client while requesting
ELB?
A. X-Forwarded-Proto
B. X-Requested-Proto
C. X-Forwarded-Port
D. X-Requested-Port
Answer: C
Explanation:
The X-Forwarded-Port request header helps the user identify the port used by the client while
sending a request to ELB.
QUESTION 70
When you register an activity in Amazon SWF, you provide the following information, except:
A. a name
B. timeout values
C. a domain
D. version
Answer: C
Explanation:
When designing an Amazon SWF workflow, you precisely define each of the required activities.
You then register each activity with Amazon SWF as an activity type. When you register the
activity, you provide information such as a name and version, and some timeout values based on
how long you expect the activity to take.
http://docs.aws.amazon.com/amazonswf/latest/developerguide/swf-dg-intro-to-swf.html
QUESTION 71
A user is using an EBS backed instance. Which of the below mentioned statements is true?
A. The user will be charged for volume and instance only when the instance is running
B. The user will be charged for the volume even if the instance is stopped
C. The user will be charged only for the instance running cost
D. The user will not be charged for the volume if the instance is stopped
Answer: B
Explanation:
If a user has launched an EBS backed instance, the user will be charged for the EBS volume
even though the instance is in a stopped state. The instance will be charged for the EC2 hourly
cost only when it is running.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html
QUESTION 72
A user is trying to create a policy for an IAM user from the AWS console. Which of the below
mentioned options is not available to the user while configuring policy?
A. Use policy generator to create policy
B. Use custom policy to create policy
C. Use policy simulator to create policy
D. Assign No permission
Answer: C
Explanation:
When a user is trying to create a policy from the AWS console, it will have options such as create
policy from templates or use a policy generator. The user can also define a custom policy or
chose the option to have no permission. The policy simulator is not available in the console.
http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html
QUESTION 73
A user has an S3 object in the US Standard region with the content "color=red". The user
updates the object with the content as "color="white". If the user tries to read the value 1 minute
after it was uploaded, what will S3 return?
A. It will return "color=white"
B. It will return "color=red"
C. It will return an error saying that the object was not found
D. It may return either "color=red" or "color=white" i.e. any of the value
Answer: D
Explanation:
AWS S3 follows the eventual consistent model in the US Standard Region. Once the object is
updated it may return the new value or the old value based on whether all the content is
replicated across multiple servers until it becomes consistent (eventual).
http://docs.aws.amazon.com/AmazonS3/latest/dev/Introduction.html
QUESTION 74
AWS Elastic Beanstalk will change the health status of a web server environment tier to gray
color when:
A. AWS Elastic Beanstalk detects other problems with the environment that are known to make
the application unavailable
B. Your application hasn't responded to the application health check URL within the last one hour.
C. Your application hasn't responded to the application health check URL within the last five
minutes.
D. Your application's health status is unknown because status is reported when the application is
not in the ready state.
Answer: D
Explanation:
AWS Elastic Beanstalk will change the health status of a web server environment tier to gray
color when your application's health status is unknown (because status is reported when the
application is not in the ready state).
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.healthstatus.html