QUESTION 216
What type of block cipher does Amazon S3 offer for server side encryption?
A. Triple DES
B. Advanced Encryption Standard
C. Blowfish
D. RC5
Answer: B
QUESTION 217
A user has setup an application on EC2 which uses the IAM user access key and secret access
key to make secure calls to S3. The user wants to temporarily stop the access to S3 for that IAM
user. What should the root owner do?
A. Delete the IAM user
B. Change the access key and secret access key for the users
C. Disable the access keys for the IAM user
D. Stop the instance
Answer: C
Explanation:
If the user wants to temporarily stop the access to S3 the best solution is to disable the keys.
Deleting the user will result in a loss of all the credentials and the app will not be useful in the
future. If the user stops the instance IAM users can still access S3. The change of the key does
not help either as they are still active. The best possible solution is to disable the keys.
http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingCredentials.html
QUESTION 218
When should a user try to Force Detach an EBS volume?
A. If the volume is stuck in a detaching state
B. If the volume is not accessible from the instance
C. If the volume is not unmounted and the user still wants to detach
D. If the volume is a root volume
Answer: A
Explanation:
If an EBS volume stays in the detaching state, the user can force the detachment by clicking
Force Detach. Forcing the detachment can lead to either data loss or a corrupted file system.
The user should use this option only as a last resort to detach a volume from a failed instance or
if he is detaching a volume with the intention of deleting it.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html
QUESTION 219
How can a user configure three termination policies for the AutoScaling group?
A. Define multiple policies in random order
B. Define multiple policies in the ordered list
C. Keep updating the AutoScaling group with each policy
D. The user cannot specify more than two policies for AutoScaling
Answer: B
Explanation:
To configure the Auto Scaling termination policy, the user can either specify any one of the
policies as a standalone policy or list multiple policies in an ordered list.
The policies are executed in the order that they are listed.
http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/us-termination-policy.html
QUESTION 220
A user wants to configure AutoScaling which scales up when the CPU utilization is above 70%
and scales down when the CPU utilization is below 30%. How can the user configure AutoScaling
for the above mentioned condition?
A. Use AutoScaling with a schedule
B. Configure ELB to notify AutoScaling on load increase or decrease
C. Use dynamic AutoScaling with a policy
D. Use AutoScaling by manually modifying the desired capacity during a condition
Answer: C
Explanation:
The user can configure the AutoScaling group to automatically scale up and then scale down
based on the specified conditions. To configure this, the user must setup policies which will get
triggered by the CloudWatch alarms.
http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/as-scale-based-on-demand.html
QUESTION 221
A user has created an application which sends data to a log file. The server hosting the log files
can be unavailable due to any reason. The user wants to make it so that whenever the log server
is up it should be receiving the messages. Which of the below mentioned AWS services helps
achieve this functionality?
A. AWS Simple Workflow
B. AWS Simple Task Service
C. AWS Simple Notification Service
D. AWS Simple Queue Service
Answer: D
Explanation:
Amazon Simple Queue Service (SQS) is a fast, reliable, scalable, and fully managed message
queuing service. SQS provides a simple and cost-effective way to decouple the components of
an application. The user can use SQS to transmit any volume of data without losing messages or
requiring other services to always be available. Using SQS, the application has to just send the
data to SQS and SQS transmits it to the log file whenever it is available.
QUESTION 222
Is there a limit to how much throughput you can get out of a single table in DynamoDB?
A. Yes, not more than 1,000 writes/second or 1,000 reads/second
B. No
C. Yes, not more than 10,000 writes/second or 10,000 reads/second
D. No, but If you wish to exceed throughput rates of 10,000 writes/second or 10,000 reads/second,
you must first contact AWS.
Answer: D
Explanation:
In DynamoDB, you can increase the throughput you have provisioned for your table using
UpdateTable API or in the AWS Management Console. If you wish to exceed throughput rates of
10,000 writes/second or 10,000 reads/second, you must first contact AWS.
http://aws.amazon.com/dynamodb/
QUESTION 223
In AWS Elastic Beanstalk, you can update your deployed application even while it is part of a
running environment. For a Java application, you can also use ___________ to update your
deployed application.
A. the AWS Toolkit for Eclipse
B. the AWS Toolkit for Visual Studio
C. the AWS Toolkit for JVM
D. the AWS Toolkit for Netbeans
Answer: A
Explanation:
In AWS Elastic Beanstalk, you can update your deployed application, even while it is part of a
running environment. For a Java application, you can also use the AWS Toolkit for Eclipse to
update your deployed application.
http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/GettingStarted.Walkthrough.html
QUESTION 224
You have a number of image files to encode. In an Amazon SQS worker queue, you create an
Amazon SQS message for each file specifying the command (jpeg-encode) and the location of
the file in Amazon S3. Which of the following statements best describes the functionality of
Amazon SQS?
A. Amazon SQS is for single-threaded sending or receiving speeds.
B. Amazon SQS is a non-distributed queuing system.
C. Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for
single-threaded sending or receiving speeds.
D. Amazon SQS is a distributed queuing system that is optimized for vertical scalability and for
single-threaded sending or receiving speeds.
Answer: C
Explanation:
Amazon SQS is a distributed queuing system that is optimized for horizontal scalability, not for
single-threaded sending or receiving speeds. A single client can send or receive Amazon SQS
messages at a rate of about 5 to 50 messages per second. Higher receive performance can be
achieved by requesting multiple messages (up to 10) in a single call. It may take several seconds
before a message that has been to a queue is available to be received.
http://media.amazonwebservices.com/AWS_Storage_Options.pdf
QUESTION 225
Can you configure an RDS Read Replica using CloudFormation templates?
A. Yes, provided that you have root access.
B. Yes, when you create a new CloudFormation template
C. Yes, but not for all Regions.
D. No, you can add the ReadReplica only when the resource is made available by CloudFormation
Answer: B
Explanation:
AWS CloudFormation gives developers and systems administrators an easy way to create and
manage collections of AWS resources. You can now set Read Replicas for your databases with
RDS when you create a new CloudFormation template.
You can start using it with the sample template of CloudFormation.
QUESTION 226
A user is creating an ELB with VPC. Which of the following options is available as a part of the
"Add EC2 instances" page?
A. Select Subnet
B. Select IAM
C. Select ENI
D. Select VPC
Answer: A
Explanation:
When a user is launching an ELB with VPC, he/she has to select the options, such as subnet and
security group before selecting the instances part of that subnet.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/elb-getting-started.html
QUESTION 227
A user has setup Multi AZ with the MS SQL RDS instance.
Which of the below mentioned functionalities can be achieved by the user?
A. High availability
B. Scalability
C. MS SQL does not support Multi AZ
D. Disaster recovery
Answer: C
Explanation:
The Multi AZ feature allows the user to achieve High Availability.
MS SQL does not support Multi AZ.
https://aws.amazon.com/rds/faqs/#36
QUESTION 228
An organization is having an application which can start and stop an EC2 instance as per
schedule. The organization needs the MAC address of the instance to be registered with its
software. The instance is launched in EC2-CLASSIC.
How can the organization update the MAC registration every time an instance is booted?
A. The instance MAC address never changes.
Thus, it is not required to register the MAC address every time.
B. The organization should write a boot strapping script which will get the MAC address from the
instance metadata and use that script to register with the application.
C. AWS never provides a MAC address to an instance; instead the instance ID is used for
identifying the instance for any software registration.
D. The organization should provide a MAC address as a part of the user data. Thus, whenever the
instance is booted the script assigns the fixed MAC address to that instance.
Answer: B
Explanation:
AWS provides an on demand, scalable infrastructure. AWS EC2 allows the user to launch OnDemand
instances. AWS does not provide a fixed MAC address to the instances launched in
EC2-CLASSIC. If the instance is launched as a part of EC2-VPC, it can have an ENI which can
have a fixed MAC. However, with EC2-CLASSIC, every time the instance is started or stopped it
will have a new MAC address. To get this MAC, the organization can run a script on boot which
can fetch the instance metadata and get the MAC address from that instance metadata.
Once the MAC is received, the organization can register that MAC with the software.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html
QUESTION 229
A user is trying to share a video file with all his friends. Which of the below mentioned AWS
services will be cheapest and easy to use?
A. AWS S3
B. AWS EC2
C. AWS RRS
D. AWS Glacier
Answer: C
Explanation:
AWS RRS provides the same functionality as AWS S3, but at a cheaper rate. It is ideally suited
for non mission critical applications. It provides less durability than S3, but is a cheaper option.
http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingRRS.html
QUESTION 230
A user has configured ELB. Which of the below mentioned protocols the user can configure for
ELB health checks while setting up ELB?
A. All of the options
B. TCP
C. HTTPS
D. SSL
Answer: A
Explanation:
An ELB performs a health check on its instances to ensure that it diverts traffic only to healthy
instances. The ELB can perform a health check on HTTP, HTTPS, TCP and SSL protocols.
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/Welcome.html
QUESTION 231
Is it possible to create an S3 bucket accessible only by a certain IAM user, using policies in a
CloudFormation template?
A. No, you can only create the S3 bucket but not the IAM user.
B. S3 is not supported by CloudFormation.
C. Yes, all these resources can be created using a CloudFormation template
D. No, in the same template you can only create the S3 bucket and the realtive policy.
Answer: C
Explanation:
With AWS Identity and Access Management (IAM), you can create IAM users to control who has
access to which resources in your AWS account.
You can use IAM with AWS CloudFormation to control what AWS CloudFormation actions users
can perform, such as view stack templates, create stacks, or delete stacks.
In addition to AWS CloudFormation actions, you can manage what AWS services and resources
are available to each user.
QUESTION 232
A user has created an EBS instance in the US-East-1a AZ. The user has a volume of 30 GB in
the US-East-1b zone. How can the user attach the volume to an instance?
A. Since both the volume and the instance are in the same region, the user can attach the volume
B. Use the volume migrate function to move the volume from one AZ to another and attach to the
instance
C. Take a snapshot of the volume. Create a new volume in the USEast-1a and attach that to the
instance
D. Use the volume replicate function to create a new volume in the US-East-1a and attach that to
the volume
Answer: C
Explanation:
If an EBS volume is not in the same AZ of an EC2 instance, it cannot be attached to the instance.
The only option is to take a snapshot of the volume and create a new volume in the instance's
AZ. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSSnapshots.html
QUESTION 233
A user is part of a group which has a policy allowing him just read only access to EC2. The user
is part of another group which has full access to EC2. What happens when the user tries to
launch an instance?
A. It will allow the user to launch the instance
B. It will fail since the user has just read only access
C. It will allow or deny based on the group under which the user has logged into EC2
D. It will not allow the user to add to the conflicting groups
Answer: A
Explanation:
The IAM group policy is always aggregated. In this case, if the user does not have permission for
one group, but has permission for another group, he will have full access to EC2.
Unless there is specific deny policy, the user will be able to access EC2.
http://docs.aws.amazon.com/IAM/latest/UserGuide/PoliciesOverview.html
QUESTION 234
A user has launched an RDS instance. The user has created 3 databases on the same server.
What can the maximum size be for each database?
A. The size of each DB cannot be more than 3 TB
B. It is not possible to have more than one DB on a single instance
C. The total instance storage size cannot be more than 3 TB
D. The size of each DB cannot be more than 1 TB
Answer: C
Explanation:
The AWS RDS DB instance is an isolated DB environment provided by AWS in which the user
can create more than 1 database. The maximum size of the instance should be between 5 GB
and 3 TB. The size of each DB can be anything in this range.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
QUESTION 235
A user has created an RDS instance with MySQL. The user is using the HeidiSQL client to
connect with the RDS DB. The client is unable to connect to DB from his home machine. What is
a possible reason for the failure?
A. The user has to open port 80 in the RDS security group to connect with RDS DNS
B. The security group is not configured to allow a request from the user's IP on port 3306
C. You can never connect to RDS from your desktop
D. The user has to open port 22 in the RDS security group to connect with RDS DNS
Answer: B
Explanation:
If the user needs to connect to RDS then he has to open port 3306 in the RDS security group for
his IP address.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
QUESTION 236
A user is creating a new EBS volume from an existing snapshot. The snapshot size shows 10
GB. Can the user create a volume of 30 GB from that snapshot?
A. Provided the original volume has set the change size attribute to true
B. Yes
C. Provided the snapshot has the modify size attribute set as true
D. No
Answer: B
Explanation:
A user can always create a new EBS volume of a higher size than the original snapshot size.
The user cannot create a volume of a lower size. When the new volume is created the size in the
instance will be shown as the original size. The user needs to change the size of the device with
resize2fs or other OS specific commands.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-expand-volume.html
QUESTION 237
An organization has 10000 employees. The organization wants to give restricted AWS access to
each employee. How can the organization achieve this?
A. Create an IAM user for each employee and make them a part of the group
B. It is not recommended to support 10000 users with IAM
C. Use STS and create the users' run time
D. Use Identity federation with SSO
Answer: D
Explanation:
Identity federation enables users from an existing directory to access resources within your AWS
account, making it easier to manage your users by maintaining their identities in a single place.
In this case, the federated user is the only solution since AWS does not allow creating more than
5000 IAM users.
http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html
QUESTION 238
In Amazon SNS, to send push notifications to mobile devices using Amazon SNS and ADM, you
need to obtain the following, except:
A. Client secret
B. Client ID
C. Device token
D. Registration ID
Answer: C
Explanation:
To send push notifications to mobile devices using Amazon SNS and ADM, you need to obtain
the following: Registration ID and Client secret.
http://docs.aws.amazon.com/sns/latest/dg/SNSMobilePushPrereq.html
QUESTION 239
Regarding Amazon SNS, to begin using Amazon SNS mobile push notifications, you first need
__________that uses one of the supported push notification services: APNS, GCM, or ADM.
A. an access policy for the mobile endpoints
B. to active push notification service of Amazon SNS
C. to know the type of mobile device operating system
D. an app for the mobile endpoints
Answer: D
Explanation:
In Amazon SNS, to begin using Amazon SNS mobile push notifications, you first need an app for
the mobile endpoints that uses one of the supported push notification services: APNS, GCM, or
ADM. After you've registered and configured the app to use one of these services, you configure
Amazon SNS to send push notifications to the mobile endpoints.
http://docs.aws.amazon.com/sns/latest/dg/SNSMobilePush.html
QUESTION 240
How many types of block devices does Amazon EC2 support?
A. 5
B. 1
C. 2
D. 4
Answer: C
Explanation:
Amazon EC2 supports 2 types of block devices.
QUESTION 241
ExamKiller (with AWS account ID 111122223333) has created 50 IAM users for its organization's
employees. ExamKiller wants to make the AWS console login URL for all IAM users as: https://
examkiller.signin.aws.amazon.com/console/. How can this be configured?
A. Create a bucket with the name ExamKiller and map it with the IAM alias
B. It is not possible to have capital letters as a part of the alias name
C. The user needs to use Route 53 to map the ExamKiller domain and IAM URL
D. For the AWS account, create an alias ExamKiller for the IAM login
Answer: B
Explanation:
If a user wants the URL of the AWS IAM sign-in page to have the company name instead of the
AWS account ID, he can create an alias for his AWS account ID. The alias must be unique
across all Amazon Webservices products and contain only digits, lowercase letters, and hyphens.
http://docs.aws.amazon.com/IAM/latest/UserGuide/AccountAlias.html
QUESTION 242
Can a user get a notification of each instance start / terminate configured with Auto Scaling?
A. Yes, always
B. No
C. Yes, if configured with the Auto Scaling group
D. Yes, if configured with the Launch Config
Answer: C
Explanation:
The user can get notifications using SNS if he has configured the notifications while creating the
Auto Scaling group.
http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/GettingStartedTutorial.html
QUESTION 243
AutoScaling is configured with 3 AZs. Each zone has 5 instances running. If AutoScaling wants to
terminate an instance based on the policy action, which instance will it terminate first?
A. Terminate the first launched instance
B. Randomly select the instance for termination
C. Terminate the instance from the AZ which does not have a high AWS load
D. Terminate the instance from the AZ which has instances running near to the billing hour
Answer: B
Explanation:
Before Auto Scaling selects an instance to terminate, it first identifies the Availability Zone that
has more instances than the other Availability Zones used by the group. If all the Availability
Zones have the same number of instances, it identifies a random Availability Zone.
http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/us-termination-policy.html
QUESTION 244
In regard to DynamoDB, can I delete local secondary indexes?
A. Yes, if it is a primary hash key index
B. No
C. Yes, if it is a local secondary indexes
D. Yes, if it is a Global secondary indexes
Answer: B
Explanation:
In DynamoDB, an index cannot be modified once it is created.
http://aws.amazon.com/dynamodb/faqs/#security_anchor
QUESTION 245
You need to develop and run some new applications on AWS and you know that Elastic
Beanstalk and CloudFormation can both help as a deployment mechanism for a broad range of
AWS resources. Which of the following statements best describes the differences between
Elastic Beanstalk and CloudFormation?
A. Elastic Beanstalk uses Elastic load balancing and CloudFormation doesn't.
B. CloudFormation is faster in deploying applications than Elastic Beanstalk.
C. CloudFormation is much more powerful than Elastic Beanstalk, because you can actually
design and script custom resources
D. Elastic Beanstalk is faster in deploying applications than CloudFormation.
Answer: C
Explanation:
These services are designed to complement each other. AWS Elastic Beanstalk provides an
environment to easily develop and run applications in the cloud. It is integrated with developer
tools and provides a one-stop experience for you to manage the lifecycle of your applications.
AWS CloudFormation is a convenient deployment mechanism for a broad range of AWS
resources. It supports the infrastructure needs of many different types of applications such as
existing enterprise applications, legacy applications, applications built using a variety of AWS
resources and container-based solutions (including those built using AWS Elastic Beanstalk).
AWS CloudFormation introduces two new concepts: The template, a JSON-format, text-based file
that describes all the AWS resources you need to deploy to run your application and the stack,
the set of AWS resources that are created and managed as a single unit when AWS
CloudFormation instantiates a template.
http://aws.amazon.com/cloudformation/faqs/
QUESTION 246
Can you SSH to your private machines that reside in a VPC from outside without elastic IP?
A. Yes, but only if you have direct connect or vpn
B. Only if you are using a non-US region
C. Only if you are using a US region
D. No
Answer: A
Explanation:
The instances that reside in the private subnets of your VPC are not reachable from the Internet,
meaning that is not possible to ssh into them. To interact with them you can use a bastion server,
located in a public subnet, that will act as a proxy for them.
You can also connect if you have direct connect or vpn.
http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_Scenario2.html
QUESTION 247
Does AWS CloudFormation support Amazon EC2 tagging?
A. It depends if the Amazon EC2 tagging has been defined in the template.
B. No, it doesn't support Amazon EC2 tagging.
C. No, CloudFormation doesn't support any tagging
D. Yes, AWS CloudFormation supports Amazon EC2 tagging
Answer: D
Explanation:
In AWS CloudFormation, Amazon EC2 resources that support the tagging feature can also be
tagged in an AWS template. The tag values can refer to template parameters, other resource
names, resource attribute values (e.g. addresses), or values computed by simple functions (e.g.,
a concatenated list of strings).
http://aws.amazon.com/cloudformation/faqs/
QUESTION 248
A user has created a MySQL RDS instance. Which of the below mentioned options is mandatory
to configure while creating an instance?
A. Multi AZ deployment setup
B. Automated backup window
C. Availability Zone
D. Maintenance window
Answer: A
Explanation:
When creating an RDS instance, the user needs to specify whether it is Multi AZ or not. If the
user does not provide the value for the zone, the maintenance window or automated backup
window, RDS will automatically select the value.
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.MultiAZ.html
QUESTION 249
A user has enabled the automated backup, but not specified the backup window. What will RDS
do in this case?
A. Will throw an error on instance launch
B. RDS will take 3 AM ?3:30 AM as the default window
C. RDS assigns a random time period based on the region
D. Will not allow to launch a DB instance
Answer: C
Explanation:
If the user does not specify a preferred backup window while enabling an automated backup,
Amazon RDS assigns a default 30-minute backup window which is selected at random from an 8-
hour block of time per region.
QUESTION 250
True or False: In DynamoDB, Scan operations are always eventually consistent.
A. No, scan is like Query operation
B. Yes
C. No, scan is strongly consistent by default
D. No, you can optionally request strongly consistent scan.
Answer: B
Explanation:
In DynamoDB, Scan operations are always eventually consistent.
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/APISummary.html
QUESTION 251
Regarding Amazon SNS, when you want to subscribe to a topic and receive notifications to your
email, in the Protocol drop-down box, you should select _______.
A. Email
B. Message
C. SMTP
D. IMAP
Answer: A
Explanation:
In Amazon SNS, when you want to subscribe to a topic and receive notifications to your email,
select Email in the Protocol drop-down box. Enter an email address you can use to receive the
notification in the Endpoint field.
http://docs.aws.amazon.com/sns/latest/dg/SubscribeTopic.html
QUESTION 252
When a user is detaching an EBS volume from a running instance and attaching it to a new
instance, which of the below mentioned options should be followed to avoid file system damage?
A. Unmount the volume first
B. Stop all the I/O of the volume before processing
C. Take a snapshot of the volume before detaching
D. Force Detach the volume to ensure that all the data stays intact
Answer: A
Explanation:
When a user is trying to detach an EBS volume, the user can either terminate the instance or
explicitly remove the volume. It is a recommended practice to unmount the volume first to avoid
any file system damage.
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-detaching-volume.html
QUESTION 253
A user is planning to host a scalable dynamic web application on AWS. Which of the services
may not be required by the user to achieve automated scalability?
A. CloudWatch
B. S3
C. AutoScaling
D. AWS EC2 instances
Answer: B
Explanation:
The user can achieve automated scaling by launching different EC2 instances and making them
a part of an ELB. Cloudwatch will be used to monitor the resources and based on the scaling
need it will trigger policies. AutoScaling is then used to scale up or down the instances.
http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/WhatIsAutoScaling.html
QUESTION 254
Which one of the following data types does Amazon DynamoDB not support?
A. Arrays
B. String
C. Binary
D. Number Set
Answer: A
Explanation:
Amazon DynamoDB supports the following data types:
Scalar data types (like Number, String, and Binary)
Multi-valued types (like String Set, Number Set, and Binary Set).
QUESTION 255
Regarding Amazon SNS, you can send notification messages to mobile devices through any of
the following supported push notification services, EXCEPT:
A. Google Cloud Messaging for Android (GCM)
B. Apple Push Notification Service (APNS)
C. Amazon Device Messaging (ADM)
D. Microsoft Windows Mobile Messaging (MWMM)
Answer: D
Explanation:
In Amazon SNS, you have the ability to send notification messages directly to apps on mobile
devices. Notification messages sent to a mobile endpoint can appear in the mobile app as
message alerts, badge updates, or even sound alerts. Microsoft Windows Mobile Messaging
(MWMM) doesn't exist and is not supported by Amazon SNS.
http://docs.aws.amazon.com/sns/latest/dg/SNSMobilePush.html
QUESTION 256
How can software determine the public and private IP addresses of the Amazon EC2 instance
that it is running on?
A. Query the appropriate Amazon CloudWatch metric.
B. Use ipconfig or ifconfig command.
C. Query the local instance userdata.
D. Query the local instance metadata.
Answer: D
QUESTION 257
A corporate web application is deployed within an Amazon VPC, and is connected to the
corporate data center via IPSec VPN. The application must authenticate against the on-premise
LDAP server. Once authenticated, logged-in users can only access an S3 keyspace specific to
the user. Which two approaches can satisfy the objectives? Choose 2 answers
A. The application authenticates against LDAP. The application then calls the IAM Security
Service to login to IAM using the LDAP credentials. The application can use the IAM temporary
credentials to access the appropriate S3 bucket.
B. The application authenticates against LDAP, and retrieves the name of an IAM role associated
with the user. The application then calls the IAM Security Token Service to assume that IAM
Role. The application can use the temporary credentials to access the appropriate S3 bucket.
C. The application authenticates against IAM Security Token Service using the LDAP credentials.
The application uses those temporary AWS security credentials to access the appropriate S3
bucket.
D. Develop an identity broker which authenticates against LDAP, and then calls IAM Security
Token Service to get IAM federated user credentials. The application calls the identity broker to
get IAM federated user credentials with access to the appropriate S3 bucket.
E. Develop an identity broker which authenticates against IAM Security Token Service to assume
an IAM Role to get temporary AWS security credentials. The application calls the identity broker
to get AWS temporary security credentials with access to the appropriate S3 bucket.
Answer: BD
QUESTION 258
Which of these is not a Pseudo Parameter in AWS CloudFormation?
A. AWS::StackName
B. AWS::AccountId
C. AWS::StackArn
D. AWS::NotificationARNs
Answer: C
Explanation:
This is the complete list of Pseudo Parameters: AWS::AccountId, AWS::NotificationARNs,
AWS::NoValue, AWS::Region, AWS::StackId, AWS::StackName
http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/pseudo-parameterreference.html QUESTION 259
What is the scope of an EBS volume?
A. VPC
B. Region
C. Placement Group
D. Availability Zone
Answer: D
Explanation:
An Amazon EBS volume is tied to its Availability Zone and can be attached only to instances in
the same Availability Zone.
QUESTION 260
What is the scope of AWS IAM?
A. Global
B. Availability Zone
C. Region
D. Placement Group
Answer: A
Explanation:
IAM resources are all global; there is not regional constraint.