NEW QUESTION 1
Your organization's security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password.
Which two of the following options would allow an organization to enforce this policy for AWS users?
Choose 2 answers

• A. Configure multi-factor authentication for privileged 1AM users
• B. Create 1AM users for privileged accounts
• C. Implement identity federation between your organization's Identity provider leveraging the 1AM Security Token Service
• D. Enable the 1AM single-use password policy option for privileged users

Answer: CD

NEW QUESTION 2
A user has a refrigerator plant. The user is measuring the temperature of the plant every 15 minutes. If the user wants to send the data to CloudWatch to view the data visually, which of the below mentioned statements is true with respect to the information given above?

• A. The user needs to use AWS CLI or API to upload the data
• B. The user can use the AWS Import Export facility to import data to CloudWatch
• C. The user will upload data from the AWS console
• D. The user cannot upload data to CloudWatch since it is not an AWS service metric

Answer: A

Explanation:
AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. While sending the data the user has to include the metric name, namespace and timezone as part of the request.

NEW QUESTION 3
A user has enabled the Multi AZ feature with the MS SQL RDS database server. Which of the below
mentioned statements will help the user understand the Multi AZ feature better?

• A. In a Multi AZ, AWS runs two DBs in parallel and copies the data asynchronously to the replica copy
• B. In a Multi AZ, AWS runs two DBs in parallel and copies the data synchronously to the replica copy
• C. In a Multi AZ, AWS runs just one DB but copies the data synchronously to the standby replica
• D. AWS MS SQL does not support the Multi AZ feature

Answer: C

Explanation:
Amazon RDS provides high availability and failover support for DB instances using Multi-AZ deployments. In a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous standby replica in a different Availability Zone. The primary DB instance is synchronously replicated across Availability Zones to a standby replica to provide data redundancy, eliminate I/O freezes, and minimize latency spikes during system backups. Running a DB instance with high availability can enhance availability during planned system maintenance, and help protect your databases against DB instance failure and Availability Zone disruption.Note that the high-availability feature is not a scaling solution for read-only scenarios; you cannot use a standby replica to serve read traffic. To service read-only traffic, you should use a read replica.

NEW QUESTION 4
A user is receiving a notification from the RDS DB whenever there is a change in the DB security group. The user does not want to receive these notifications for only a month. Thus, he does not want to delete the notification. How can the user configure this?

• A. Change the Disable button for notification to “Yes” in the RDS console
• B. Set the send mail flag to false in the DB event notification console
• C. The only option is to delete the notification from the console
• D. Change the Enable button for notification to “No” in the RDS console

Answer: D

Explanation:
Amazon RDS uses the Amazon Simple Notification Service to provide a notification when an Amazon RDS event occurs. Event notifications are sent to the addresses that the user has provided while creating the subscription. The user can easily turn off the notification without deleting a subscription by setting the Enabled radio button to No in the Amazon RDS console or by setting the Enabled parameter to false using the CLI or Amazon RDS API.

NEW QUESTION 5
An application that you are managing has EC2 instances & Dynamo OB tables deployed to several AWS Regions In order to monitor the performance of the application globally, you would like to see two graphs 1) Avg CPU Utilization across all EC2 instances and 2) Number of Throttled Requests for all DynamoDB tables.
How can you accomplish this?

• A. Tag your resources with the application name, and select the tag name as the dimension in the Cloudwatch Management console to view the respective graphs
• B. Use the Cloud Watch CLI tools to pull the respective metrics from each regional endpoint Aggregate the data offline & store it for graphing in CloudWatc
• C. Add SNMP traps to each instance and DynamoDB table Leverage a central monitoring server to capture data from each instance and table Put the aggregate data into Cloud Watch for graphin
• D. Add a CloudWatch agent to each instance and attach one to each DynamoDB tabl
• E. When configuring the agent set the appropriate application name & view the graphs in CloudWatc

Answer: C

NEW QUESTION 6
You are designing a system that has a Bastion host. This component needs to be highly available without human intervention.
Which of the following approaches would you select?

• A. Run the bastion on two instances one in each AZ
• B. Run the bastion on an active Instance in one AZ and have an AMI ready to boot up in the event of failure
• C. Configure the bastion instance in an Auto Scaling group Specify the Auto Scaling group to include multiple AZs but have a min-size of 1 and max-size of 1
• D. Configure an ELB in front of the bastion instance

Answer: C

NEW QUESTION 7
A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at Rest. If the user is supplying his own keys for encryption (SSE-C., which of the below mentioned statements is true?

• A. The user should use the same encryption key for all versions of the same object
• B. It is possible to have different encryption keys for different versions of the same object
• C. AWS S3 does not allow the user to upload his own keys for server side encryption
• D. The SSE-C does not work when versioning is enabled

Answer: B

Explanation:
AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key (SSE-C.. If the bucket is versioning-enabled, each object version uploaded by the user using the SSE-C feature can have its own encryption key. The user is responsible for tracking which encryption key was used for which object's version

NEW QUESTION 8
You are creating an Auto Scaling group whose Instances need to insert a custom metric into CloudWatch.
Which method would be the best way to authenticate your CloudWatch PUT request?

• A. Create an IAM role with the Put MetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
• B. Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the userscredentials into the instance User Data
• C. Modify the appropriate Cloud Watch metric policies to allow the Put MetricData permission to instances from the Auto Scaling group
• D. Create an IAM user with the PutMetricData permission and put the credentials in a private repository and have applications on the server pull the credentials as needed

Answer: A

NEW QUESTION 9
A user is displaying the CPU utilization, and Network in and Network out CloudWatch metrics data of a single instance on the same graph. The graph uses one Y-axis for CPU utilization and Network in and another Y-axis for Network out. Since Network in is too high, the CPU utilization data is not visible clearly on graph to the user. How can the data be viewed better on the same graph?

• A. It is not possible to show multiple metrics with the different units on the same graph
• B. Add a third Y-axis with the console to show all the data in proportion
• C. Change the axis of Network by using the Switch command from the graph
• D. Change the units of CPU utilization so it can be shown in proportion with Network

Answer: C

Explanation:
Amazon CloudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier for the user to analyse. It is possible to show the multiple metrics with different units on the same graph. If the graph is not plotted properly due to a difference in the unit data over two metrics, the user can change the Y-axis of one of the graph by selecting that graph and clicking on the Switch option.

NEW QUESTION 10
An organization has configured the custom metric upload with CloudWatch. The organization has given permission to its employees to upload data using CLI as well SDK. How can the user track the calls made to CloudWatch?

• A. The user can enable logging with CloudWatch which logs all the activities
• B. Use CloudTrail to monitor the API calls
• C. Create an IAM user and allow each user to log the data using the S3 bucket
• D. Enable detailed monitoring with CloudWatch

Answer: B

Explanation:
AWS CloudTrail is a web service which will allow the user to monitor the calls made to the Amazon CloudWatch API for the organization’s account, including calls made by the AWS Management Console, Command Line Interface (CLI., and other services. When CloudTrail logging is turned on, CloudWatch will write log files into the Amazon S3 bucket, which is specified during the CloudTrail configuration.

NEW QUESTION 11
A user is planning to use AWS Cloudformation. Which of the below mentioned functionalities does not help him to correctly understand Cloudfromation?

• A. Cloudformation follows the DevOps model for the creation of Dev & Test
• B. AWS Cloudfromation does not charge the user for its service but only charges for the AWS resources created with it
• C. Cloudformation works with a wide variety of AWS services, such as EC2, EBS, VPC, IAM, S3, RDS, ELB, etc
• D. CloudFormation provides a set of application bootstrapping scripts which enables the user to install Software

Answer: A

Explanation:
AWS Cloudformation is an application management tool which provides application modelling, deployment, configuration, management and related activities. It supports a wide variety of AWS services, such as EC2, EBS, AS, ELB, RDS, VPC, etc. It also provides application bootstrapping scripts which enable the user to install software packages or create folders. It is free of the cost and only charges the user for the services created with it. The only challenge is that it does not follow any model, such as DevOps; instead customers can define templates and use them to provision and manage the AWS resources in an orderly way.

NEW QUESTION 12
A sys admin has created the below mentioned policy and applied to an S3 object named aws.jpg. The aws.jpg is inside a bucket named cloudacademy. What does this policy define?
"Statement": [{
"Sid": "Stmt1388811069831",
"Effect": "Allow",
"Principal": { "AWS": "*"},
"Action": [ "s3:GetObjectAcl", "s3:ListBucket", "s3:GetObject"],
"Resource": [ "arn:aws:s3:::cloudacademy/*.jpg"]
}]

• A. It is not possible to define a policy at the object level
• B. It will make all the objects of the bucket cloudacademy as public
• C. It will make the bucket cloudacademy as public
• D. the aws.jpg object as public

Answer: A

Explanation:
A system admin can grant permission to the S3 objects or buckets to any user or make objects public using the bucket policy and user policy. Both use the JSON-based access policy language. Generally if the user is defining the ACL on the bucket, the objects in the bucket do not inherit it and vice a versa. The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket. It cannot be applied at the object level.

NEW QUESTION 13
A user has configured ELB with two EBS backed instances. The user has stopped the instances for 1 week to save costs. The user restarts the instances after 1 week. Which of the below mentioned statements will help the user to understand the ELB and instance registration better?

• A. There is no way to register the stopped instances with ELB
• B. The user cannot stop the instances if they are registered with ELB
• C. If the instances have the same Elastic IP assigned after reboot they will be registered with ELB
• D. The instances will automatically get registered with ELB

Answer: C

Explanation:
Elastic Load Balancing registers the user’s load balancer with his EC2 instance using the associated IP address. When the instances are stopped and started back they will have a different IP address. Thus, they will not get registered with ELB unless the user manually registers them. If the instances are assigned the same Elastic IP after reboot they will automatically get registered with ELB.

NEW QUESTION 14
Your EC2-Based Multi-tier application includes a monitoring instance that periodically makes application -level read only requests of various application components and if any of those fail more than three times 30 seconds calls CloudWatch lo fire an alarm, and the alarm notifies your operations team by email and SMS of a possible application health problem. However, you also need to watch the watcher -the monitoring instance itself - and be notified if it becomes unhealthy.
Which of the following is a simple way to achieve that goal?

• A. Run another monitoring instance that pings the monitoring instance and fires a could watch alarm mat notifies your operations teamshould the primary monitoring instance become unhealth
• B. Set a CloudWatch alarm based on EC2 system and instance status checks and have the alarm notify your operations team of any detected problem with the monitoring instanc
• C. Set a CloudWatch alarm based on the CPU utilization of the monitoring instance and nave the alarm notify your operations team if C r the CPU usage exceeds 50% few more than one minute: then have your monitoring application go into a CPU-bound loop should it Detect any application problem
• D. Have the monitoring instances post messages to an SOS queue and then dequeue those messages on another instance should the queue cease to have new messages, the second instance should first terminate the original monitoring instance start anotherbackup monitoring instance and assume (he role of the previous monitoring instance and beginning adding messages to the SQSqueu

Answer: D

NEW QUESTION 15
What are characteristics of Amazon S3? Choose 2 answers

• A. Objects are directly accessible via a URL
• B. S3 should be used to host a relational database
• C. S3 allows you to store objects or virtually unlimited size
• D. S3 allows you to store virtually unlimited amounts of data
• E. S3 offers Provisioned IOPS

Answer: AD

NEW QUESTION 16
An organization wants to move to Cloud. They are looking for a secure encrypted database storage option. Which of the below mentioned AWS functionalities helps them to achieve this?

• A. AWS MFA with EBS
• B. AWS EBS encryption
• C. Multi-tier encryption with Redshift
• D. AWS S3 server side storage

Answer: B

Explanation:
AWS EBS supports encryption of the volume while creating new volumes. It also supports creating volumes from existing snapshots provided the snapshots are created from encrypted volumes. The data at rest, the I/O as well as all the snapshots of EBS will be encrypted. The encryption occurs on the servers that host the EC2 instances, providing encryption of data as it moves between the EC2 instances and EBS storage. EBS encryption is based on the AES-256 cryptographic algorithm, which is the industry standard

NEW QUESTION 17
A user has granted read/write permission of his S3 bucket using ACL. Which of the below mentioned options is a valid ID to grant permission to other AWS accounts (grantee. using ACL?

• A. IAM User ID
• B. S3 Secure ID
• C. Access ID
• D. Canonical user ID

Answer: D

Explanation:
An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups. The user can grant permission to an AWS account by the email address of that account or by the canonical user ID. If the user provides an email in the grant request, Amazon S3 finds the canonical user ID for that account and adds it to the ACL. The resulting ACL will always contain the canonical user ID for the AWS account, and not the AWS account's email address.

NEW QUESTION 18
An organization is planning to create 5 different AWS accounts considering various security requirements. The organization wants to use a single payee account by using the
consolidated billing option. Which of the below mentioned statements is true with respect to the above information?

• A. Master (Paye
• B. account will get only the total bill and cannot see the cost incurred by each account
• C. Master (Paye
• D. account can view only the AWS billing details of the linked accounts
• E. It is not recommended to use consolidated billing since the payee account will have access to the linked accounts
• F. Each AWS account needs to create an AWS billing policy to provide permission to the payee account

Answer: B

Explanation:
AWS consolidated billing enables the organization to consolidate payments for multiple Amazon Web Services (AWS. accounts within a single organization by making a single paying account. Consolidated billing enables the organization to see a combined view of the AWS charges incurred by each account as well as obtain a detailed cost report for each of the individual AWS accounts associated with the paying account. The payee account will not have any other access than billing data of linked accounts.