NEW QUESTION 1
A user has created a VPC with CIDR 20.0.0.0/16 with only a private subnet and VPN connection using the VPC wizard. The user wants to connect to the instance in a private subnet over SSH. How should the user define the security rule for SSH?

• A. Allow Inbound traffic on port 22 from the user??s network
• B. The user has to create an instance in EC2 Classic with an elastic IP and configure the security group of a private subnet to allow SSH from that elastic IP
• C. The user can connect to a instance in a private subnet using the NAT instance
• D. Allow Inbound traffic on port 80 and 22 to allow the user to connect to a private subnet over the Internet

Answer: A

Explanation:
The user can create subnets as per the requirement within a VPC. If the user wants to connect VPC from his own data center, the user can setup a case with a VPN only subnet (private. which uses VPN access to connect with his data center. When the user has configured this setup with Wizard, all network connections to the instances in the subnet will come from his data center. The user has to configure the security group of the private subnet which allows the inbound traffic on SSH (port 22. from the data center??s network range.

NEW QUESTION 2
Your business is building a new application that will store its entire customer database on a RDS MySQL database, and will have various applications and users that will query that data for different purposes.
Large analytics jobs on the database are likely to cause other applications to not be able to get the query results they need to, before time out. Also, as your data grows, these analytics jobs will start to take more time, increasing the negative effect on the other applications.
How do you solve the contention issues between these different workloads on the same data?

• A. Enable Multi-AZ mode on the RDS instance
• B. Use ElastiCache to offload the analytics job data
• C. Create RDS Read-Replicas for the analytics work
• D. Run the RDS instance on the largest size possible

Answer: B

Explanation:
Amazon ElastiCache is a web service that makes it easy to deploy and run Memcached or Redis protocol-compliant server nodes in the cloud. Amazon ElastiCache improves the performance of web applications by allowing you to retrieve information from a fast, managed, in-memory caching system, instead of relying entirely on slower disk-based databases. The service simplifies and offloads the management, monitoring and operation of in-memory cache environments, enabling your engineering resources to focus on developing applications. Using Amazon ElastiCache, you can not only improve load and response times to user actions and queries, but also reduce the cost associated with scaling web applications.
Amazon ElastiCache automates common administrative tasks required to operate a distributed cache environment. Using Amazon ElastiCache, you can add a caching layer to your application architecture in a matter of minutes via a few clicks of the AWS Management Console. Once a cache cluster is provisioned, Amazon ElastiCache automatically detects and replaces failed cache nodes, providing a resilient system that mitigates the risk of overloaded databases, which slow website and application load times. Through integration with Amazon CloudWatch monitoring, Amazon ElastiCache provides enhanced visibility into key performance metrics associated with your cache nodes. Amazon ElastiCache is protocol-compliant with Memcached and Redis, so code, applications, and popular tools that you use today with your existing Memcached or Redis environments will work seamlessly with the service. As with all Amazon Web Services,

NEW QUESTION 3
You have a web-style application with a stateless but CPU and memory-intensive web tier running on
a cc2 8xlarge EC2 instance inside of a VPC The instance when under load is having problems returning requests within the SLA as defined by your business The application maintains its state in a DynamoDB table, but the data tier is properly provisioned and responses are consistently fast.
How can you best resolve the issue of the application responses not meeting your SLA?

• A. Add another cc2 8xlarge application instance, and put both behind an Elastic Load Balancer
• B. Move the cc2 8xlarge to the same Availability Zone as the DynamoDB table
• C. Cache the database responses in ElastiCache for more rapid access
• D. Move the database from DynamoDB to RDS MySQL in scale-out read-replica configuration

Answer: C

Explanation:
But it is possibly A as DynamoDB is automatically available across three facilities in an AWS Region. So moving in to a same AZ is not possible / necessary.
In this case the DB layer is not the issue, the EC2 8xlarge is the issue; so add another one with a ELB in-frond of it.
See also: https://aws.amazon.com/dynamodb/faqs/

NEW QUESTION 4
What is a placement group?

• A. A collection of Auto Scaling groups in the same Region
• B. Feature that enables EC2 instances to interact with each other via nigh bandwidth, low latency connections
• C. A collection of Elastic Load Balancers in the same Region or Availability Zone
• D. A collection of authorized Cloud Front edge locations for a distribution

Answer: B

Explanation:
Reference:
http://aws.amazon.com/ec2/faqs/
A placement group is a logical grouping of instances within a single Availability Zone. Using placement groups enables applications to participate in a low-latency, 10 Gigabits per second (Gbps) network. Placement groups are recommended for applications that benefit from low network latency, high network throughput, or both

NEW QUESTION 5
A user is planning to setup notifications on the RDS DB for a snapshot. Which of the below mentioned event categories is not supported by RDS for this snapshot source type?

• A. Backup
• B. Creation
• C. Deletion
• D. Restoration

Answer: A

Explanation:
Amazon RDS uses the Amazon Simple Notification Service to provide a notification when an Amazon RDS event occurs. Event categories for a snapshot source type include: Creation, Deletion, and Restoration. The Backup is a part of DB instance source type.

NEW QUESTION 6
An organization (Account ID 123412341234. has attached the below mentioned IAM policy to a user. What does this policy statement entitle the user to perform?
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowUsersAllActionsForCredentials", "Effect": "Allow",
"Action": [ "iam:*LoginProfile", "iam:*AccessKey*",
"iam:*SigningCertificate*"
],
"Resource": ["arn:aws:iam:: 123412341234:user/${aws:username}"]
}]
}

• A. The policy allows the IAM user to modify all IAM user??s credentials using the console, SDK, CLI or APIs
• B. The policy will give an invalid resource error
• C. The policy allows the IAM user to modify all credentials using only the console
• D. The policy allows the user to modify all IAM user??s password, sign in certificates and access keys using only CLI, SDK or APIs

Answer: D

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the organization (Account ID 123412341234. wants some of their users to manage credentials (access keys, password, and sing in certificates. of all IAM users, they should set an applicable policy to that user or group of users. The below mentioned policy allows the IAM user to modify the credentials of all IAM user??s using only CLI, SDK or APIs. The user cannot use the AWS console for this activity since he does not have list permission for the IAM users.
{
"Version": "2012-10-17",
"Statement": [{
"Sid": "AllowUsersAllActionsForCredentials", "Effect": "Allow"
"Action": [ "iam:*LoginProfile", "iam:*AccessKey*", "iam:*SigningCertificate*"
],
"Resource": ["arn:aws:iam::123412341234:user/${aws:username}"]
}]
}

NEW QUESTION 7
A user has setup a CloudWatch alarm on the EC2 instance for CPU utilization. The user has setup to receive a notification on email when the CPU utilization is higher than 60%. The user is running a virus scan on the same instance at a particular time. The user wants to avoid receiving an email at this time. What should the user do?

• A. Remove the alarm
• B. Disable the alarm for a while using CLI
• C. Modify the CPU utilization by removing the email alert
• D. Disable the alarm for a while using the console

Answer: B

Explanation:
Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. When the user has setup an alarm and it is know that for some unavoidable event the status may change to Alarm, the user can disable the alarm using the DisableAlarmActions API or from the command line mon-disable-alarm-actions.

NEW QUESTION 8
A user is trying to create an EBS volume with the highest PIOPS supported by EBS. What is the minimum size of EBS required to have the maximum IOPS?

• A. 124
• B. 150
• C. 134
• D. 128

Answer: C

Explanation:
A provisioned IOPS EBS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume. The ratio of IOPS provisioned to the volume size requested should be a maximum of 30.

NEW QUESTION 9
A user is planning to set up the Multi AZ feature of RDS. Which of the below mentioned conditions won't take advantage of the Multi AZ feature?

• A. Availability zone outage
• B. A manual failover of the DB instance using Reboot with failover option
• C. Region outage
• D. When the user changes the DB instance??s server type

Answer: C

Explanation:
Amazon RDS when enabled with Multi AZ will handle failovers automatically. Thus, the user can resume database operations as quickly as possible without administrative intervention. The primary DB instance switches over automatically to the standby replica if any of the following conditions occur:
An Availability Zone outage The primary DB instance fails
The DB instance's server type is changed
The DB instance is undergoing software patching
A manual failover of the DB instance was initiated using Reboot with failover

NEW QUESTION 10
A system admin is planning to setup event notifications on RDS. Which of the below mentioned services will help the admin setup notifications?

• A. AWS SES
• B. AWS Cloudtrail
• C. AWS Cloudwatch
• D. AWS SNS

Answer: D

Explanation:
Amazon RDS uses the Amazon Simple Notification Service to provide a notification when an Amazon RDS event occurs. These notifications can be in any notification form supported by Amazon SNS for an AWS region, such as an email, a text message or a call to an HTTP endpoint

NEW QUESTION 11
A root account owner is trying to understand the S3 bucket ACL. Which of the below mentioned options cannot be used to grant ACL on the object using the authorized predefined group?

• A. Authenticated user group
• B. All users group
• C. Log Delivery Group
• D. Canonical user group

Answer: D

Explanation:
An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups. Amazon S3 has a set of predefined groups. When granting account access to a group, the user can specify one of the URLs of that group instead of a canonical user ID. AWS S3 has the following predefined groups:
Authenticated Users group: It represents all AWS accounts. All Users group: Access permission to this group allows anyone to access the resource. Log Delivery group: WRITE permission on a bucket enables this group to write server access logs to the bucket.

NEW QUESTION 12
An organization is trying to create various IAM users. Which of the below mentioned options is not a valid IAM username?

• A. John.cloud
• B. john@cloud
• C. John=cloud
• D. john#cloud

Answer: D

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. Whenever the organization is creating an IAM user, there should be a unique ID for each user. The names of users, groups, roles, instance profiles must be alphanumeric, including the following common characters: plus (+., equal (=., comma (,., period (.., at (@., and dash (-..

NEW QUESTION 13
A sys admin is maintaining an application on AWS. The application is installed on EC2 and user has configured ELB and Auto Scaling. Considering future load increase, the user is planning to launch new servers proactively so that they get registered with ELB. How can the user add these instances with Auto Scaling?

• A. Increase the desired capacity of the Auto Scaling group
• B. Increase the maximum limit of the Auto Scaling group
• C. Launch an instance manually and register it with ELB on the fly
• D. Decrease the minimum limit of the Auto Scaling grou

Answer: A

Explanation:
A user can increase the desired capacity of the Auto Scaling group and Auto Scaling will launch a new instance as per the new capacity. The newly launched instances will be registered with ELB if Auto Scaling group is configured with ELB. If the user decreases the minimum size the instances will be removed from Auto Scaling. Increasing the maximum size will not add instances but only set the maximum instance cap.

NEW QUESTION 14
A system admin wants to add more zones to the existing ELB. The system admin wants to perform this activity from CLI. Which of the below mentioned command helps the system admin to add new zones to the existing ELB?

• A. elb-enable-zones-for-lb
• B. elb-add-zones-for-lb
• C. It is not possible to add more zones to the existing ELB
• D. elb-configure-zones-for-lb

Answer: A

Explanation:
The user has created an Elastic Load Balancer with the availability zone and wants to add more zones to the existing ELB. The user can do so in two ways:
From the console or CLI, add new zones to ELB;

NEW QUESTION 15
A photo-sharing service stores pictures in Amazon Simple Storage Service (S3) and allows application sign-in using an OpenID Connect-compatible identity provider. Which AWS Security Token Service approach to temporary access should you use for the Amazon S3 operations?

• A. SAML-based Identity Federation
• B. Cross-Account Access
• C. AWS Identity and Access Management roles
• D. Web Identity Federation

Answer: D

NEW QUESTION 16
An Organization has been backing up their database backup to Amazon S3. A lifecycle rule has been created to transition these backups to Amazon Glacier storage class. The application development now to restore a backup.
Which step can an Administrator take to restore the backup to Amazon S3 storage?

• A. Create a new lifecycle rule to restore the backup from GLACIER storage class to Amazon S3 storage.
• B. Use the Amazon Glacier console to restore the backup from CLACIER storage class to Amazon S3 storage.
• C. Modify the existing lifecycle rule to restore the backup GKACIER storage class to Amazon S3 storage.
• D. Use the Amazon S3 console to restore the backup from CLACIER storage class to Amazon storage.

Answer: D

Explanation:
Restoring an Archived S3 Object
This topic explains how to use the Amazon S3 console to restore an object that has been archived to Glacier.
To restore archived S3 objects
Sign in to the AWS Management Console and open the Amazon S3 console at https://console.aws.amazon.com/s3/.
In the Bucket name list, choose the name of the bucket that contains the objects that you want to restore.

In the Name list, select the objects that you want to restore, choose Actions, and then choose Restore from Glacier.

In the Initiate restore dialog box, type the number of days that you want your archived data to be
accessible.
Choose one of the following retrieval options from the Retrieval options menu. Choose Bulk retrieval or Standard retrieval, and then choose Restore.
Choose Expedited retrieval.

If you have provisioned capacity, choose Restore to start a provisioned retrieval. If you have provisioned capacity, all of your expedited retrievals are served by your provisioned capacity. For more information about provisioned capacity, see Provisioned Capacity.
If you don't have provisioned capacity and you don't want to buy it, choose Restore.
If you don't have provisioned capacity, but you want to buy it, choose Add capacity unit, and then choose Buy. When you get the Purchase succeeded message, choose Restore to start provisioned retrieval.

NEW QUESTION 17
A user has granted read/write permission of his S3 bucket using ACL. Which of the below mentioned options is a valid ID to grant permission to other AWS accounts (grantee. using ACL?

• A. IAM User ID
• B. S3 Secure ID
• C. Access ID
• D. Canonical user ID

Answer: D

Explanation:
An S3 bucket ACL grantee can be an AWS account or one of the predefined Amazon S3 groups. The user can grant permission to an AWS account by the email address of that account or by the canonical user ID. If the user provides an email in the grant request, Amazon S3 finds the canonical user ID for that account and adds it to the ACL. The resulting ACL will always contain the canonical user ID for the AWS account, and not the AWS account's email address.

NEW QUESTION 18
Which services allow the customer to retain run administrative privileges or the undertying EC2 instances? Choose 2 answers

• A. AWS Elastic Beanstalk
• B. Amazon Elastic Map Reduce
• C. Elastic Load Balancing
• D. Amazon Relational Database Service
• E. Amazon Elasti Cache

Answer: AB

NEW QUESTION 19
An organization has configured Auto Scaling with ELB. One of the instance health check returns the status as Impaired to Auto Scaling. What will Auto Scaling do in this scenario?

• A. Perform a health check until cool down before declaring that the instance has failed
• B. Terminate the instance and launch a new instance
• C. Notify the user using SNS for the failed state
• D. Notify ELB to stop sending traffic to the impaired instance

Answer: B

Explanation:
The Auto Scaling group determines the health state of each instance periodically by checking the results of the Amazon EC2 instance status checks. If the instance status description shows any other state other than ??running?? or the system status description shows impaired, Auto Scaling considers the instance to be
unhealthy. Thus, it terminates the instance and launches a replacement.

NEW QUESTION 20
A sys admin is trying to understand EBS snapshots. Which of the below mentioned statements will not be useful to the admin to understand the concepts about a snapshot?

• A. The snapshot is synchronous
• B. It is recommended to stop the instance before taking a snapshot for consistent data
• C. The snapshot is incremental
• D. The snapshot captures the data that has been written to the hard disk when the snapshot command was executed

Answer: A

Explanation:
The AWS snapshot is a point in time backup of an EBS volume. When the snapshot command is executed it will capture the current state of the data that is written on the drive and take a backup. For a better and consistent snapshot of the root EBS volume, AWS recommends stopping the instance. For additional volumes it is recommended to unmount the device. The snapshots are asynchronous and incremental.

NEW QUESTION 21
A user has launched multiple EC2 instances for the purpose of development and testing in the same region. The user wants to find the separate cost for the production and development instances. How can the user find the cost distribution?

• A. The user should download the activity report of the EC2 services as it has the instance ID wise data
• B. It is not possible to get the AWS cost usage data of single region instances separately
• C. The user should use Cost Distribution Metadata and AWS detailed billing
• D. The user should use Cost Allocation Tags and AWS billing reports

Answer: D

Explanation:
AWS provides cost allocation tags to categorize and track the AWS costs. When the user applies tags to his AWS resources (such as Amazon EC2 instances or Amazon S3 buckets., AWS generates a cost allocation report as a comma-separated value (CSV file. with the usage and costs aggregated by those tags. The user can apply tags which represent business categories (such as cost centres, application names, or instance type ?V Production/Dev. to organize usage costs across multiple services.

NEW QUESTION 22
You have private video content in S3 that you want to serve to subscribed users on the Internet. User IDs, credentials, and subscriptions are stored in an Amazon RDS database.
Which configuration will allow you to securely serve private content to your users?

• A. Generate pre-signed URLs for each user as they request access to protected S3 content
• B. Create an IAM user for each subscribed user and assign the GetObject permission to each IAM user
• C. Create an S3 bucket policy that limits access to your private content to only your subscribed users' credentials
• D. Create a CloudFront Origin Identity user for your subscribed users and assign the GetObject permission to this user

Answer: D

Explanation:
Reference:
https://java.awsblog.com/post/Tx1VE22EWFR4H86/Accessing-Private-Content-in-Amazon- CloudFront

NEW QUESTION 23
A user has configured Elastic Load Balancing by enabling a Secure Socket Layer (SSL. negotiation configuration known as a Security Policy. Which of the below mentioned options is not part of this secure policy while negotiating the SSL connection between the user and the client?

• A. SSL Protocols
• B. Client Order Preference
• C. SSL Ciphers
• D. Server Order Preference

Answer: B

Explanation:
Elastic Load Balancing uses a Secure Socket Layer (SSL. negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. A security policy is a combination of SSL Protocols, SSL Ciphers, and the Server Order Preference option.

NEW QUESTION 24
......