NEW QUESTION 1
A user has created a subnet with VPC and launched an EC2 instance in that subnet with only default settings. Which of the below mentioned options is ready to use on the EC2 instance as soon as it is launched?

• A. Elastic IP
• B. Private IP
• C. Public IP
• D. Internet gateway

Answer: B

Explanation:
A Virtual Private Cloud (VPC. is a virtual network dedicated to a user??s AWS account? A subnet is a range of IP addresses in the VPC. The user can launch the AWS resources into a subnet. There are two supported platforms into which a user can launch instances: EC2-Classic and EC2-VPC. When the user launches an instance which is not a part of the non-default subnet, it will only have a private IP assigned to it. The instances part of a subnet can communicate with each other but cannot communicate over the internet or to the AWS services, such as RDS / S3.

NEW QUESTION 2
An AWS root account owner is trying to create a policy to access RDS. Which of the below mentioned statements is true with respect to the above information?

• A. Create a policy which allows the users to access RDS and apply it to the RDS instances
• B. The user cannot access the RDS database if he is not assigned the correct IAM policy
• C. The root account owner should create a policy for the IAM user and give him access to the RDS services
• D. The policy should be created for the user and provide access for RDS

Answer: C

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the account owner wants to create a policy for RDS, the owner has to create an IAM user and define the policy which entitles the IAM user with various RDS services such as Launch Instance, Manage security group, Manage parameter group etc.

NEW QUESTION 3
A user has launched an EC2 instance from an instance store backed AMI. If the user restarts the instance, what will happen to the ephermal storage data?

• A. All the data will be erased but the ephermal storage will stay connected
• B. All data will be erased and the ephermal storage is released
• C. It is not possible to restart an instance launched from an instance store backed AMI
• D. The data is preserved

Answer: D

Explanation:
A user can reboot an EC2 instance using the AWS console, the Amazon EC2 CLI or the Amazon EC2 API. Rebooting an instance is equivalent to rebooting an operating system. However, it is recommended that the user use Amazon EC2 to reboot the instance instead of running the operating system reboot command from the instance. When an instance launched from an instance store backed AMI is rebooted all the ephermal storage data is still preserved.

NEW QUESTION 4
A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80. and a DB server in the private subnet (port 3306.. The user is configuring a security group of the NAT instance. Which of the below mentioned entries is not required for the NAT security group?

• A. For Inbound allow Source: 20.0.1.0/24 on port 80
• B. For Outbound allow Destination: 0.0.0.0/0 on port 80
• C. For Inbound allow Source: 20.0.0.0/24 on port 80
• D. For Outbound allow Destination: 0.0.0.0/0 on port 443

Answer: C

Explanation:
A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet to host the web server and DB server respectively, the user should configure that the instances in the private subnet can connect to the internet using the NAT instances. The user should first configure that NAT can receive traffic on ports 80 and 443 from the private subnet. Thus, allow ports 80 and 443 in Inbound for the private subnet 20.0.1.0/24. Now to route this traffic to the internet configure ports 80 and 443 in Outbound with destination 0.0.0.0/0. The NAT should not have an entry for the public subnet CIDR.

NEW QUESTION 5
A company operate a secure website running an Amazon EC2 instance behind a Classic Load Balancer. An SSL certificate from AWS Certificate Manager is deployment on the load balancer. The company's Marketing team has determined that too many customer using older browser are experiencing issues with the website has asked a SysOps Administrator to fix this issue.
What course of action should the administrator take?

• A. Update the SSL negotiation configuration of the load balancer by creating a custom security polic
• B. Ensure the appropriate cipher has been enabled so that the web application can support the webbrowser.
• C. Create a separate Classic Load Balancer and install custom SSL certificate with a different domain name on it that support the web browse
• D. Ask customer with the affected browser to use this domain name instead of the one they are accustomed to using.
• E. Create a new SSL certificate in Certificate Manager and install this certificate on each of the servers to accommodates the web browsers.
• F. Remove the load balancer from the configuration and instead install a custom SSL certificate on each of the web servers.

Answer: A

Explanation:
Update the SSL Negotiation Configuration of Your Classic Load Balancer
Elastic Load Balancing provides security policies that have predefined SSL negotiation configurations to use to negotiate SSL connections between clients and your load balancer. If you are using the HTTPS/SSL protocol for your listener, you can use one of the predefined security policies, or use your own custom security policy.
For more information about the security policies, see SSL Negotiation Configurations for Classic Load Balancers. For information about the configurations of the security policies provided by Elastic Load Balancing, see Predefined SSL Security Policies.
If you create an HTTPS/SSL listener without associating a security policy, Elastic Load Balancing associates the default predefined security policy, ELBSecurityPolicy-2016-08, with your load balancer. If you have an existing load balancer with an SSL negotiation configuration that does not use the latest protocols and ciphers, we recommend that you update your load balancer to use ELBSecurityPolicy-2016-08. If you prefer, you can create a custom configuration. We strongly recommend that you test the new security policies before you upgrade your load balancer configuration.
The following examples show you how to update the SSL negotiation configuration for an HTTPS/SSL listener. Note that the change does not affect requests that were received by a load balancer node and are pending routing to a healthy instance, but the updated configuration will be used with new requests that are received.

NEW QUESTION 6
A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling terminate process only for a while. What will happen to the availability zone rebalancing process (AZRebalance. during this period?

• A. Auto Scaling will not launch or terminate any instances
• B. Auto Scaling will allow the instances to grow more than the maximum size
• C. Auto Scaling will keep launching instances till the maximum instance size
• D. It is not possible to suspend the terminate process while keeping the launch active

Answer: B

Explanation:
Auto Scaling performs various processes, such as Launch, Terminate, Availability Zone Rebalance (AZRebalance. etc. The AZRebalance process type seeks to maintain a balanced number of instances across Availability Zones within a region. If the user suspends the Terminate process, the AZRebalance process can cause the Auto Scaling group to grow up to ten percent larger than the maximum size. This is because Auto Scaling allows groups to temporarily grow larger than the maximum size during rebalancing activities. If Auto Scaling cannot terminate instances, the Auto Scaling group could remain up to ten percent larger than the maximum size until the user resumes the Terminate process type.

NEW QUESTION 7
When creation of an EBS snapshot Is initiated but not completed the EBS volume?

• A. Cannot be detached or attached to an EC2 instance until me snapshot completes
• B. Can be used in read-only mode while me snapshot is in progress
• C. Can be used while me snapshot Is in progress
• D. Cannot be used until the snapshot completes

Answer: C

Explanation:
Snapshots occur asynchronously; the point-in-time snapshot is created immediately, but the status of the snapshot is pending until the snapshot is complete (when all of the modified blocks have been transferred to Amazon S3), which can take several hours for large initial snapshots or subsequent snapshots where many blocks have changed. http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html

NEW QUESTION 8
A SysOps Administrator must monitor a fleet of Amazon EC2 Linux instance with the constraint that no agent be installed. The SysOps administrator Chooses Amazon CloudWatch as the monitoring tool.
Which metrics can be measured given the constraints? (Select THREE.)

• A. CPU Utilization
• B. Disk Read Operations
• C. Memory Utilization
• D. Network Packets in
• E. Network Packets Dropped
• F. CPU Ready Time

Answer: ABD

Explanation:
https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/viewing_metrics_with_cloudwatch.html

NEW QUESTION 9
A SysOps Administrator needs a report of all IAM users and the status of MFA for each user. Which IAM feature would meet this requirement?

• A. IAM Rotes report
• B. IAM MFA report
• C. IAM User Policies report
• D. IAM Credential report

Answer: D

Explanation:
Getting Credential Reports for Your AWS Account
You can generate and download a credential report that lists all users in your account and the status of their various credentials, including passwords, access keys, and MFA devices. You can get a credential report from the AWS Management Console, the AWS SDKs and Command Line Tools, or the IAM API.
You can use credential reports to assist in your auditing and compliance efforts. You can use the report to audit the effects of credential lifecycle requirements, such as password and access key rotation. You can provide the report to an external auditor, or grant permissions to an auditor so that he or she can download the report directly.
You can generate a credential report as often as once every four hours. When you request a report, IAM first checks whether a report for the AWS account has been generated within the past four hours. If so, the most recent report is downloaded. If the most recent report for the account is older than four hours, or if there are no previous reports for the account, IAM generates and downloads a new report.

NEW QUESTION 10
A user has configured ELB with SSL using a security policy for secure negotiation between the client and load balancer. The ELB security policy supports various ciphers. Which of the below mentioned options helps identify the matching cipher at the client side to the ELB cipher list when client is requesting ELB DNS over SSL?

• A. Cipher Protocol
• B. Client Configuration Preference
• C. Server Order Preference
• D. Load Balancer Preference

Answer: C

Explanation:
Elastic Load Balancing uses a Secure Socket Layer (SSL. negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. When client is requesting ELB DNS over SSL and if the load balancer is configured to support the Server Order Preference, then the load balancer gets to select the first cipher in its list that matches any one of the ciphers in the client's list. Server Order Preference ensures that the load balancer determines which cipher is used for the SSL connection.

NEW QUESTION 11
Your entire AWS infrastructure lives inside of one Amazon VPC You have an Infrastructure monitoring application running on an Amazon instance in Availability Zone (AZ) A of the region, and another application instance running in AZ B. The monitoring application needs to make use of ICMP ping to confirm network reachability of the instance hosting the application.
Can you configure the security groups for these instances to only allow the ICMP ping to pass from the monitoring instance to the application instance and nothing else'' If so how?

• A. N
• B. Two instances in two different AZ's can't talk directly to each other via ICMP ping as that protocol is not allowed across subnet (i.e., broadcast) boundaries
• C. Ye
• D. Both the monitoring instance and the application instance have to be a part of the same security group, and that security group needs to allow inbound ICMP
• E. Ye
• F. The security group for the monitoring instance needs to allow outbound ICMP and the application instance's security group needs to allow Inbound ICMP
• G. Yes, Both the monitoring instance's security group and the application instance's security group need to allow both inbound and outbound ICMP ping packets since ICMP is not a connection- oriented protocol

Answer: C

NEW QUESTION 12
A company uses AWS Organization with a multi-account structure. A Syslog Administrator was notified that an IAM user with the System Administrator policy applied was not able to launch any Amazon EC2 instance using a public?
Why is this occurring?

• A. The account is an AWS Organization master account, and by default it cannot provision EC2 instances.
• B. The account is an AWS Organization member account, and a service control policy is denying provisioning of EC2 instances.
• C. The account AWS Organization master account, and it does not have an access key activated for the IAM account.
• D. The account is an AWS Organization master account, and it does not have an access key activated for the IAM account.

Answer: B

Explanation:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scp.html

NEW QUESTION 13
An organization is generating digital policy files which are required by the admins for verification. Once the files are verified they may not be required in the future unless there is some compliance issue. If the organization wants to save them in a cost effective way, which is the best possible solution?

• A. AWS RRS
• B. AWS S3
• C. AWS RDS
• D. AWS Glacier

Answer: D

Explanation:
Amazon S3 stores objects according to their storage class. There are three major storage classes: Standard, Reduced Redundancy and Glacier. Standard is for AWS S3 and provides very high durability. However, the costs are a little higher. Reduced redundancy is for less critical files. Glacier is for archival and the files which are accessed infrequently. It is an extremely low-cost storage service that provides secure and durable storage for data archiving and backup.

NEW QUESTION 14
An application that you are managing has EC2 instances & Dynamo OB tables deployed to several AWS Regions. In order to monitor the performance of the application globally, you would like to see two graphs: 1) Avg CPU Utilization across all EC2 instances and 2) Number of Throttled Requests for all DynamoDB tables.
How can you accomplish this?

• A. Tag your resources with the application name, and select the tag name as the dimension in the CloudWatch Management console to view the respective graphs
• B. Use the Cloud Watch CLI tools to pull the respective metrics from each regional endpoint Aggregate the data offline & store it for graphing in CloudWatch.
• C. Add SNMP traps to each instance and DynamoDB table Leverage a central monitoring server to capture data from each instance and table Put the aggregate data into Cloud Watch for graphing.
• D. Add a CloudWatch agent to each instance and attach one to each DynamoDB tabl
• E. When configuring the agent set the appropriate application name & view the graphs in CloudWatch.

Answer: A

Explanation:
Correct answer should be A. When you turn on detailed monitoring in CloudWatch, you can get 1) Avg CPU Utilization across all EC2 instances and 2) Number of Throttled Requests for all DynamoDB tables
Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/GetSingleMetricAllDimen sions.html

NEW QUESTION 15
A user is trying to delete an Auto Scaling group from CLI. Which of the below mentioned steps are to be performed by the user?

• A. Terminate the instances with the ec2-terminate-instance command
• B. Terminate the Auto Scaling instances with the as-terminate-instance command
• C. Set the minimum size and desired capacity to 0
• D. There is no need to change the capacit
• E. Run the as-delete-group command and it will reset all values to 0

Answer: C

Explanation:
If the user wants to delete the Auto Scaling group, the user should manually set the values of the minimum and desired capacity to 0. Otherwise Auto Scaling will not allow for the deletion of the group from CLI. While trying from the AWS console, the user need not set the values to 0 as the Auto Scaling console will automatically do so.

NEW QUESTION 16
An organization has configured two single availability zones. The Auto Scaling groups are configured in separate zones. The user wants to merge the groups such that one group spans across multiple zones. How can the user configure this?

• A. Run the command as-join-auto-scaling-group to join the two groups
• B. Run the command as-update-auto-scaling-group to configure one group to span across zones and delete the other group
• C. Run the command as-copy-auto-scaling-group to join the two groups
• D. Run the command as-merge-auto-scaling-group to merge the groups

Answer: B

Explanation:
If the user has configured two separate single availability zone Auto Scaling groups and wants to merge them then he should update one of the groups and delete the other one. While updating the first group it is recommended that the user should increase the size of the minimum, maximum and desired capacity as a summation of both the groups.

NEW QUESTION 17
A user wants to upload a complete folder to AWS S3 using the S3 Management console. How can the user perform this activity?

• A. Just drag and drop the folder using the flash tool provided by S3
• B. Use the Enable Enhanced Folder option from the S3 console while uploading objects
• C. The user cannot upload the whole folder in one go with the S3 management console
• D. Use the Enable Enhanced Uploader option from the S3 console while uploading objects

Answer: D

Explanation:
AWS S3 provides a console to upload objects to a bucket. The user can use the file upload screen to upload the whole folder in one go by clicking on the Enable Enhanced Uploader option. When the
user uploads afolder, Amazon S3 uploads all the files and subfolders from the specified folder to the user??s bucket. It then assigns a key value that is a combination of the uploaded file name and the folder name.

NEW QUESTION 18
How can the domain's zone apex for example "myzoneapexdomain.com" be pointed towards an Elastic Load Balancer?

• A. By using an AAAA record
• B. By using an A record
• C. By using an Amazon Route 53 CNAME record
• D. By using an Amazon Route 53 Alias record

Answer: D

Explanation:
Reference:
http://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-choosing-alias- non-alias.html

NEW QUESTION 19
When an EC2 instance mat is backed by an S3-Dased AMI is terminated, what happens to the data on the root volume?

• A. Data is automatically deleted
• B. Data is automatically saved as an EBS snapshot.
• C. Data is unavailable until the instance is restarted
• D. Data is automatically saved as an EBS volume.

Answer: A

NEW QUESTION 20
A sys admin has enabled a log on ELB. Which of the below mentioned activities are not captured by the log?

• A. Response processing time
• B. Front end processing time
• C. Backend processing time
• D. Request processing time

Answer: B

Explanation:
Elastic Load Balancing access logs capture detailed information for all the requests made to the load balancer. Each request will have details, such as client IP, request path, ELB IP, time, and latencies. The time will have information, such as Request Processing time, Backend Processing time and Response Processing time.

NEW QUESTION 21
A user has launched an ELB which has 5 instances registered with it. The user deletes the ELB by mistake. What will happen to the instances?

• A. ELB will ask the user whether to delete the instances or not
• B. Instances will be terminated
• C. ELB cannot be deleted if it has running instances registered with it
• D. Instances will keep running

Answer: D

Explanation:
When the user deletes the Elastic Load Balancer, all the registered instances will be deregistered. However, they will continue to run. The user will incur charges if he does not take any action on those instances.

NEW QUESTION 22
A syslog Administrator is created additional Amazon EC2 instances and receive an Instancelimitexceeded error.
What is the cause of the issue and how can it be resolve?

• A. The Administrator has requested too many instances at once and must request fewer instances in batches
• B. The concurrent running instance limit has been reached and an EC2 limit increase request must be filed with AWS Support
• C. AWS does not currently nave enough available capacity and a different instance type must be used
• D. The Administrator must specify the maximum number of instances to be ?V created provisioning EC stances

Answer: B

Explanation:
EC2 Service Limits: AWS sets limits for these resources on a per-region basis.
If you are getting an InstanceLimitExceeded error when you try to launch an instance, you have reached your concurrent running instance limit. For new AWS accounts, the default limit is 20. If you need additional running instances, complete the form at Request to Increase Amazon EC2 Instance Limit.
By default, all AWS accounts have a limit of 20 running instances at any time per region. If you attempt to start another one, even if it already existed in the stopped state, you will receive this error message.
To resolve this issue, you can do any of the following: Stop one of your other running instances
Contact AWS support and request your running EC2 instances quota limit be raised.

NEW QUESTION 23
A user is planning to scale up an application by 8 AM and scale down by 7 PM daily using Auto Scaling. What should the user do in this case?

• A. Setup the scaling policy to scale up and down based on the CloudWatch alarms
• B. The user should increase the desired capacity at 8 AM and decrease it by 7 PM manually
• C. The user should setup a batch process which launches the EC2 instance at a specific time
• D. Setup scheduled actions to scale up or down at a specific time

Answer: A

Explanation:
Auto Scaling based on a schedule allows the user to scale the application in response to predictable load changes. To configure the Auto Scaling group to scale based on a schedule, the user needs to create scheduled actions. A scheduled action tells Auto Scaling to perform a scaling action at a
certain time in the future.

NEW QUESTION 24
......