NEW QUESTION 1
A sys admin is trying to understand the sticky session algorithm. Please select the correct sequence of steps, both when the cookie is present and when it is not, to help the admin understand the implementation of the sticky session:
ELB inserts the cookie in the response
ELB chooses the instance based on the load balancing algorithm Check the cookie in the service request
The cookie is found in the request
The cookie is not found in the request

• A. 3,1,4,2 [Cookie is not Present] & 3,1,5,2 [Cookie is Present]
• B. 3,4,1,2 [Cookie is not Present] & 3,5,1,2 [Cookie is Present]
• C. 3,5,2,1 [Cookie is not Present] & 3,4,2,1 [Cookie is Present]
• D. 3,2,5,4 [Cookie is not Present] & 3,2,4,5 [Cookie is Present]

Answer: C

Explanation:
Generally AWS ELB routes each request to a zone with the minimum load. The Elastic Load Balancer provides a feature called sticky session which binds the user??s session with a specific EC2 instance. The load balancer uses a special load-balancer-generated cookie to track the application instance for each request. When the load balancer receives a request, it first checks to see if this cookie is present in the request. If so, the request is sent to the application instance specified in the cookie. If there is no cookie, the load balancer chooses an application instance based on the existing load balancing algorithm. A cookie is inserted into the response for binding subsequent requests from the same user to that application instance.

NEW QUESTION 2
A user runs the command ??dd if=/dev/xvdf of=/dev/null bs=1M?? on an EBS volume created from a snapshot and attached to a Linux instance. Which of the below mentioned activities is the user performing with the step given above?

• A. Pre warming the EBS volume
• B. Initiating the device to mount on the EBS volume
• C. Formatting the volume
• D. Copying the data from a snapshot to the device

Answer: A

Explanation:
When the user creates an EBS volume and is trying to access it for the first time it will encounter reduced IOPS due to wiping or initiating of the block storage. To avoid this as well as achieve the best performance it is required to pre warm the EBS volume. For a volume created from a snapshot and attached with a Linux OS, the ??dd?? command pre warms the existing data on EBS and any restored snapshots of volumes that have been previously fully pre warmed. This command maintains incremental snapshots; however, because this operation is read-only, it does not pre warm unused space that has never been written to on the original volume. In the command ??dd if=/dev/xvdf of=/dev/null bs=1M?? , the parameter ??if=input file?? should be set to the drive that the user wishes to warm. The ??of=output file?? parameter should be set to the Linux null virtual device, /dev/null. The ??bs?? parameter sets the block size of the read operation; for optimal performance, this should be set to 1 MB.

NEW QUESTION 3
A user has configured ELB with two EBS backed instances. The user has stopped the instances for 1 week to save costs. The user restarts the instances after 1 week. Which of the below mentioned statements will help the user to understand the ELB and instance registration better?

• A. There is no way to register the stopped instances with ELB
• B. The user cannot stop the instances if they are registered with ELB
• C. If the instances have the same Elastic IP assigned after reboot they will be registered with ELB
• D. The instances will automatically get registered with ELB

Answer: C

Explanation:
Elastic Load Balancing registers the user??s load balancer with his EC2 instance using the associated IP address. When the instances are stopped and started back they will have a different IP address. Thus, they will not get registered with ELB unless the user manually registers them. If the instances are assigned the same Elastic IP after reboot they will automatically get registered with ELB.

NEW QUESTION 4
Exhibit:

Based on the information provided what is causing the lack of access to S3 from the instance?

• A. The instance profile does not have explicit permissions to write objects to the S3 bucket.
• B. The route table does not have a rule tor all traffic to pass through a NAT gateway.
• C. The route table does not have a rule for all traffic to pass through an internet gateway
• D. The security group does not allow all TCP and all UDP traffic.

Answer: C

Explanation:
In practice, to cover the different types of clients that might initiate traffic to public-facing instances in your VPC, you can open ephemeral ports 1024-65535. However, you can also add rules to the ACL to deny traffic on any malicious ports within that range. Ensure that you place the DENY rules earlier in the table than the ALLOW rules that open the wide range of ephemeral ports.

NEW QUESTION 5
A user is trying to send custom metrics to CloudWatch using the PutMetricData APIs. Which of the below mentioned points should the user needs to take care while sending the data to CloudWatch?

• A. The size of a request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests
• B. The size of a request is limited to 128KB for HTTP GET requests and 64KB for HTTP POST requests
• C. The size of a request is limited to 40KB for HTTP GET requests and 8KB for HTTP POST requests
• D. The size of a request is limited to 16KB for HTTP GET requests and 80KB for HTTP POST requests

Answer: A

Explanation:
With AWS CloudWatch, the user can publish data points for a metric that share not only the same time stamp, but also the same namespace and dimensions. CloudWatch can accept multiple data points in the same PutMetricData call with the same time stamp. The only thing that the user needs to take care of is that the size of a PutMetricData request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests.

NEW QUESTION 6
A user is trying to setup a recurring Auto Scaling process. The user has setup one process to scale up every day at 8 am and scale down at 7 PM. The user is trying to setup another recurring process which scales up on the 1st of every month at 8 AM and scales down the same day at 7 PM. What will Auto Scaling do in this scenario?

• A. Auto Scaling will execute both processes but will add just one instance on the 1st
• B. Auto Scaling will add two instances on the 1st of the month
• C. Auto Scaling will schedule both the processes but execute only one process randomly
• D. Auto Scaling will throw an error since there is a conflict in the schedule of two separate Auto Scaling Processes

Answer: D

Explanation:
Auto Scaling based on a schedule allows the user to scale the application in response to predictable load changes. The user can also configure the recurring schedule action which will follow the Linux cron format. As per Auto Scaling, a scheduled action must have a unique time value. If the user attempts to schedule an activity at a time when another existing activity is already scheduled, the call will be rejected with an error message noting the conflict.

NEW QUESTION 7
A system admin is managing buckets, objects and folders with AWS S3. Which of the below mentioned statements is true and should be taken in consideration by the sysadmin?

• A. The folders support only ACL
• B. Both the object and bucket can have an Access Policy but folder cannot have policy
• C. Folders can have a policy
• D. Both the object and bucket can have ACL but folders cannot have ACL

Answer: A

Explanation:
A sysadmin can grant permission to the S3 objects or the buckets to any user or make objects public using the bucket policy and user policy. Both use the JSON-based access policy language. Generally if user is defining the ACL on the bucket, the objects in the bucket do not inherit it and vice a versa. The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket. It cannot be applied at the object level. The folders are similar to objects with no content. Thus, folders can have only ACL and cannot have a policy.

NEW QUESTION 8
An organization, which has the AWS account ID as 999988887777, has created 50 IAM users. All the users are added to the same group cloudacademy. If the organization has enabled that each IAM user can login with the AWS console, which AWS login URL will the IAM users use?

• A. https://999988887777.signin.aws.amazon.com/console/
• B. https:// signin.aws.amazon.com/cloudacademy/
• C. https:// cloudacademy.signin.aws.amazon.com/999988887777/console/
• D. https:// 999988887777.aws.amazon.com/ cloudacademy/

Answer: A

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. Once the organization has created the IAM users, they will have a separate AWS console URL to login to the AWS console. The console login URL for the IAM user will be https:// AWS_Account_ID.signin.aws.amazon.com/console/. It uses only the AWS account ID and does not depend on the group or user ID.

NEW QUESTION 9
George has shared an EC2 AMI created in the US East region from his AWS account with Stefano. George copies the same AMI to the US West region. Can Stefano access the copied AMI of George??s account from the US West region?

• A. No, copy AMI does not copy the permission
• B. It is not possible to share the AMI with a specific account
• C. Yes, since copy AMI copies all private account sharing permissions
• D. Yes, since copy AMI copies all the permissions attached with the AMI

Answer: A

Explanation:
Within EC2, when the user copies an AMI, the new AMI is fully independent of the source AMI; there is no link to the original (source. AMI. AWS does not copy launch the permissions, user-defined tags or the Amazon S3 bucket permissions from the source AMI to the new AMI. Thus, in this case by default Stefano will not have access to the AMI in the US West region.

NEW QUESTION 10
Which of the below mentioned AWS RDS logs cannot be viewed from the console for MySQL?

• A. Error Log
• B. Slow Query Log
• C. Transaction Log
• D. General Log

Answer: C

Explanation:
The user can view, download, and watch the database logs using the Amazon RDS console, the Command Line Interface (CLI., or the Amazon RDS API. For the MySQL RDS, the user can view the error log, slow querylog, and general logs. RDS does not support viewing the transaction logs.

NEW QUESTION 11
A user has created an ELB with Auto Scaling. Which of the below mentioned offerings from ELB helps the user to stop sending new requests traffic from the load balancer to the EC2 instance when the instance is being deregistered while continuing in-flight requests?

• A. ELB sticky session
• B. ELB deregistration check
• C. ELB connection draining
• D. ELB auto registration Off

Answer: C

Explanation:
The Elastic Load Balancer connection draining feature causes the load balancer to stop sending new requests to the back-end instances when the instances are deregistering or become unhealthy, while ensuring that inflight requests continue to be served.

NEW QUESTION 12
A user is trying to launch an EBS backed EC2 instance under free usage. The user wants to achieve encryption of the EBS volume. How can the user encrypt the data at rest?

• A. Use AWS EBS encryption to encrypt the data at rest
• B. The user cannot use EBS encryption and has to encrypt the data manually or using a third party tool
• C. The user has to select the encryption enabled flag while launching the EC2 instance
• D. Encryption of volume is not available as a part of the free usage tier

Answer: B

Explanation:
AWS EBS supports encryption of the volume while creating new volumes. It supports encryption of the data at rest, the I/O as well as all the snapshots of the EBS volume. The EBS supports encryption for the selected instance type and the newer generation instances, such as m3, c3, cr1, r3, g2. It is not supported with a micro instance.

NEW QUESTION 13
A company has created a separate AWS account for all development work to protect the production environment in this development account, developers have permission to manipulate IAM policies and roles. Corporate policies require that developers and blocked from accessing some services. What is the BEST way to grant the developers privileges in the development account while still complying with corporate policies?

• A. Create a service control policy in AWS Organizations and apply it to the development account
• B. Create a customer managed policy in IAM and apply it to all users within the development account
• C. Create a job function policy in IAM and apply it to all users within the development account
• D. Create an IAM policy and apply it in API Gateway to restrict the development account

Answer: A

Explanation:
https://aws.amazon.com/blogs/security/how-to-use-service-control-policies-in-aws-organizations/

NEW QUESTION 14
A user has configured an HTTPS listener on an ELB. The user has not configured any security policy which can help to negotiate SSL between the client and ELB. What will ELB do in this scenario?

• A. By default ELB will select the first version of the security policy
• B. By default ELB will select the latest version of the policy
• C. ELB creation will fail without a security policy
• D. It is not required to have a security policy since SSL is already installed

Answer: B

Explanation:
Elastic Load Balancing uses a Secure Socket Layer (SSL. negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. If
the user has created an HTTPS/SSL listener without associating any security policy, Elastic Load Balancing will, by default, associate the latest version of the ELBSecurityPolicy-YYYY-MM with the load balancer.

NEW QUESTION 15
A company wants to send 70% of its inbound traffic to the us-east-1 region and 30% to the us-east region under normal; conditions. If all the servers go down in one of the regions, the company wants all the traffic to be re-routed to the other region.

• A. Configure an Application Load Balancer Target Group with weighted rules and a health check enabled
• B. Use a Network Load Balancer with sticky sessions enabled and weighted round room with a 70/30 ratio
• C. Create two CNAMF records in Amazon Route R3 enable dynamic traffic shaping with a 7G730 ratio
• D. Use a Route 53 weighted routing policy with a 70 /30 ratio and configure a heath check

Answer: D

Explanation:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values- weighted-alias.html

NEW QUESTION 16
A user is planning to schedule a backup for an EBS volume. The user wants security of the snapshot data. How can the user achieve data encryption with a snapshot?

• A. Use encrypted EBS volumes so that the snapshot will be encrypted by AWS
• B. While creating a snapshot select the snapshot with encryption
• C. By default the snapshot is encrypted by AWS
• D. Enable server side encryption for the snapshot using S3

Answer: A

Explanation:
AWS EBS supports encryption of the volume. It also supports creating volumes from existing snapshots provided the snapshots are created from encrypted volumes. The data at rest, the I/O as well as all the snapshots of the encrypted EBS will also be encrypted. EBS encryption is based on the AES-256 cryptographic algorithm, which is the industry standard.

NEW QUESTION 17
A user has launched two EBS backed EC2 instances in the US-East-1a region. The user wants to change the zone of one of the instances. How can the user change it?

• A. Stop one of the instances and change the availability zone
• B. The zone can only be modified using the AWS CLI
• C. From the AWS EC2 console, select the Actions - > Change zones and specify new zone
• D. Create an AMI of the running instance and launch the instance in a separate AZ

Answer: D

Explanation:
With AWS EC2, when a user is launching an instance he can select the availability zone (AZ. at the time of launch. If the zone is not selected, AWS selects it on behalf of the user. Once the instance is launched, the user cannot change the zone of that instance unless he creates an AMI of that instance and launches a new instance from it.

NEW QUESTION 18
A user has created a VPC with the public subnet. The user has created a security group for that VPC. Which of the below mentioned statements is true when a security group is created?

• A. It can connect to the AWS services, such as S3 and RDS by default
• B. It will have all the inbound traffic by default
• C. It will have all the outbound traffic by default
• D. It will by default allow traffic to the internet gateway

Answer: C

Explanation:
A Virtual Private Cloud (VPC. is a virtual network dedicated to the user??s AWS account. AWS provides two features the user can use to increase security in VPC: security groups and network ACLs. Security groups work at the instance level while ACLs work at the subnet level. When a user creates a security group with AWS VPC, by default it will allow all the outbound traffic but block all inbound traffic.

NEW QUESTION 19
A user is displaying the CPU utilization, and Network in and Network out CloudWatch metrics data of a single instance on the same graph. The graph uses one Y-axis for CPU utilization and Network in and another Y-axis for Network out. Since Network in is too high, the CPU utilization data is not visible clearly on graph to the user. How can the data be viewed better on the same graph?

• A. It is not possible to show multiple metrics with the different units on the same graph
• B. Add a third Y-axis with the console to show all the data in proportion
• C. Change the axis of Network by using the Switch command from the graph
• D. Change the units of CPU utilization so it can be shown in proportion with Network

Answer: C

Explanation:
Amazon CloudWatch provides the functionality to graph the metric data generated either by the AWS services or the custom metric to make it easier for the user to analyse. It is possible to show the multiple metrics with different units on the same graph. If the graph is not plotted properly due to a difference in the unit data over two metrics, the user can change the Y-axis of one of the graph by selecting that graph and clicking on the Switch option.

NEW QUESTION 20
An Application team is using Remote Desktop to connect to its application server and perform administrative tasks. After deployment a Windows service a existing subnets, the team discovers that it is unable to communicate with the new servers. A SysOps Administrative has obtained the VPC logs as shown in the table) related to the communication to help troubleshooting the problem.

How can this issue be resolved?

• A. Check the route Tables to validate that the Remote Desktop and return traffic is allowed to and from the new servers.
• B. Check the security groups to validate that Remote Desktop is allowed into the new servers.
• C. Check the network access control lists to validate that the Remote Desktop and return traffic is allowed to and from the new servers.
• D. Ensures that the RDP service and Windows firewall are open and listening on Port 3389 TCP.

Answer: D

NEW QUESTION 21
You have a Linux EC2 web server instance running inside a VPC The instance is In a public subnet and has an EIP associated with it so you can connect to It over the Internet via HTTP or SSH The instance was also fully accessible when you last logged in via SSH. and was also serving web requests on port 80.
Now you are not able to SSH into the host nor does it respond to web requests on port 80 that were working fine last time you checked You have double-checked that all networking configuration parameters (security groups route tables. IGW'EIP. NACLs etc) are properly configured {and you haven??t made any changes to those anyway since you were last able to reach the Instance). You look at the EC2 console and notice that system status check shows "impaired."
Which should be your next step in troubleshooting and attempting to get the instance back to a healthy state so that you can log in again?

• A. Stop and start the instance so that it will be able to be redeployed on a healthy host system that most likely will fix the "impaired" system status
• B. Reboot your instance so that the operating system will have a chance to boot in a clean healthy state that most likely will fix the 'impaired" system status
• C. Add another dynamic private IP address to me instance and try to connect via mat new path, since the networking stack of the OS may be locked up causing the ??impaired?? system status.
• D. Add another Elastic Network Interface to the instance and try to connect via that new path since the networking stack of the OS may be locked up causing the "impaired" system status
• E. un-map and then re-map the EIP to the instance, since the IGWVNAT gateway may not be working properly, causing the "impaired" system status

Answer: A

NEW QUESTION 22
A user has created a VPC with CIDR 20.0.0.0/24. The user has created a public subnet with CIDR 20.0.0.0/25 and a private subnet with CIDR 20.0.0.128/25. The user has launched one instance each in the private and public subnets. Which of the below mentioned options cannot be the correct IP address (private IP. assigned to an instance in the public or private subnet?

• A. 20.0.0.255
• B. 20.0.0.132
• C. 20.0.0.122
• D. 20.0.0.55

Answer: A

Explanation:
When the user creates a subnet in VPC, he specifies the CIDR block for the subnet. In this case the user has created a VPC with the CIDR block 20.0.0.0/24, which supports 256 IP addresses (20.0.0.0 to 20.0.0.255.. The public subnet will have IP addresses between 20.0.0.0 - 20.0.0.127 and the private subnet will have IP addresses between 20.0.0.128 - 20.0.0.255. AWS reserves the first four IP addresses and the last IP address in each subnet??s CIDR block. These are not available for the user to use. Thus, the instance cannot have an IP address of 20.0.0.255

NEW QUESTION 23
A user is trying to connect to a running EC2 instance using SSH. However, the user gets a Host key not found error. Which of the below mentioned options is a possible reason for rejection?

• A. The user has provided the wrong user name for the OS login
• B. The instance CPU is heavily loaded
• C. The security group is not configured properly
• D. The access key to connect to the instance is wrong

Answer: A

Explanation:
If the user is trying to connect to a Linux EC2 instance and receives the Host Key not found error the probable reasons are:
The private key pair is not right The user name to login is wrong

NEW QUESTION 24
......