Q301. An organization hosts an app on EC2 instances which multiple developers need access to in order to perform updates.
The organization plans to implement some security best practices related to instance access.
Which one of the following recommendations will not help improve its security in this way?
A. Disable the password based login for all the users. All the users should use their own keys to connect with the instance securely.
B. Create an IAM policy allowing only IAM users to connect to the EC2 instances with their own SSH key.
C. Create a procedure to revoke the access rights of the individual user when they are not required to connect to EC2 instance anymore for the purpose of application configuration.
D. Apply the latest patch of OS and always keep it updated.
Answer: B
Q302. A user has configured two security groups which allow traffic as given below:
1: SecGrp1:
Inbound on port 80 for 0.0.0.0/0
Inbound on port 22 for 0.0.0.0/0
2: SecGrp2:
Inbound on port 22 for 10.10.10.1/32
If both the security groups are associated with the same instance, which of the below mentioned statements is true?
A. It is not possible to have more than one security group assigned to a single instance
B. It is not possible to create the security group with conflicting rules. AWS will reject the request
C. It allows inbound traffic for everyone on both ports 22 and 80
D. It allows inbound traffic on port 22 for IP 10.10.10.1 and for everyone else on port 80
Answer: C
Q303. You have a website which requires international presence and consequently you have set it up as follows.
It is hosted on 30 EC2 instances.
It is in 15 regions around the globe.
Each region has 2 instances.
All the instances are in a public hosted zone.
Which of the following is the best way to configure your site to maintain availability with minimum downtime if one of the 15 regions were to lose network connectivity for an extended period?
(Choose 2 answers)
A. Create a Route 53 Latency Based Routing Record set that resolves to an Elastic Load Balancer in each region and has the Evaluate Target Health flag set to true.
B. Create a Route 53 failover routing policy and configure an active-passive failover.
C. Create a Route 53 Failover Routing Policy and assign each resource record set a unique identifier and a relative weight.
D. Create a Route 53 Geolocation Routing Policy that resolves to an Elastic Load Balancer in each region and has the Evaluate Target Health flag set to false.
Answer: AB
Q304. A user is accessing an EC2 instance on the SSH port for IP 10.20.30.40/32. Which one is a secure way to configure that the instance can be accessed only from this IP?
A. In the security group, open port 22 for IP 10.20.30.40
B. In the security group, open port 22 for IP 10.20.30.0
C. In the security group, open port 22 for IP 10.20.30.40/32
D. In the security group, open port 22 for IP 10.20.30.40/0
Answer: C
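The two points that Q302 and Q304 turn on are that rules from every security group attached to an instance are unioned (there is no deny rule, so the most permissive rule wins) and that a source CIDR admits exactly the hosts inside its prefix, so /32 is one host and /0 is the whole Internet. The following is an added example, not part of the original question set and not AWS code; the rule sets and test addresses are constructed from the two questions, and a bare address is treated as a /32 the way the console normalises it.

```python
"""Effective inbound rules across the security groups attached to an instance.

Added example for this page (not AWS code). Rules from every attached group are
unioned, so the most permissive rule wins; a source CIDR admits exactly the
hosts inside its prefix. Rule sets and IPs below are constructed from Q302/Q304.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, List, Set


@dataclass(frozen=True)
class InboundRule:
    port: int
    source: str  # source CIDR; a bare address is treated as a /32, as the console does

    def matches(self, src_ip: str, port: int) -> bool:
        # strict=False mirrors how 10.20.30.40/0 would be read: host bits are
        # discarded, leaving 0.0.0.0/0.
        return port == self.port and ip_address(src_ip) in ip_network(self.source, strict=False)


def allowed(groups: Iterable[Iterable[InboundRule]], src_ip: str, port: int) -> bool:
    """True if any rule in any attached group admits the packet (union semantics)."""
    return any(rule.matches(src_ip, port) for group in groups for rule in group)


def world_exposed_ports(groups: Iterable[Iterable[InboundRule]]) -> Set[int]:
    """Ports reachable from any address: run this before trusting a 'restrictive' group."""
    return {rule.port for group in groups for rule in group
            if ip_network(rule.source, strict=False).prefixlen == 0}


# Q302: the two groups as written, both attached to one instance.
SEC_GRP1: List[InboundRule] = [InboundRule(80, "0.0.0.0/0"), InboundRule(22, "0.0.0.0/0")]
SEC_GRP2: List[InboundRule] = [InboundRule(22, "10.10.10.1/32")]

# Q304: the four candidate sources for admitting only 10.20.30.40 on port 22.
Q304_OPTIONS = {
    "A": "10.20.30.40",     # bare address: one host once normalised to /32
    "B": "10.20.30.0",      # a different host entirely (10.20.30.0/32)
    "C": "10.20.30.40/32",  # exactly the intended host
    "D": "10.20.30.40/0",   # host bits dropped: 0.0.0.0/0, every address on the Internet
}


def q304_admits(option: str, src_ip: str) -> bool:
    return InboundRule(22, Q304_OPTIONS[option]).matches(src_ip, 22)


if __name__ == "__main__":
    print("Q302 random Internet host on 22:", allowed([SEC_GRP1, SEC_GRP2], "203.0.113.7", 22))
    print("Q302 ports open to the world:", sorted(world_exposed_ports([SEC_GRP1, SEC_GRP2])))
    for opt in Q304_OPTIONS:
        print(f"Q304 {opt}: intended host {q304_admits(opt, '10.20.30.40')}, "
              f"stranger {q304_admits(opt, '198.51.100.9')}")
```

Attaching the tighter SecGrp2 does nothing to narrow SecGrp1: once any attached group opens port 22 to 0.0.0.0/0, the instance is reachable from everywhere, which is why a review of an instance's exposure has to look at the union of its groups rather than at any one of them.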
Q305. While assigning a tag to an instance, which of the below mentioned options is not a valid tag key/value pair?
A. Key: "aws" Value: "aws"
B. Key: "aws:name" Value: "instance"
C. Key: "Name:aws" Value: "instance"
D. Key: "name" Value: "aws:instance"
Answer: B
Q306. Will you be able to access EC2 snapshots using the regular Amazon S3 APIs?
A. Yes, you will be able to access using S3 APIs if you have chosen the snapshot to be stored in S3.
B. No, snapshots are only available through the Amazon EBS APIs.
C. Yes, you will be able to access them using S3 APIs as all snapshots are stored in S3.
D. No, snapshots are only available through the Amazon EC2 APIs.
Answer: D
Q307. A user has created an AWS AMI. The user wants the AMI to be available only to his friend and not anyone else. How can the user manage this?
A. Share the AMI with the community and setup the approval workflow before anyone launches it.
B. It is not possible to share the AMI with the selected user.
C. Share the AMI with a friend's AWS account ID.
D. Share the AMI with a friend's AWS login ID.
Answer: C
Q308. A user is planning to launch multiple EC2 instances identical to a currently running instance.
Which of the below mentioned parameters is not copied by Amazon EC2 in the launch wizard when the user has selected the option "Launch more like this"?
A. Termination protection
B. Tenancy setting
C. Storage
D. Shutdown behaviour
Answer: C
Q309. A user has launched an EBS optimized instance with EC2. Which of the below mentioned options is the correct statement?
A. It provides additional dedicated capacity for EBS IO
B. The attached EBS will have greater storage capacity
C. The user will have a PIOPS based EBS volume
D. It will be launched on dedicated hardware in VPC
Answer: A
Q310. Which status represents a failure state in AWS CloudFormation?
A. ROLLBACK_IN_PROGRESS
B. DELETE_IN_PROGRESS
C. UPDATE_COMPLETE_CLEANUP_IN_PROGRESS
D. REVIEW_IN_PROGRESS
Answer: A
Q311. You are playing around with setting up stacks using JSON templates in CloudFormation to try and understand them a little better. You have set up about 5 or 6 but now start to wonder if you are being charged for these stacks. What is AWS's billing policy regarding stack resources?
A. You are not charged for the stack resources if they are not taking any traffic.
B. You are charged for the stack resources for the time they were operating (but not if you deleted the stack within 30 minutes)
C. You are charged for the stack resources for the time they were operating (but not if you deleted the stack within 60 minutes)
D. You are charged for the stack resources for the time they were operating (even if you deleted the stack right away)
Answer: D
Q312. In an AWS CloudFormation template, each resource declaration includes:
A. a logical ID, a resource type, and resource properties
B. a variable resource name and resource attributes
C. an IP address and resource entities
D. a physical ID, a resource file, and resource data
Answer: A
Q313. For AWS CloudFormation, which stack state refuses UpdateStack calls?
A. UPDATE_ROLLBACK_FAILED
B. UPDATE_ROLLBACK_COMPLETE
C. UPDATE_COMPLETE
D. CREATE_COMPLETE
Answer: A
Q314. In the context of AWS CloudFormation, which of the following statements is correct?
A. Actual resource names are a combination of the resource ID, stack, and logical resource name.
B. Actual resource name is the stack resource name.
C. Actual resource name is the logical resource name.
D. Actual resource names are a combination of the stack and logical resource name.
Answer: D
Q315. When using the AWS CLI for AWS CloudFormation, which of the following commands returns a description of the specified resource in the specified stack?
A. describe-stack-events
B. describe-stack-resource
C. create-stack-resource
D. describe-stack-returns
Answer: B
Q316. A user is using CloudFormation to launch an EC2 instance and then configure an application after the instance is launched. The user wants the stack creation of ELB and AutoScaling to wait until the EC2 instance is launched and configured properly. How can the user configure this?
A. The user can use the DependentCondition resource to hold the creation of the other dependent resources.
B. It is not possible that the stack creation will wait until one service is created and launched.
C. The user can use the HoldCondition resource to wait for the creation of the other dependent resources.
D. The user can use the WaitCondition resource to hold the creation of the other dependent resources.
Answer: D
Q317. AWS _______ supports __________ environments as one of the AWS resource types.
A. Elastic Beanstalk; Elastic Beanstalk application
B. CloudFormation; Elastic Beanstalk application
C. Elastic Beanstalk ; CloudFormation application
D. CloudFormation; CloudFormation application
Answer: B
Q318. AWS CloudFormation ______ are special actions you use in your template to assign values to properties that are not available until runtime.
A. intrinsic functions
B. properties declarations
C. output functions
D. conditions declarations
Answer: A
Q319. For Amazon EC2 issues, while troubleshooting AWS CloudFormation, you need to view the cloud-init and cfn logs for more information. Identify a directory to which these logs are published.
A. /var/opt/log/ec2
B. /var/log/lastlog
C. /var/log/
D. /var/log/ec2
Answer: C
Q320. True or false: In a CloudFormation template, you can reuse the same logical ID several times to reference the resources in other parts of the template.
A. True, a logical ID can be used several times to reference the resources in other parts of the template.
B. False, a logical ID must be unique within the template.
C. False, you can mention a resource only once and you cannot reference it in other parts of a template.
D. False, you cannot reference other parts of the template.
Answer: B
Q321. True or false: In CloudFormation, you cannot create an Amazon RDS DB instance from a snapshot.
A. False, you can specify it in attributes
B. False, you can specify it in condition
C. False, you can specify it in resource properties
D. True
Answer: C
Q322. How can you check the operational validity of your AWS CloudFormation template?
A. To check the operational validity, you need to attempt to create the stack.
B. There is no way to check the operational validity of your AWS CloudFormation template.
C. To check the operational validity, you need a sandbox or test area for AWS CloudFormation stacks.
D. To check the operational validity, you need to use the aws cloudformation validate-template command.
Answer: A
Q323. What is a circular dependency in AWS CloudFormation?
A. When Nested Stacks depend on each other.
B. When Resources form a DependOn loop.
C. When a Template references an earlier version of itself.
D. When a Template references a region, which references the original Template.
Answer: B
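Q316, Q320, Q322 and Q323 describe mistakes that `validate-template` does not catch, because it checks syntax only: a logical ID used twice, a Ref to something that does not exist, and a DependsOn/Ref loop that the service only reports once you try to create the stack. The following is an added example, not part of the original question set and not AWS tooling; it parses a template with a duplicate-key check, builds the dependency graph from DependsOn plus Ref/Fn::GetAtt, and searches it for a cycle. The two templates are constructed for the example; the AMI ID and resource names are placeholders.

```python
"""Static checks on a CloudFormation template: duplicate logical IDs, dangling
Ref/GetAtt targets, and DependsOn/Ref cycles. Added example, not AWS tooling.
"""
import json
from typing import Dict, List, Set

Graph = Dict[str, Set[str]]


def load_template(text: str) -> dict:
    """json.loads silently keeps the last of two duplicate keys; reject them instead."""
    def reject_duplicates(pairs):
        seen: Set[str] = set()
        for key, _ in pairs:
            if key in seen:
                raise ValueError(f"duplicate key or logical ID: {key}")
            seen.add(key)
        return dict(pairs)
    return json.loads(text, object_pairs_hook=reject_duplicates)


def has_duplicate_ids(text: str) -> bool:
    try:
        load_template(text)
    except ValueError as exc:
        return "duplicate" in str(exc)
    return False


def _collect_refs(node, out: Set[str]) -> None:
    """Gather every logical ID named by Ref or Fn::GetAtt below node."""
    if isinstance(node, dict):
        if isinstance(node.get("Ref"), str):
            out.add(node["Ref"])
        if "Fn::GetAtt" in node:
            target = node["Fn::GetAtt"]
            out.add(target[0] if isinstance(target, list) else target.split(".")[0])
        for value in node.values():
            _collect_refs(value, out)
    elif isinstance(node, list):
        for value in node:
            _collect_refs(value, out)


def dependency_graph(template: dict) -> Graph:
    """logical ID -> IDs it must wait for, from DependsOn plus intrinsic references."""
    graph: Graph = {}
    for name, body in template.get("Resources", {}).items():
        deps: Set[str] = set()
        depends_on = body.get("DependsOn", [])
        deps.update([depends_on] if isinstance(depends_on, str) else depends_on)
        _collect_refs(body.get("Properties", {}), deps)
        graph[name] = deps
    return graph


def dangling_references(template: dict) -> Set[str]:
    """IDs referenced but defined neither as a resource nor as a parameter."""
    known = set(template.get("Resources", {})) | set(template.get("Parameters", {}))
    return {d for deps in dependency_graph(template).values() for d in deps
            if d not in known and not d.startswith("AWS::")}  # AWS::Region etc. are pseudo parameters


def find_cycle(graph: Graph) -> List[str]:
    """One dependency loop as [A, B, ..., A], or [] if the graph is acyclic (DFS colouring)."""
    colour = {n: 0 for n in graph}  # 0 unvisited, 1 on the current path, 2 finished
    path: List[str] = []

    def visit(node: str) -> List[str]:
        colour[node] = 1
        path.append(node)
        for dep in graph[node]:
            if dep not in graph:
                continue  # parameter, pseudo parameter or dangling: not a resource edge
            if colour[dep] == 1:
                return path[path.index(dep):] + [dep]
            if colour[dep] == 0:
                loop = visit(dep)
                if loop:
                    return loop
        path.pop()
        colour[node] = 2
        return []

    for node in graph:
        if colour[node] == 0:
            loop = visit(node)
            if loop:
                return loop
    return []


def check_template(text: str) -> dict:
    template = load_template(text)
    return {"dangling": dangling_references(template), "cycle": find_cycle(dependency_graph(template))}


# Constructed: the Q316 pattern, ELB held back until the instance signals its WaitCondition.
WAIT_TEMPLATE = """{
 "Parameters": {"KeyName": {"Type": "AWS::EC2::KeyPair::KeyName"}},
 "Resources": {
  "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "web"}},
  "WebServer": {"Type": "AWS::EC2::Instance", "Properties": {"ImageId": "ami-00000000",
    "KeyName": {"Ref": "KeyName"}, "SecurityGroupIds": [{"Ref": "WebSG"}]}},
  "WaitHandle": {"Type": "AWS::CloudFormation::WaitConditionHandle"},
  "WaitCondition": {"Type": "AWS::CloudFormation::WaitCondition", "DependsOn": "WebServer",
    "Properties": {"Handle": {"Ref": "WaitHandle"}, "Timeout": "900"}},
  "LoadBalancer": {"Type": "AWS::ElasticLoadBalancing::LoadBalancer", "DependsOn": "WaitCondition",
    "Properties": {"Instances": [{"Ref": "WebServer"}], "Listeners": [
      {"LoadBalancerPort": "80", "InstancePort": "80", "Protocol": "HTTP"}]}}
 }
}"""

# Constructed: two security groups whose inline ingress rules reference each other (Q323).
CYCLIC_TEMPLATE = """{
 "Resources": {
  "WebSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "web",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
      "SourceSecurityGroupId": {"Ref": "DbSG"}}]}},
  "DbSG": {"Type": "AWS::EC2::SecurityGroup", "Properties": {"GroupDescription": "db",
    "SecurityGroupIngress": [{"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
      "SourceSecurityGroupId": {"Ref": "WebSG"}}]}}
 }
}"""
```

The mutual security-group reference is the most common real circular dependency: the fix is to create the groups without inline ingress and add the cross-references as separate AWS::EC2::SecurityGroupIngress resources, which breaks the loop. Even with these checks passing, operational validity (Q322) is only established by attempting the stack creation.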
Q324. You need to develop and run some new applications on AWS and you know that Elastic Beanstalk and CloudFormation can both help as a deployment mechanism for a broad range of AWS resources. Which of the following is a TRUE statement when describing the differences between Elastic Beanstalk and CloudFormation?
A. AWS Elastic Beanstalk introduces two concepts: The template, a JSON or YAML-format, text based file
B. Elastic Beanstalk supports AWS CloudFormation application environments as one of the AWS resource types.
C. Elastic Beanstalk automates and simplifies the task of repeatedly and predictably creating groups of related resources that power your applications. CloudFormation does not.
D. You can design and script custom resources in CloudFormation
Answer: D
Q325. An elastic network interface (ENI) is a virtual network interface that you can attach to an instance in a VPC. An ENI can include one public IP address, which can be auto-assigned to the elastic network interface for eth0 when you launch an instance, but only when you _____.
A. create an elastic network interface for eth1
B. include a MAC address
C. use an existing network interface
D. create an elastic network interface for eth0
Answer: D
Q326. After setting an AWS Direct Connect, which of the following cannot be done with an AWS Direct Connect Virtual Interface?
A. You can exchange traffic between the two ports in the same region connecting to different Virtual Private Gateways (VGWs) if you have more than one virtual interface.
B. You can change the region of your virtual interface.
C. You can delete a virtual interface; if its connection has no other virtual interfaces, you can delete the connection.
D. You can create a hosted virtual interface.
Answer: A
Q327. Identify a correct statement about the expiration date of the "Letter of Authorization and Connecting Facility Assignment (LOA-CFA)," which lets you complete the Cross Connect step of setting up your AWS Direct Connect.
A. If the cross connect is not completed within 90 days, the authority granted by the LOA-CFA expires.
B. If the virtual interface is not created within 72 days, the LOA-CFA becomes outdated.
C. If the cross connect is not completed within a user-defined time, the authority granted by the LOA- CFA expires.
D. If the cross connect is not completed within the specified duration from the appropriate provider, the LOA-CFA expires.
Answer: A
Q328. Which of the following is the final step that should be completed to start using AWS Direct Connect?
A. Creating your Virtual Interface
B. Configuring your router
C. Completing the Cross Connect
D. Verifying your Virtual Interface
Answer: D
Q329. A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 by mistake. The user is trying to create another subnet of CIDR 20.0.1.0/24.
How can the user create the second subnet?
A. The user can modify the first subnet CIDR with AWS CLI
B. The user can modify the first subnet CIDR from the console
C. There is no need to update the subnet as VPC automatically adjusts the CIDR of the first subnet based on the second subnet's CIDR
D. It is not possible to create a second subnet with overlapping IP CIDR without deleting the first subnet.
Answer: D
Q330. Which of the following should be followed before connecting to Amazon Virtual Private Cloud (Amazon VPC) using AWS Direct Connect?
A. Provide a public Autonomous System Number (ASN) to identify your network on the Internet.
B. Create a virtual private gateway and attach it to your Virtual Private Cloud (VPC).
C. Allocate a private IP address to your network in the 122.x.x.x range.
D. Provide a public IP address for each Border Gateway Protocol (BGP) session.
Answer: B
Q331. Your supervisor has given you the task of creating an elastic network interface on each of your web servers that connect to a mid-tier network where an application server resides. He also wants this set up as a Dual-homed Instance on Distinct Subnets. Instead of routing network packets through the dual-homed instances, where should each dual-homed instance receive and process requests to fulfil his criteria?
A. On one of the web servers
B. On the front end
C. On the back end
D. Through a security group
Answer: B
Q332. A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-123456) to connect to the user's data centre. The user's data centre has CIDR 172.28.0.0/12. The user has also set up a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet. Which of the below mentioned options is not a valid entry for the main route table in this scenario?
A. Destination: 20.0.0.0/16 and Target: local
B. Destination: 0.0.0.0/0 and Target: i-123456
C. Destination: 172.28.0.0/12 and Target: vgw-123456
D. Destination: 20.0.1.0/24 and Target: i-123456
Answer: D
Q333. While implementing the policy keys in AWS Direct Connect, if you use _____ key and the request comes from an Amazon EC2 instance, the instance's public IP address is evaluated to determine if access is allowed.
A. aws:SourceIp
B. aws:EpochTime
C. aws:CurrentTime
D. aws:SecureTransport
Answer: A
Q334. In which step of "start using AWS Direct Connect" steps is the virtual interface you created tagged with a customer-provided tag that complies with the Ethernet 802.1Q standard?
A. Download Router Configuration.
B. Complete the Cross Connect.
C. Configure Redundant Connections with AWS Direct Connect.
D. Create a Virtual Interface.
Answer: D
Q335. A user has created a VPC with CIDR 20.0.0.0/16 using the VPC wizard. The user has created public and VPN only subnets along with hardware VPN access to connect to the user's data centre. The user has not yet launched any instance, nor modified or deleted any part of the setup. He wants to delete this VPC from the console. Will the console allow the user to delete the VPC?
A. Yes, the user can detach the virtual private gateway and then use the VPC console to delete the VPC.
B. No, since the NAT instance is running, the user cannot delete the VPC.
C. Yes, the user can use the CLI to delete the VPC that will detach the virtual private gateway automatically.
D. No, the VPC console needs to be accessed using an administrator account to delete the VPC.
Answer: A
Q336. You have been asked to set up a public website on AWS with the following criteria:
You want the database and the application server running on an Amazon VPC.
You want the database to be able to connect to the Internet so that it can be automatically updated to the correct patch level.
You do not want to receive any incoming traffic from the Internet to the database.
Which solutions would be the best to satisfy all the above requirements for your planned public website on AWS?
(Choose 2 answers)
A. Set up both the public website and the database on a public subnet and block all incoming requests from the Internet with a Network Access Control List (NACL)
B. Set up both the public website and the database on a public subnet, and block all incoming requests from the Internet with a security group which only allows access from the IP of the public website.
C. Set up the public website on a public subnet and set up the database in a private subnet which connects to the Internet via a NAT instance.
D. Set up both the public website and the database on a private subnet and block all incoming requests from the Internet with a Network Access Control List (NACL). Set up a Security group between the public website and the database which only allows access via port 80.
Answer: BC
Q337. Which statement is NOT true about accessing remote AWS region in the US by your AWS Direct Connect which is located in the US?
A. AWS Direct Connect locations in the United States can access public resources in any US region.
B. You can use a single AWS Direct Connect connection to build multi-region services.
C. Any data transfer out of a remote region is billed at the location of your AWS Direct Connect data transfer rate.
D. To connect to a VPC in a remote region, you can use a virtual private network (VPN) connection over your public virtual interface.
Answer: C
Q338. Which of the following statements is NOT correct when working with your AWS Direct Connect connection after it is set up completely?
A. You can manage your AWS Direct Connect connections and view the connection details.
B. You can delete a connection as long as there are no virtual interfaces attached to it.
C. You cannot view the current connection ID and verify if it matches the connection ID on the Letter of Authorization (LOA).
D. You can accept a host connection by purchasing a hosted connection from the partner (APN).
Answer: C
Q339. Over which of the following Ethernet standards does AWS Direct Connect link your internal network to an AWS Direct Connect location?
A. Single mode fiber-optic cable
B. Multi mode fiber-optic cable
C. Shielded balanced copper cable
D. Twisted pair cable
Answer: A
Q340. Your supervisor has given you the task of creating an elastic network interface on each of your web servers that connect to a mid-tier network where an application server resides. He also wants this set up as a Dual-homed Instance on Distinct Subnets. Instead of routing network packets through the dual-homed instances, where should each dual-homed instance receive and process requests to fulfil his criteria?
A. On the front end
B. On one of the web servers
C. Through a security group
D. On the back end
Answer: A
Q341. One of the components that is part of ec2-net-utils used with ENI's is ec2ifscan. Which of the following is not correct about ec2-net-utils?
A. ec2-net-utils generates an interface configuration file suitable for use with DHCP.
B. ec2-net-utils extends the functionality of the standard ifup.
C. ec2-net-utils detaches a primary network interface from an instance.
D. ec2-net-utils identifies network interfaces when they are attached, detached, or reattached to a running instance.
Answer: C
Q342. A user wants to create a public subnet in VPC and launch an EC2 instance within it. The user has not selected the option to assign a public IP address while launching the instance.
Which of the below mentioned statements is true with respect to this scenario?
A. The instance will always have a public DNS attached to the instance by default
B. The user would need to create a default route to IGW in subnet's route table and then attach an elastic IP to the instance to connect from the internet
C. The user can directly attach an elastic IP to the instance
D. The instance will never launch if the public IP is not assigned
Answer: B
Q343. A user has created a VPC with a public subnet. The user has terminated all the instances which are part of the subnet. Which of the below mentioned statements is true with respect to this scenario?
A. The subnet to which the instances were launched with will be deleted
B. When the user launches a new instance it cannot use the same subnet
C. The user cannot delete the VPC since the subnet is not deleted
D. Secondary network interfaces attached to the terminated instances may persist.
Answer: D
Q344. When configuring your customer gateway to connect to your VPC, the ______ Association is established first between the virtual private gateway and customer gateway using the Pre Shared Key as the authenticator.
A. IPsec
B. BGP
C. IKE Security
D. Tunnel
Answer: C
Q345. An organization is trying to set up a VPC with Auto Scaling. Which of the configuration steps below is not required to set up AWS VPC with Auto Scaling?
A. Configure the Auto Scaling group with the VPC ID in which instances will be launched.
B. Configure the Auto Scaling Launch configuration with multiple subnets of the VPC to enable the Multi AZ feature.
C. Configure the Auto Scaling Launch configuration which does not allow assigning a public IP to instances.
D. Configure the Auto Scaling Launch configuration with the VPC security group.
Answer: B
Q346. An organization is planning to host a WordPress blog as well as a Joomla CMS on a single instance launched in a VPC. The organization wants to create separate domains for each application using Route 53. The organization may have about ten instances, each with these two applications. While launching each instance, the organization configured two separate network interfaces (primary + secondary ENI), each with its own Elastic IP, on the instance. The suggestion was to use a public IP from AWS instead of an Elastic IP, as the number of Elastic IPs allocated per region is restricted in the account. What action will you recommend to the organization?
A. Only Elastic IP can be used by requesting limit increase, since AWS does not assign a public IP to an instance with multiple ENIs.
B. AWS VPC does not attach a public IP to an ENI; so the only way is to use an Elastic IP.
C. I agree with the suggestion but will prefer that the organization should use separate subnets with each ENI for different public IPs.
D. I agree with the suggestion and it is recommended to use a public IP from AWS since the organization is going to use DNS with Route 53.
Answer: A
Q347. A user has created a VPC with public and private subnets. The VPC has CIDR 20.0.0.0/16.
The private subnet uses CIDR 20.0.1.0/24 and the public subnet uses CIDR 20.0.0.0/24. The user is planning to host a web server in the public subnet (port 80) and a DB server in the private subnet (port 3306). The user is configuring the security group of the NAT instance. Which of the below mentioned entries is not required in the NAT's security group for the database servers to connect to the Internet for software updates?
A. For Outbound allow Destination: 0.0.0.0/0 on port 443
B. For Inbound allow Source: 20.0.1.0/24 on port 80
C. For Inbound allow Source: 20.0.0.0/24 on port 80
D. For Outbound allow Destination: 0.0.0.0/0 on port 80
Answer: C
Q348. A user has created a VPC with public and private subnets using the VPC wizard. Which of the below mentioned statements is true in this scenario?
A. The user has to manually create a NAT instance
B. The Amazon VPC will automatically create a NAT instance with the micro size only
C. VPC updates the main route table used with the private subnet, and creates a custom route table with a public subnet
D. VPC updates the main route table used with a public subnet, and creates a custom route table with a private subnet
Answer: C
Q349. A user has created a VPC with two subnets: one public and one private. The user is planning to run the patch update for the instances in the private subnet. How can the instances in the private subnet connect to the internet?
A. The private subnet can never connect to the internet
B. Use NAT with an elastic IP
C. Use the internet gateway with a private IP
D. Allow outbound traffic in the security group for port 80 to allow internet updates
Answer: B
Q350. A user has created a VPC with public and private subnets using the VPC Wizard. The VPC has CIDR 20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24. Which of the below mentioned entries are required in the main route table to allow the instances in VPC to communicate with each other?
A. Destination : 20.0.0.0/0 and Target : ALL
B. Destination : 20.0.0.0/16 and Target : Local
C. Destination : 20.0.0.0/24 and Target : Local
D. Destination : 20.0.0.0/16 and Target : ALL
Answer: B
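Q332, Q349 and Q350 all rest on how a VPC route table is validated and consulted: every table carries an implicit local route for the whole VPC CIDR, a destination inside the VPC CIDR cannot be given another target because the local route already covers it (the rule at the time these questions were written; newer VPC features for middlebox appliances allow more specific routes and are not modelled here), a malformed prefix such as 20.0.0.0/0 is rejected, and lookups use longest prefix match, so 0.0.0.0/0 pointing at a NAT instance only carries traffic that no more specific route claims. The following is an added example, not part of the original question set and not AWS code. The VPC CIDR and target IDs are the ones from Q332; the data-centre prefix is written as 172.16.0.0/12, because 172.28.0.0/12 as given in the question has host bits set and is not a valid network address for a /12.

```python
"""Validate a VPC route table and resolve where a packet goes.

Added example for this page, not AWS code. Implicit local route, rejection of
destinations inside the VPC CIDR, strict CIDR parsing and longest prefix match.
"""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

Route = Tuple[str, str]                 # (destination CIDR, target ID)
Table = List[Tuple[IPv4Network, str]]


class RouteTableError(ValueError):
    pass


def build_route_table(vpc_cidr: str, routes: List[Route]) -> Table:
    vpc = ip_network(vpc_cidr)
    table: Table = [(vpc, "local")]  # added by AWS; cannot be removed or replaced
    for dest, target in routes:
        net = ip_network(dest)  # strict: host bits set (e.g. 20.0.0.0/0) raise ValueError
        if net.subnet_of(vpc):
            raise RouteTableError(f"{dest} is inside the VPC CIDR {vpc_cidr}; the local route already covers it")
        if any(net == existing for existing, _ in table):
            raise RouteTableError(f"duplicate destination {dest}")
        table.append((net, target))
    return table


def validation_error(vpc_cidr: str, routes: List[Route]) -> Optional[str]:
    """The reason a candidate table is invalid, or None if it would be accepted."""
    try:
        build_route_table(vpc_cidr, routes)
    except ValueError as exc:  # RouteTableError and ipaddress parse errors
        return str(exc)
    return None


def lookup(table: Table, dst_ip: str) -> Optional[str]:
    """Longest prefix match: the most specific route wins, whatever its position."""
    addr = ip_address(dst_ip)
    best: Optional[Tuple[IPv4Network, str]] = None
    for net, target in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, target)
    return best[1] if best else None


def internet_path(table: Table) -> Optional[str]:
    """'igw' or 'nat' according to the 0.0.0.0/0 target, None if there is no default route.

    A private subnet needs 'nat' (Q349): an IGW only forwards for instances that own a public IP.
    """
    for net, target in table:
        if net.prefixlen == 0:
            return "igw" if target.startswith("igw-") else "nat"
    return None


# Constructed from Q332 (data-centre prefix corrected to a valid /12, see above).
VPC_CIDR = "20.0.0.0/16"
MAIN_ROUTES: List[Route] = [("0.0.0.0/0", "i-123456"), ("172.16.0.0/12", "vgw-123456")]

if __name__ == "__main__":
    table = build_route_table(VPC_CIDR, MAIN_ROUTES)
    for ip in ("20.0.1.5", "172.28.5.5", "203.0.113.1"):
        print(f"{ip:>12} -> {lookup(table, ip)}")
    print("Q332 D:", validation_error(VPC_CIDR, MAIN_ROUTES + [("20.0.1.0/24", "i-123456")]))
    print("Q350 A:", validation_error(VPC_CIDR, [("20.0.0.0/0", "ALL")]))
```

The lookup shows why the rejected Q332 entry would be pointless even if it were accepted: 20.0.1.5 already resolves to local through the /16, and traffic between subnets never needs to touch the NAT instance. For the private subnet the check that matters is the default route's target: a NAT, never an Internet gateway.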