NEW QUESTION 1
A SysOps Administrator must take a team's single existing AWS CloudFormation template and split it into smaller, service specific template. All of the service in the template reference a single, shared Amazon S3 bucket.
What should the Administrator do to ensure that this S3 bucket can be referenced by all the service templates?

• A. Include the S3 bucket as a mapping in each template
• B. Add the S3 bucket as a resource in each template
• C. Create the S3 bucket in its own template and export it
• D. Generate the S3 bucket using StackSets

Answer: D

NEW QUESTION 2
A user has launched an EC2 instance from an instance store backed AMI. If the user restarts the instance, what will happen to the ephermal storage data?

• A. All the data will be erased but the ephermal storage will stay connected
• B. All data will be erased and the ephermal storage is released
• C. It is not possible to restart an instance launched from an instance store backed AMI
• D. The data is preserved

Answer: D

Explanation:
A user can reboot an EC2 instance using the AWS console, the Amazon EC2 CLI or the Amazon EC2 API. Rebooting an instance is equivalent to rebooting an operating system. However, it is recommended that the user use Amazon EC2 to reboot the instance instead of running the operating system reboot command from the instance. When an instance launched from an instance store backed AMI is rebooted all the ephermal storage data is still preserved.

NEW QUESTION 3
A root AWS account owner is trying to understand various options to set the permission to AWS S3. Which of the below mentioned options is not the right option to grant permission for S3?

• A. User Access Policy
• B. S3 Object Access Policy
• C. S3 Bucket Access Policy
• D. S3 ACL

Answer: B

Explanation:
Amazon S3 provides a set of operations to work with the Amazon S3 resources. Managing S3 resource access refers to granting others permissions to work with S3. There are three ways the root account owner can define access with S3:
S3 ACL: The user can use ACLs to grant basic read/write permissions to other AWS accounts.
S3 Bucket Policy: The policy is used to grant other AWS accounts or IAM users permissions for the bucket and the objects in it.
User Access Policy: Define an IAM user and assign him the IAM policy which grants him access to S3.

NEW QUESTION 4
A Sysops Administrator Amazon EC2 instance in two different VPS in private subnets to be able communication. A peering connection between the two VPCs has been created using the AWS Management Console and shows a status of active. The instance are still to send traffic to each other. Why are the EC2 instance unable to communicate?

• A. One or both of the VPCs do not have an internet gateway attached.
• B. The route tables are not been updated.
• C. The peering connection has not been properly tagged.
• D. One or both of the instances do not have an Elastic IP address assigned.

Answer: C

Explanation:
https://docs.aws.amazon.com/vpc/latest/peering/vpc-peering-routing.html

NEW QUESTION 5
An organization is planning to create 5 different AWS accounts considering various security requirements. The organization wants to use a single payee account by using the consolidated billing option. Which of the below mentioned statements is true with respect to the above information?

• A. Master (Paye
• B. account will get only the total bill and cannot see the cost incurred by each account
• C. Master (Paye
• D. account can view only the AWS billing details of the linked accounts
• E. It is not recommended to use consolidated billing since the payee account will have access to the linked accounts
• F. Each AWS account needs to create an AWS billing policy to provide permission to the payee account

Answer: B

Explanation:
AWS consolidated billing enables the organization to consolidate payments for multiple Amazon Web Services (AWS. accounts within a single organization by making a single paying account. Consolidated billing enables the organization to see a combined view of the AWS charges incurred by each account as well as obtain a detailed cost report for each of the individual AWS accounts associated with the paying account. The payee account will not have any other access than billing data of linked accounts.

NEW QUESTION 6
An organization is using AWS since a few months. The finance team wants to visualize the pattern of AWS spending. Which of the below AWS tool will help for this requirement?

• A. AWS Cost Manager
• B. AWS Cost Explorer
• C. AWS CloudWatch
• D. AWS Consolidated Billing

Answer: B

Explanation:
The AWS Billing and Cost Management console includes the Cost Explorer tool for viewing AWS cost
data as a graph. It does not charge extra to user for this service. With Cost Explorer the user can filter graphs using resource tags or with services in AWS. If the organization is using Consolidated Billing it helps generate report based on linked accounts. This will help organization to identify areas that require further inquiry. The organization can view trends and use that to understand spend and to predict future costs.

NEW QUESTION 7
A user is trying to connect to a running EC2 instance using SSH. However, the user gets a connection time out error. Which of the below mentioned options is not a possible reason for rejection?

• A. The access key to connect to the instance is wrong
• B. The security group is not configured properly
• C. The private key used to launch the instance is not correct
• D. The instance CPU is heavily loaded

Answer: A

Explanation:
If the user is trying to connect to a Linux EC2 instance and receives the connection time out error the probable reasons are:
Security group is not configured with the SSH port The private key pair is not right
The user name to login is wrong
The instance CPU is heavily loaded, so it does not allow more connections

NEW QUESTION 8
An organization is planning to use AWS for their production roll out. The organization wants to implement automation for deployment such that it will automatically create a LAMP stack, download the latest PHP installable from S3 and setup the ELB. Which of the below mentioned AWS services meets the requirement for making an orderly deployment of the software?

• A. AWS Elastic Beanstalk
• B. AWS CloudFront
• C. AWS CloudFormation
• D. AWS DevOps

Answer: C

Explanation:
AWS CloudFormation is an application management tool which provides application modelling, deployment, configuration, management and related activities. CloudFormation provides an easy way to create and delete the collection of related AWS resources and provision them in an orderly way. AWS CloudFormation automates and simplifies the task of repeatedly and predictably creating groups of related resources that power the user??s applications. AWS CloudFront is a CDN; Elastic Beanstalk does quite a few of the required tasks. However, it is a PAAS which uses a ready AMI. AWS Elastic Beanstalk provides an environment to easily develop and run applications in the cloud.

NEW QUESTION 9
A sysadmin has created the below mentioned policy on an S3 bucket named cloudacademy. What does this policy define?
"Statement": [{
"Sid": "Stmt1388811069831",
"Effect": "Allow", "Principal": { "AWS": "*"},
"Action": [ "s3:GetObjectAcl", "s3:ListBucket"], "Resource": [ "arn:aws:s3:::cloudacademy]
}]

• A. It will make the cloudacademy bucket as well as all its objects as public
• B. It will allow everyone to view the ACL of the bucket
• C. It will give an error as no object is defined as part of the policy while the action defines the rule aboutthe object
• D. It will make the cloudacademy bucket as public

Answer: D

Explanation:
A sysadmin can grant permission to the S3 objects or the buckets to any user or make objects public using the bucket policy and user policy. Both use the JSON-based access policy language. Generally if the user is defining the ACL on the bucket, the objects in the bucket do not inherit it and vice a versa. The bucket policy can be defined at the bucket level which allows the objects as well as the bucket to be public with a single policy applied to that bucket. In the sample policy the action says ??S3:ListBucket?? for effect Allow on Resource arn:aws:s3:::cloudacademy. This will make the cloudacademy bucket public.
"Statement": [{
"Sid": "Stmt1388811069831",
"Effect": "Allow", "Principal": { "AWS": "*" },
"Action": [ "s3:GetObjectAcl", "s3:ListBucket"], "Resource": [ "arn:aws:s3:::cloudacademy]
}]

NEW QUESTION 10
Which of the following requires a custom CloudWatch metric to monitor?

• A. Data transfer of an EC2 instance
• B. Disk usage activity of an EC2 instance
• C. Memory Utilization of an EC2 instance
• D. CPU Utilization of an EC2 instance

Answer: C

Explanation:
Reference:
http://aws.amazon.com/cloudwatch/

NEW QUESTION 11
A user has enabled versioning on an S3 bucket. The user is using server side encryption for data at Rest. If the user is supplying his own keys for encryption (SSE-C., which of the below mentioned statements is true?

• A. The user should use the same encryption key for all versions of the same object
• B. It is possible to have different encryption keys for different versions of the same object
• C. AWS S3 does not allow the user to upload his own keys for server side encryption
• D. The SSE-C does not work when versioning is enabled

Answer: B

Explanation:
AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key (SSE-C.. If the bucket is versioning-enabled, each object version uploaded by the user using the SSE-C feature can have its own encryption key. The user is responsible for tracking which encryption key was used for which object's version

NEW QUESTION 12
A user has created an Auto Scaling group with default configurations from CLI. The user wants to setup the CloudWatch alarm on the EC2 instances, which are launched by the Auto Scaling group. The user has setup an alarm to monitor the CPU utilization every minute. Which of the below mentioned statements is true?

• A. It will fetch the data at every minute but the four data points [corresponding to 4 minutes] will not have value since the EC2 basic monitoring metrics are collected every five minutes
• B. It will fetch the data at every minute as detailed monitoring on EC2 will be enabled by the default launch configuration of Auto Scaling
• C. The alarm creation will fail since the user has not enabled detailed monitoring on the EC2 instances
• D. The user has to first enable detailed monitoring on the EC2 instances to support alarm monitoring at every minute

Answer: B

Explanation:
CloudWatch is used to monitor AWS as well as the custom services. To enable detailed instance monitoring for a new Auto Scaling group, the user does not need to take any extra steps. When the user creates an Auto Scaling launch config using CLI, each launch configuration contains a flag named InstanceMonitoring.Enabled. The default value of this flag is true. Thus, by default detailed monitoring will be enabled for Auto Scaling as well as for all the instances launched by that Auto Scaling group.

NEW QUESTION 13
When preparing for a compliance assessment of your system built inside of AWS. what are three best-practices for you to prepare for an audit?
Choose 3 answers

• A. Gather evidence of your IT operational controls
• B. Request and obtain applicable third-party audited AWS compliance reports and certifications
• C. Request and obtain a compliance and security tour of an AWS data center for a pre-assessment security review
• D. Request and obtain approval from AWS to perform relevant network scans and in-depth penetration tests of your system's Instances and endpoints
• E. Schedule meetings with AWS's third-party auditors to provide evidence of AWS compliance that maps to your control objectives

Answer: ABD

NEW QUESTION 14
The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?

• A. "Effect": "Allow", "Action": [??Describe??], "Resource": "Billing"
• B. "Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"
• C. "Effect": "Allow", "Action": ["aws-portal:ViewUsage"], "Resource": "*"
• D. "Effect": "Allow", "Action": ["aws-portal: ViewBilling"], "Resource": "*"

Answer: C

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If the CFO wants to allow only AWS usage report page access, the policy for that IAM user will be as given below:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow", "Action": [
"aws-portal:ViewUsage"
],
"Resource": "*"
}
]
}

NEW QUESTION 15
A user has setup a web application on EC2. The user is generating a log of the application performance at every second. There are multiple entries for each second. If the user wants to send that data to CloudWatch every minute, what should he do?

• A. The user should send only the data of the 60th second as CloudWatch will map the receive data timezone with the sent data timezone
• B. It is not possible to send the custom metric to CloudWatch every minute
• C. Give CloudWatch the Min, Max, Sum, and SampleCount of a number of every minute
• D. Calculate the average of one minute and send the data to CloudWatch

Answer: C

Explanation:
Amazon CloudWatch aggregates statistics according to the period length that the user has specified
while getting data from CloudWatch. The user can publish as many data points as he wants with the same or similartime stamps. CloudWatch aggregates them by the period length when the user calls get statistics about those data points. CloudWatch records the average (sum of all items divided by the number of items. of the values received for every 1-minute period, as well as the number of samples, maximum value, and minimum value for the same time period. CloudWatch will aggregate all the data which have time stamps within a one-minute period.

NEW QUESTION 16
A user has created a VPC with CIDR 20.0.0.0/24. The user has used all the IPs of CIDR and wants to increase the size of the VPC. The user has two subnets: public (20.0.0.0/28. and private (20.0.1.0/28.. How can the user change the size of the VPC?

• A. The user can delete all the instances of the subne
• B. Change the size of the subnets to 20.0.0.0/32 and 20.0.1.0/32, respectivel
• C. Then the user can increase the size of the VPC using CLI
• D. It is not possible to change the size of the VPC once it has been created
• E. The user can add a subnet with a higher range so that it will automatically increase the size of the VPC
• F. The user can delete the subnets first and then modify the size of the VPC

Answer: B

Explanation:
Once the user has created a VPC, he cannot change the CIDR of that VPC. The user has to terminate all the instances, delete the subnets and then delete the VPC. Create a new VPC with a higher size and launch instances with the newly created VPC and subnets.

NEW QUESTION 17
An organization has configured Auto Scaling for hosting their application. The system admin wants to understand the Auto Scaling health check process. If the instance is unhealthy, Auto Scaling launches an instance and terminates the unhealthy instance. What is the order execution?

• A. Auto Scaling launches a new instance first and then terminates the unhealthy instance
• B. Auto Scaling performs the launch and terminate processes in a random order
• C. Auto Scaling launches and terminates the instances simultaneously
• D. Auto Scaling terminates the instance first and then launches a new instance

Answer: D

Explanation:
Auto Scaling keeps checking the health of the instances at regular intervals and marks the instance for replacement when it is unhealthy. The ReplaceUnhealthy process terminates instances which are marked as unhealthy and subsequently creates new instances to replace them. This process first terminates the instance and then launches a new instance.

NEW QUESTION 18
A user has setup a VPC with CIDR 20.0.0.0/16. The VPC has a private subnet (20.0.1.0/24. and a public subnet (20.0.0.0/24.. The user??s data centre has CIDR of 20.0.54.0/24 and 20.1.0.0/24. If the private subnet wants to communicate with the data centre, what will happen?

• A. It will allow traffic communication on both the CIDRs of the data centre
• B. It will not allow traffic with data centre on CIDR 20.1.0.0/24 but allows traffic communication on 20.0.54.0/24
• C. It will not allow traffic communication on any of the data centre CIDRs
• D. It will allow traffic with data centre on CIDR 20.1.0.0/24 but does not allow on 20.0.54.0/24

Answer: D

Explanation:
VPC allows the user to set up a connection between his VPC and corporate or home network data centre. If the user has an IP address prefix in the VPC that overlaps with one of the networks' prefixes, any traffic to the network's prefix is dropped. In this case CIDR 20.0.54.0/24 falls in the VPC??s CIDR range of 20.0.0.0/16. Thus, it will not allow traffic on that IP. In the case of 20.1.0.0/24, it does not fall in the VPC??s CIDR range. Thus, traffic will be allowed on it.

NEW QUESTION 19
A user is publishing custom metrics to CloudWatch. Which of the below mentioned statements will help the user understand the functionality better?

• A. The user can use the CloudWatch Import tool
• B. The user should be able to see the data in the console after around 15 minutes
• C. If the user is uploading the custom data, the user must supply the namespace, timezone, and metric name as part of the command
• D. The user can view as well as upload data using the console, CLI and APIs

Answer: B

Explanation:
AWS CloudWatch supports the custom metrics. The user can always capture the custom data and upload the data to CloudWatch using CLI or APIs. The user has to always include the namespace as a part of the request. However, the other parameters are optional. If the user has uploaded data using CLI, he can view it as a graph inside the console. The data will take around 2 minutes to upload but can be viewed only after around 15 minutes.

NEW QUESTION 20
A user has created an ELB with three instances. How many security groups will ELB create by default?

• A. 3
• B. 5
• C. 2
• D. 1

Answer: C

Explanation:
Elastic Load Balancing provides a special Amazon EC2 source security group that the user can use to ensure that back-end EC2 instances receive traffic only from Elastic Load Balancing. This feature needs two security groups: the source security group and a security group that defines the ingress rules for the back-end instances. To ensure that traffic only flows between the load balancer and the back-end instances, the user can add or modify a rule to the back-end security group which can limit the ingress traffic. Thus, it can come only from the source security group provided by Elastic Load Balancing.

NEW QUESTION 21
An organization has configured two single availability zones. The Auto Scaling groups are configured in separate zones. The user wants to merge the groups such that one group spans across multiple zones. How can the user configure this?

• A. Run the command as-join-auto-scaling-group to join the two groups
• B. Run the command as-update-auto-scaling-group to configure one group to span across zones and delete the other group
• C. Run the command as-copy-auto-scaling-group to join the two groups
• D. Run the command as-merge-auto-scaling-group to merge the groups

Answer: B

Explanation:
If the user has configured two separate single availability zone Auto Scaling groups and wants to merge them then he should update one of the groups and delete the other one. While updating the first group it is recommended that the user should increase the size of the minimum, maximum and desired capacity as a summation of both the groups.

NEW QUESTION 22
An organization created an Amazon Elastic File System (Amazon EFS) volume with a file system ID of fs-85baf1fc, and it is actively used by 10 Amazon EC2 hosts.
The organization has become concerned that the file system is not encrypted. How can this be resolved?

• A. Enable encryption on each hosts connection to the Amazon EFS volume Each connection must be recreated for encryption to take effect
• B. Enable encryption on the existing EFS volume by using the AWS Command Line Interface
• C. Enable encryption on each host's local drive Restart each host to encrypt the drive
• D. Enable encryption on a newly created volume and copy all data from the original volume Reconnect each host to the new volume

Answer: A

Explanation:
https://docs.aws.amazon.com/efs/latest/ug/encryption.html https://aws.amazon.com/premiumsupport/knowledge-center/encrypt-data-efs/

NEW QUESTION 23
A user has setup a CloudWatch alarm on the EC2 instance for CPU utilization. The user has setup to receive a notification on email when the CPU utilization is higher than 60%. The user is running a virus scan on the same instance at a particular time. The user wants to avoid receiving an email at this time. What should the user do?

• A. Remove the alarm
• B. Disable the alarm for a while using CLI
• C. Modify the CPU utilization by removing the email alert
• D. Disable the alarm for a while using the console

Answer: B

Explanation:
Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. When the user has setup an alarm and it is know that for some unavoidable event the status may change to Alarm, the user can disable the alarm using the DisableAlarmActions API or from the command line mon-disable-alarm-actions.

NEW QUESTION 24
An organization has created one IAM user and applied the below mentioned policy to the user. What entitlements do the IAM users avail with this policy?
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*", "Resource": "*"
},
{
"Effect": "Allow"
"Action": [ "cloudwatch:ListMetrics", "cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:Describe*", "Resource": "*"
}
]
}

• A. The policy will allow the user to perform all read only activities on the EC2 services
• B. The policy will allow the user to list all the EC2 resources except EBS
• C. The policy will allow the user to perform all read and write activities on the EC2 services
• D. The policy will allow the user to perform all read only activities on the EC2 services except load Balancing

Answer: D

Explanation:
AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. If an organization wants to setup read only access to EC2 for a particular user, they should mention the action in the IAM policy which entitles the user for Describe rights for EC2, CloudWatch, Auto Scaling and ELB. In the policy shown below, the user will have read only access for EC2 and EBS, CloudWatch and Auto Scaling. Since ELB is not mentioned as a
part of the list, the user will not have access to ELB.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:Describe*", "Resource": "*"
},
{
"Effect": "Allow", "Action": [ "cloudwatch:ListMetrics",
"cloudwatch:GetMetricStatistics", "cloudwatch:Describe*"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "autoscaling:Describe*", "Resource": "*"
}
]
}

NEW QUESTION 25
A user has setup an Auto Scaling group. The group has failed to launch a single instance for more than 24 hours. What will happen to Auto Scaling in this condition?

• A. Auto Scaling will keep trying to launch the instance for 72 hours
• B. Auto Scaling will suspend the scaling process
• C. Auto Scaling will start an instance in a separate region
• D. The Auto Scaling group will be terminated automatically

Answer: B

Explanation:
If Auto Scaling is trying to launch an instance and if the launching of the instance fails continuously, it will
suspend the processes for the Auto Scaling groups since it repeatedly failed to launch an instance. This is known as an administrative suspension. It commonly applies to the Auto Scaling group that has no running instances which is trying to launch instances for more than 24 hours, and has not succeeded in that to do so.

NEW QUESTION 26
A sys admin is trying to understand EBS snapshots. Which of the below mentioned statements will not be useful to the admin to understand the concepts about a snapshot?

• A. The snapshot is synchronous
• B. It is recommended to stop the instance before taking a snapshot for consistent data
• C. The snapshot is incremental
• D. The snapshot captures the data that has been written to the hard disk when the snapshot command was executed

Answer: A

Explanation:
The AWS snapshot is a point in time backup of an EBS volume. When the snapshot command is executed it will capture the current state of the data that is written on the drive and take a backup. For a better and consistent snapshot of the root EBS volume, AWS recommends stopping the instance. For additional volumes it is recommended to unmount the device. The snapshots are asynchronous and incremental.

NEW QUESTION 27
......