Amazon Web Services (AWS) - Set #13

Powered by Techhyme.com

You have a total of 130 minutes to finish the practice test of AWS Certified SysOps Administrator to test your knowledge.

1. You’ve created a customer master key in KMS and configured S3-KMS bucket encryption using the key. You then granted a user full access to KMS and S3 using an IAM identity-based permissions policy. The user, however, is unable to view any objects in the bucket. Which of the following could be misconfigured? (Choose three.)
  • A. The user’s IAM permissions boundaries
  • B. The bucket policy
  • C. The object policy
  • D. The user’s IAM permissions policy
  • E. The key policy
Answer - A, B, E
Explanation - There are three possible causes: First, the user may have IAM permissions boundaries set that prevent access to KMS or S3. Second, the S3 bucket policy may not grant the user access to any objects in the bucket. Finally, the key policy may not allow the user to use the key. There’s no such thing as an object policy. The settings in the user’s IAM policy permissions are correct according to the question.
2. Which of the following are options for encrypting data stored in DynamoDB? (Choose two.)
  • A. Use CloudHSM.
  • B. Use a customer managed KMS key.
  • C. Encrypt the data before writing it.
  • D. Use an AWS managed KMS key.
Answer - C, D
Explanation - DynamoDB can encrypt data using only AWS managed KMS keys, which are never stored in CloudHSM. Of course, encrypting data prior to writing it to DynamoDB is always an option.
3. Which of the following is true regarding KMS?
  • A. KMS keys can be used only with AWS services.
  • B. It uses CloudHSM to store all keys.
  • C. It uses FIPS 140-2 validated hardware security modules.
  • D. KMS is a global service.
Answer - C
Explanation - KMS uses FIPS 140-2 validated hardware security modules. It integrates with CloudHSM but only for custom key stores. KMS keys can be used with any application, not just AWS services. KMS is a regional service, not a global service.
4. Which of the following KMS customer master key (CMK) types is used by multiple AWS customers?
  • A. Customer managed CMK
  • B. AWS owned CMK
  • C. AWS managed CMK
  • D. Data CMK
Answer - B
Explanation - AWS owned CMKs are used by multiple AWS customers. AWS managed CMKs and customer managed CMKs are for use by only one customer. There’s no such thing as a data CMK.
5. How many customer master keys can be stored in KMS per region?
  • A. 10
  • B. 100
  • C. 1000
  • D. 10,000
  • E. 100,000
Answer - D
Explanation - You can have up to 10,000 customer master keys per region.
6. You need to review which EC2 instances have used a particular key stored in a custom KMS store. Where will you find this information?
  • A. CloudWatch Events
  • B. CloudTrail logs
  • C. CloudHSM logs
  • D. VPC Flow Logs
  • E. CloudTrail metrics
Answer - B
Explanation - Usage of KMS keys, whether they’re in a custom store or the default key store, is tracked in CloudTrail logs. It isn’t kept in CloudWatch Events or VPC Flow Logs. There are no CloudHSM logs or CloudTrail metrics.
7. What’s the maximum size of a KMS key policy document?
  • A. 1 KB
  • B. 6 KB
  • C. 9 KB
  • D. 32 KB
Answer - D
Explanation - The maximum size of a key policy document is 32 KB (32,768 bytes).
8. Which of the following will provide high availability for keys stored in a CloudHSM cluster? (Choose two.)
  • A. The use of a custom KMS key store
  • B. The use of multiple availability zones
  • C. The use of multiple regions
  • D. The use of duplicate keys
Answer - A, B
Explanation - KMS custom key stores use CloudHSM in different availability zones. Alternatively, you could create your own CloudHSM cluster in multiple availability zones. Using multiple regions wouldn’t provide redundancy for keys since keys are specific to a region. Storing duplicate keys wouldn’t necessarily provide high availability if the keys are stored in a CloudHSM cluster in just one availability zone.
9. You’ve configured an instance profile role but want to make sure other IAM users can’t assume the role. Which of the following actions should you take to ensure this?
  • A. Remove the IAM PassRole permission from users’ permissions policies.
  • B. Remove unnecessary permissions from the role’s permissions policies.
  • C. Ensure the role’s trust policy doesn’t allow users to assume the role.
  • D. Ensure the user’s trust policy doesn’t allow users to assume the role.
Answer - C
Explanation - Whether a principal can assume a role is determined by the role’s trust policy. Removing the IAM PassRole permission from a user might prevent them from launching an instance that uses the role, but it won’t prevent the user from assuming the role themselves. Removing unnecessary permissions from the role, although a good idea, also won’t stop a user from assuming the role. There’s no such thing as a user trust policy.
10. A service-linked role you’re trying to use doesn’t have the policy permissions you need. Which of the following should you do to resolve the problem with the least effort?
  • A. Add the permissions using a managed policy.
  • B. Add the permissions using an inline policy.
  • C. Modify the trust policy.
  • D. Create a new role that duplicates the service-linked role and assign the duplicate role the needed permissions.
Answer - D
Explanation - The simplest solution is to duplicate the service-linked role, adding the permissions you need. Because service-linked roles are controlled by AWS, you can’t add policy permissions to a service-linked role or modify its trust policy.
11. While using the AWS CLI, you assume a role named Role A. While operating under that role you attempt to assume another role named Role B. Which of the following will occur? (Choose two.)
  • A. You’ll operate with the permissions of Role B.
  • B. You won’t be allowed to assume Role B.
  • C. You will retain the permissions of Role A.
  • D. Your session under Role B will last no longer than one hour.
Answer - A, D
Explanation - The practice of assuming one role and then assuming another role is called role chaining. Role chaining is allowed but limited to a maximum duration of one hour. While operating under a role, you have only the permissions of that role.
12. You’ve configured the AWS CLI with the credentials of the root user. Which of the following is true regarding this configuration?
  • A. Your CLI session is limited to one hour.
  • B. You can’t assume an IAM role while operating as root.
  • C. You won’t have access to certain AWS services.
  • D. The root user credentials can’t be used with the CLI.
Answer - B
Explanation - You can’t assume an IAM role while operating as the root user. You must use an IAM user instead. There is no CLI session limit, the root user credentials can be used with the CLI, and the root user has full access to all AWS services.
13. An IAM user needs to be able to assume a role named Role X. Which of the following do you need to do to allow this? (Choose two.)
  • A. Add Role X’s ARN to the user’s permissions policy as a resource.
  • B. Grant the user the sts:AssumeRole permission.
  • C. Grant the user the iam:AssumeRole permission.
  • D. Grant the user the iam:PassRole permission.
Answer - A, B
Explanation - The user needs the sts:AssumeRole permission with Role X’s ARN given as a resource. The user doesn’t need the iam:PassRole permission. There is no iam:AssumeRole API call.
14. Does an IAM trust policy require specifying a principal? Why or why not? (Choose two.)
  • A. A trust policy does not require specifying a principal.
  • B. It’s an identity-based policy.
  • C. It’s a resource-based policy.
  • D. A trust policy does require specifying a principal.
Answer - C, D
Explanation - A trust policy is a resource-based policy and therefore does require specifying a principal.
15. Which of the following is true of an IAM trust policy?
  • A. The principal must be in the same account as the owner of the trust policy.
  • B. The principal can’t be a wildcard.
  • C. The principal can’t be an AWS service.
  • D. The effect in a trust policy statement must always be Allow.
Answer - B
Explanation - The principal can’t be a wildcard in a trust policy. It can be an AWS service or a principal in the same account or another account. The effect in a trust policy statement can be Allow or Deny.
16. Which of the following tasks may require logging in as the root user?
  • A. Viewing the canonical user ID
  • B. Deleting an IAM user
  • C. Sending mass email from an EC2 instance
  • D. Assuming an IAM role that has unrestricted access to all AWS resources
Answer - C
Explanation - EC2 throttles outbound traffic on TCP port 25, the port commonly used for the Simple Mail Transfer Protocol (SMTP). Only the root user can make a request to have this throttle removed. The root user isn’t required to view the canonical user ID or delete an IAM user. The root user can’t assume an IAM role.
17. You’re using a third-party service provider that needs access to your non-public S3 bucket for backup purposes. The provider has asked for your AWS account number and the ARN of a role that will grant them access. This provider provides similar services for other AWS customers. For security, the provider has given you an external ID of 86730. How should you use this external ID?
  • A. Create a CloudWatch Events rule that triggers an alert when anyone assumes the role without specifying the external ID.
  • B. Include it in the Condition element of the role’s trust policy by specifying it as the value of sts:ExternalID.
  • C. Include it as a principal in the role’s trust policy.
  • D. Rename the role 86730.
Answer - B
Explanation - When multiple AWS customers use the same service provider, there’s a possibility that a malicious customer could provide your AWS account number and the ARN of a valid role, thus tricking the service provider into accessing your resources. Configuring the trust policy to require the service provider to also provide a unique external ID when assuming the role can mitigate this. It also eliminates the need to alert when someone assumes the role without specifying the external ID. The external ID is not a principal. There’s no need to rename the role since that would also change the role ARN, which the service provider already knows.
18. You’ve created a custom Linux AMI and used it to launch a fleet of EC2 instances. You want to use AWS Simple Systems Manager to manage these instances, but they’re not showing up in SSM inventory. You’ve verified that the SSM agent is installed and running on the instances. What is the most likely cause of the problem?
  • A. The instances don’t have the proper profile.
  • B. The agent is configured with invalid credentials.
  • C. The instances’ security group doesn’t allow outbound SSH access.
  • D. The instances’ security group doesn’t allow inbound SSH access.
  • E. The instances’ security group doesn’t allow inbound HTTPS access.
Answer - A
Explanation - The instances should be associated with an instance profile role that has the proper permissions. The agent uses STS to obtain temporary credentials to connect to SSM, so there’s no need to configure credentials explicitly. The agent requires outbound, not inbound, HTTPS access and doesn’t require SSH access at all.
19. A custom application uses a DynamoDB table to store data. You want to encrypt only particular attributes in the table while leaving the rest unencrypted. How can you achieve this with the least effort?
  • A. Have the application encrypt only the attributes that need to be encrypted.
  • B. Enable DynamoDB server-side encryption for the table.
  • C. Enable DynamoDB KMS encryption for the table.
  • D. Enable DynamoDB server-side encryption for only the attributes that need to be encrypted.
  • E. Enable DynamoDB KMS encryption for only the attributes that need to be encrypted.
Answer - A
Explanation - DynamoDB server-side and KMS encryption encrypts the entire table. If you want to encrypt only a subset of the table, such encryption must take place outside of DynamoDB.
20. You’re configuring a Relational Database Service (RDS) instance to host a database. You want to ensure that only a specific EC2 instance in your VPC can connect to the database. Which of the following should you do?
  • A. Place the RDS instance in the same VPC as the EC2 instance.
  • B. Configure the EC2 instance’s security group to allow inbound access from the database instance.
  • C. Configure the database instance’s security group to allow inbound access from the EC2 instance.
  • D. Place the RDS instance in the same subnet as the EC2 instance.
Answer - C
Explanation - The database instance’s security group must allow inbound access from the EC2 instance. The database instance won’t initiate a connection to the EC2 instance. There’s no need for the two instances to be in the same VPC or subnet.
21. You’re building a database-backed application written in Python. You’ve configured an RDS instance with the MariaDB database engine, but your application is unable to connect to the database instance. Which of the following should you check first?
  • A. Ensure the database instance’s security group allows outbound traffic on UDP port 1433.
  • B. Ensure the database instance’s security group allows inbound traffic on TCP port 3306.
  • C. Ensure the database instance’s security group allows inbound traffic on TCP port 1433.
  • D. Ensure the database instance’s security group allows inbound traffic on UDP port 3306.
Answer - B
Explanation - MariaDB listens for incoming connections on TCP port 3306, so the database instance’s security group must be configured accordingly. The database doesn’t need to initiate any outbound connections.
22. Which of the following can log all database queries against an RDS instance running the MySQL database engine?
  • A. The pgaudit plug-in
  • B. CloudTrail logs
  • C. The MySQL audit plug-in
  • D. MySQL Workbench
Answer - C
Explanation - The MySQL audit plug-in can be configured to log all queries. CloudTrail can log only API calls against AWS resources. The pgaudit plug-in is only for the PostgreSQL database engine. MySQL Workbench is a database design tool.
23. What do you need to do to enable SSL encryption for an RDS instance running Oracle? (Choose two.)
  • A. Enable transparent data encryption.
  • B. Disable native network encryption.
  • C. Enable native network encryption.
  • D. Add the Oracle SSL option group to the instance.
Answer - B, D
Explanation - To use SSL with Oracle, you must disable native network encryption and add the Oracle SSL option group to the instance. Transparent data encryption is for encrypting data at rest and has nothing to do with SSL.
24. You’ve created a master RDS instance and a read replica running the MariaDB database engine. Which of the following is true regarding the security of these two instances?
  • A. The data on the read replica is always encrypted.
  • B. AWS handles all aspects of security between the master and the replica.
  • C. If the data on the master is encrypted, the data on the replica can be unencrypted.
  • D. You must configure the read replica’s security group to enable replication from the master.
Answer - B
Explanation - AWS handles all aspects of security between the master and the replica, including security group configurations. The data on a read replica is encrypted only if the master is encrypted. Likewise, if data on the master is encrypted, the data on the replica must also be encrypted.
25. Which of the following is true regarding in-transit data between a master RDS instance and a read replica?
  • A. In-transit data between the master and replica is always encrypted.
  • B. In-transit data between the master and replica is encrypted only if the master is encrypted.
  • C. In-transit data between the master and replica is encrypted only if you enable SSL/TLS on the master and the replica.
  • D. RDS uses KMS to store the encryption keys used to encrypt the in-transit data.
Answer - A
Explanation - AWS handles all security between the master and replica. In the case of cross-region replication, in-transit data is always encrypted. RDS doesn’t use KMS for in-transit encryption. KMS is used only with encryption at rest.
26. Which of the following is an advantage of resource-based policies over identity-based policies?
  • A. Resource-based policies are more restrictive.
  • B. Resource-based policies restrict the access of users who don’t have an AWS account.
  • C. Resource-based policies can restrict the permissions of the root user.
  • D. Resource-based policies replace identity-based policies for some services.
Answer - B
Explanation - Because resource-based policies apply to a resource, they can restrict the access of users who don’t have an AWS account, such as anonymous users. Resource-based policies are not necessarily more restrictive, they can’t be used to restrict the root user, and they don’t replace identity-based policies.
27. What’s the maximum size of an S3 bucket policy?
  • A. 2 KB
  • B. 6 KB
  • C. 10 KB
  • D. 20 KB
Answer - D
Explanation - A bucket policy can be up to 20 KB in size.
28. You’re working with a third-party vendor that wants to grant you read and write access to an S3 bucket in their AWS account. You plan to store your EBS snapshots in this bucket. The vendor has asked for your AWS account ID so they can add it to the bucket policy, but you’re apprehensive about giving it. What’s the most secure alternative?
  • A. Ask the vendor to use an IAM permissions policy instead of a bucket policy.
  • B. Ask the vendor to create an IAM user with access to the bucket.
  • C. Provide your canonical user ID.
  • D. Create an IAM role and provide them with its ARN.
Answer - C
Explanation - The canonical user ID is a 64-character string that can be used to identify an AWS account in an S3 bucket policy. Creating an IAM role and providing the ARN would permit the vendor to grant that role access, but they’d still need either your AWS account number or canonical user ID. Asking the vendor to create an IAM user for you with permissions to the bucket would get you access to the bucket, but you wouldn’t be able to store your EBS backups there since you wouldn’t be using your own account. An IAM permissions policy can’t be used to grant another account access to an S3 bucket.
29. Which version of AWS Signature do all regions support for S3?
  • A. Signature version 1
  • B. Signature version 2
  • C. Signature version 3
  • D. Signature version 4
Answer - D
Explanation - All regions support Signature version 4. Regions created before January 30, 2014, support Signature versions 2 and 4. There is no version 1 or 3.
30. When using AWS Signature version 4, which of the following keys is used to sign a request to S3?
  • A. Public key
  • B. Signing key
  • C. Secret access key
  • D. Policy key
Answer - B
Explanation - The signing key is used to sign requests. The secret access key is used to create a signing key, which is valid for up to 7 days. A policy key is not an encryption key, but a condition that can be specified along with the request. S3 requests don’t use public keys.
31. Which of the following AWS CLI commands will list the AWS canonical user ID?
  • A. aws iam list-users
  • B. aws iam list-account-aliases
  • C. aws s3 list-buckets
  • D. aws s3api list-buckets
Answer - D
Explanation - The command aws s3api list-buckets is the only one that will list the canonical user ID. aws s3 list-buckets is not a valid command.
32. You need to use IAM database authentication with Amazon Aurora. Which of the following database engines can you use? (Choose two.)
  • A. MySQL
  • B. PostgreSQL
  • C. Oracle
  • D. Microsoft SQL Server
Answer - A, B
Explanation - Aurora offers only MySQL and PostgreSQL and supports IAM database authentication for both.
33. Which of the following credentials can be used to create a CodeDeploy deployment? (Choose two.)
  • A. Root user credentials
  • B. Git credentials
  • C. IAM user credentials
  • D. Anonymous
Answer - A, C
Explanation - The root user or an IAM user can create a CodeDeploy deployment. CodeDeploy doesn’t authenticate using Git credentials and it doesn’t allow anonymous access.
34. An IAM user is attempting to deploy an application using CodeDeploy but the deployment is failing. You’re able to deploy the application using your administrative credentials. Which of the following permissions should you ensure the user has?
  • A. UpdateDeploymentGroup
  • B. GetDeployment
  • C. GetDeploymentConfig
  • D. UpdateApplication
Answer - C
Explanation - The user needs to have the GetDeploymentConfig permissions to get the deployment configuration for the application they’re deploying. They don’t need permissions to update the deployment group, view other deployments, or modify the application.
35. What’s the maximum number of GitHub tokens you can have associated with CodeDeploy per region?
  • A. 5
  • B. 10
  • C. 20
  • D. Unlimited
Answer - B
Explanation - You can have up to 10 GitHub tokens per region.
36. When trying to deploy a CodeDeploy template using the AWS CLI, you get the error that is required. What can you conclude about the template?
  • A. You don’t have the appropriate permissions to deploy the template.
  • B. The template updates an existing IAM resource.
  • C. It creates or modifies an IAM resource without a custom name.
  • D. It creates or modifies an IAM resource with a custom name.
Answer - D
Explanation - The AWS CLI requires you to explicitly acknowledge that a template will create an IAM resource. In this case, the error indicates that the template assigns the resource a custom name. The AWS CLI checks for this prior to making a request to the CloudFormation service, so it doesn’t first check permissions or whether the template would update an existing resource.
37. Which of the following AWS managed policies grants access to create and deploy application revisions to an ECS cluster using CodeDeploy?
  • A. AWSCodeDeployDeployerAccess
  • B. AWSCodeDeployRole
  • C. AWSCodeDeployRoleForECS
  • D. AWSCodeDeployRoleForECSLimited
Answer - A
Explanation - The AWSCodeDeployDeployerAccess managed policy grants access to create and deploy application revisions. The rest are permissions policies to be used with roles but don’t grant permission to create or deploy application revisions.
38. You plan to use CodeDeploy to deploy an application to EC2 instances. Which of the following permissions do you need to grant in the instances’ IAM profile role? (Choose two.)
  • A. codedeploy:*
  • B. s3:Get*
  • C. autoscaling:*
  • D. s3:List*
Answer - B, D
Explanation - CodeDeploy deploys EC2/on-premises applications from an S3 bucket, so the instances need access to list and get buckets and files from S3. They don’t need access to the CodeDeploy or Auto Scaling services.
39. You’re attempting to use CodeDeploy to deploy an application to an EC2 instance, but the deployment keeps failing with the error “Validation of PKCS7 signed message failed.” How should you resolve this?
  • A. Attach to the instance an instance profile role with the appropriate permissions.
  • B. Restart the instance.
  • C. Install the latest version of the CodeDeploy agent.
  • D. Add an outbound security group rule to allow HTTPS access to the CodeDeploy service.
Answer - C
Explanation - CodeDeploy agents earlier than version 1.0.1.854 don’t support the SHA-2 hash algorithm required by CodeDeploy. Upgrading the agent will resolve the error. The error indicates that the agent is reaching the CodeDeploy service, so adding a security group rule or restarting the instance won’t make a difference. The error doesn’t indicate a permissions issue.
40. You used your administrative IAM user to upload an application revision to an S3 bucket. You’re attempting to use CodeDeploy to deploy the application revision to an EC2 instance, but the deployment continually fails with the error “UnknownError: not opened for reading error.” Your research indicates that this error means the CodeDeploy agent can’t read the application revision from the S3 bucket where it’s stored. You verify that the permissions of your own IAM user, the instance profile role, and the service role are all configured correctly. You also verify that the latest CodeDeploy agent is installed and running and that you can read the application revision using your IAM user. Which of the following could be preventing access to the revision?
  • A. Permissions boundaries
  • B. An S3 bucket policy
  • C. An S3 ACL
  • D. Incorrect permissions in the appspec.yml file
Answer - B
Explanation - An S3 bucket policy could restrict a principal’s access to the revision. An S3 ACL could also block access to it, but ACLs operate at the account level, and the fact that you were able to read the application revision indicates that an ACL is not the issue. The question indicates that you verified the permissions of the instance profile role, so permissions boundaries aren’t the problem. The appspec.yml file is included in the application revision bundle, so a misconfiguration there can’t be the problem.
41. When attempting to deploy an application revision to an EC2 instance using CodeDeploy, you get the error “InstanceAgent::Plugins::CodeDeployPlugin::CommandPoller: Missing credentials - please check if this instance was started with an IAM instance profile.” You check that the instance has an instance profile associated with it. What could be the problem?
  • A. The instance is stopped.
  • B. The CodeDeploy service role doesn’t exist.
  • C. The instance profile role doesn’t have the correct permissions.
  • D. The CodeDeploy service role doesn’t have the correct permissions.
Answer - C
Explanation - The error appears only if the instance profile role is missing or if it doesn’t have the appropriate permissions. The error comes from the CodeDeploy agent running on the instance, so the instance must be running.
42. When attempting to deploy an application to an EC2 instance using CodeDeploy you get the error “InvalidSignatureException – Signature expired.” What could be the problem?
  • A. The permissions of the instance profile role are incorrect.
  • B. The time on the instance is incorrect.
  • C. The CodeDeploy agent isn’t running.
  • D. The application revision is encrypted.
Answer - B
Explanation - When the CodeDeploy agent sends a request to the CodeDeploy service, it signs the request with a signature that is valid for a small window of time. The error indicates that the time on the instance and the time of the CodeDeploy service don’t match.
43. Which of the following options can you set in a password policy? (Choose two.)
  • A. Password expiration
  • B. Maximum length
  • C. Require multi-factor authentication (MFA)
  • D. Require an administrator to reset expired passwords
Answer - A, D
Explanation - You can set a password policy to enforce password expiration and require an administrator to reset expired passwords. A policy can’t require MFA or set a maximum length.
44. Your organization has over 500 IAM users in its AWS account. You plan to change the password policy to set a password expiration period of 90 days. Which of the following will occur when you implement this policy?
  • A. The password expiration takes effect for each user only after you reset their password.
  • B. Users with passwords older than 90 days will be required to change their password at their next sign-in.
  • C. All users will be required to change their password immediately, regardless of password age.
  • D. All user access keys older than 90 days will expire.
Answer - B
Explanation - Users with passwords older than 90 days will have to change them at their next sign-in. Password policies don’t affect access keys.
45. Which of the following is not an option for an IAM password policy?
  • A. Locking a user out after a number of failed login attempts
  • B. Requiring the use of lowercase letters
  • C. Preventing password reuse
  • D. Preventing users from changing their own passwords
Answer - A
Explanation - IAM doesn’t offer lockout policies that lock out a user after a number of failed login attempts. All of the other choices are available options for a password policy.
46. Which of the following is true regarding a Security Token Service (STS) session token obtained from a regional STS endpoint?
  • A. It’s valid only in the region from which it was requested.
  • B. It’s valid in all regions.
  • C. It’s valid for a longer time than one obtained from the global endpoint.
  • D. It’s smaller than one obtained from the global endpoint.
Answer - B
Explanation - A token obtained from a regional STS endpoint is valid in all regions. It’s not necessarily smaller or valid for a longer time than one obtained from the global STS endpoint.
47. In which of the following regions can you not disable the Security Token Service (STS)?
  • A. us-east-1 (N. Virginia)
  • B. us-east-2 (Ohio)
  • C. Canada (Central)
  • D. us-west-1 (N. California)
Answer - A
Explanation - You can’t disable STS in the us-east-1 (N. Virginia) region. You can disable it in all others.
48. Your organization is terminating operations in the us-west-1 (N. California) region. A colleague has disabled the region, but a month later the organization receives a bill for EC2 instances running in the region. Which of the following do you need to do to avoid incurring additional costs from the EC2 instances? (Choose two.)
  • A. Enable the region.
  • B. Disable the region.
  • C. Disable STS in the region.
  • D. Terminate all EC2 instances in the region.
Answer - A, D
Explanation - Once a region is disabled, EC2 instances running in it continue to incur charges. You can’t make changes to resources in a disabled region. You need to enable the region and then terminate the EC2 instances. STS has no bearing on whether the region is enabled or disabled.
49. You need to grant an IAM user permissions to enable and disable AWS regions. Which of the following actions should you include in the user’s IAM policy permissions?
  • A. sts:EnableRegion
  • B. account:EnableRegion
  • C. iam:DisableRegion
  • D. aws-portal:ListRegions
Answer - B
Explanation - The account:EnableRegion and account:DisableRegion actions are required to enable or disable a region. The others aren’t valid actions.
50. You currently don’t use Security Token Service (STS) and want to disable access to as many endpoints as possible. Which of the following STS endpoints can you not disable? (Choose three.)
  • A. sts.ap-southeast-1.amazonaws.com
  • B. sts.ap-east-1.amazonaws.com
  • C. sts.us-east-1.amazonaws.com
  • D. sts.us-east-2.amazonaws.com
  • E. sts.amazon.com
Answer - B, C, E
Explanation - All but three endpoints can be disabled: the global endpoint (sts.amazon.com), us-east-1 (N. Virginia) (sts.us-east-1.amazonaws.com), and ap-east-1 (Hong Kong) (sts.ap-east-1.amazonaws.com).