Amazon Web Services (AWS) - Set #14

Powered by Techhyme.com

You have a total of 130 minutes to finish the practice test of AWS Certified SysOps Administrator to test your knowledge.


1. You want to grant access to your application running on AWS, but you don’t want to provide them with long-term credentials. Instead you’d like them to be able to log in by authenticating to an external identity provider such as Google. What is this called?
  • A. Token vending machine
  • B. Web identity federation
  • C. MFA-protected API access
  • D. Web scale identification
Answer - B
Explanation - Web identity federation allows a user to log into an external identity provider, receive an authentication token, and exchange it for temporary AWS credentials.
2. You want to configure web identity federation for your application running on AWS. Which of the following services can help you easily define and control user permissions?
  • A. Security Token Service
  • B. Cognito
  • C. OpenID Connect
  • D. Resource Access Manager
Answer - B
Explanation - Cognito can create IAM roles to define permissions for users. STS provides temporary credentials in exchange for a Cognito token but doesn’t control user permissions. OpenID Connect is an authentication framework used by some identity providers. Resource Access Manager lets you share a few of your AWS resources with other AWS accounts.
3. You’re currently using a token vending machine (TVM) running on a single EC2 instance to provide temporary AWS credentials to users of your mobile application. As your application has grown, the TVM has been unable to keep up with demand and users are occasionally unable to receive credentials. What approach does AWS recommend to resolve this?
  • A. Deploy the TVM on more instances and use Auto Scaling.
  • B. Upgrade the instance class of the TVM instance.
  • C. Replace the TVM with Cognito.
  • D. Replace the TVM with web identity federation.
Answer - C
Explanation - AWS recommends using Cognito instead of a TVM. Cognito supports web identity federation, but the question doesn’t indicate that it’s needed. Web identity federation can also be implemented without Cognito.
4. You’ve configured an IAM role that has permissions to terminate any EC2 instances. You want to ensure IAM users can’t assume the role unless they provide a valid multi-factor authentication (MFA) token. Which of the following must you do to achieve this?
  • A. Configure a password policy to require MFA.
  • B. Add the condition {"Bool": {"aws:MultiFactorAuthPresent": true}} to the role’s trust policy.
  • C. Disable these users’ access keys.
  • D. Apply to the users an identity-based policy that requires MFA in order to terminate EC2 instances.
Answer - B
Explanation - The condition in the role’s trust policy will require a valid MFA token to assume the role. Applying an identity-based policy won’t be effective because once a user assumes a role, they no longer operate under the permissions of their user principal, but of the role. Disabling the users’ access keys won’t prevent them from assuming the role. You can’t configure a password policy to require MFA.
5. You want to allow only specific IAM users to be able to change their own passwords. Other non-administrator users should not be allowed to change their own passwords. Which of the following two steps are necessary to achieve this? (Choose two.)
  • A. Create an identity-based policy to grant the specific users permission to perform the iam:ChangePassword action.
  • B. Implement a password policy that allows users to change their own passwords.
  • C. In the policy, specify the resource arn:aws:iam::account-id:user/${aws:username}.
  • D. Implement a password policy that requires users to create a random password.
Answer - A, C
Explanation - You can grant only specific users access to change their password by creating and applying an identity-based policy that grants them permission to perform the iam:ChangePassword action against their own IAM user resource, which is specified by its ARN in the format arn:aws:iam::account-id:user/${aws:username}. A password policy allowing users to change their own passwords would apply to all users. It’s not possible to implement a password policy requiring users to create a random password, and even if it were, it wouldn’t be necessary for allowing users to change their own passwords.
6. Several custom Python applications use an AWS SDK to assume a particular IAM role named AppRole. For only one application, you need to limit the permissions granted by this role. What’s a secure way to modify the permissions for just this one application?
  • A. Use a session control policy.
  • B. Use a managed session policy.
  • C. Use an IAM permissions boundary.
  • D. Use an access control policy.
Answer - B
Explanation - When assuming a role, you can specify a managed session policy to restrict the permissions granted to the session. Access control policies apply only to cross-account access. An IAM permissions boundary is an identity-based policy, which in this case would apply to the role and hence would impact every application that assumes the role. There’s no such thing as a session control policy.
7. Which of the following policies limit permissions but can’t grant them? (Choose two.)
  • A. Service control policies
  • B. Access control lists
  • C. Trust policy
  • D. Session policies
Answer - A, D
Explanation - Service control policies and session policies can only limit permissions. Access control lists and trust policies can grant permissions.
8. Several custom Python applications use an AWS SDK to assume a particular IAM role named AppRole. The role’s permissions policy grants it write access to all S3 buckets. The application currently writes to a bucket named AppBucket. There’s a bucket policy attached to AppBucket that grants write access to the AppRole role. Developers are going to reconfigure the application to write to a new bucket named AppBucketData, and you want to ensure the application can’t write any more data to AppBucket. How can you accomplish this?
  • A. Modify the role’s permissions boundary.
  • B. Implement a session policy.
  • C. Modify the bucket policy.
  • D. Implement a service control policy.
Answer - D
Explanation - A service control policy can restrict access granted by identity-based and resource-based policies, so it could restrict access to the AppBucket bucket by limiting the permissions granted by the bucket policy and the role’s permissions policy. Simply modifying the bucket policy would still leave access via the role’s permissions policy. A session policy and permissions boundaries can’t limit access granted by a resource-based policy.
9. You’re creating a policy that allows the TerminateInstances action against all EC2 instances except for one that’s untagged. Which of the following policy elements should you use?
  • A. NotAction
  • B. NotResource
  • C. NotPrincipal
  • D. Condition
Answer - B
Explanation - You would need to specify the excepted instance as NotResource. There’s no need to use the NotAction element. You can’t use Condition to specify an instance. Principal and NotPrincipal have no effect in an identity-based policy.
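Questions 4 through 9 all turn on how an IAM policy document is evaluated: a Bool condition on aws:MultiFactorAuthPresent in a trust policy, the ${aws:username} variable in a Resource ARN, a session policy that can narrow but never widen what a role’s permissions policy grants, and NotResource to except a single instance. The following is an added example, not code from the practice test or from AWS: a small Python evaluator that models only those mechanics (Effect, Action, Resource/NotResource with wildcards, the Bool operator, ${aws:username} substitution, explicit-deny-wins, and session-policy intersection) and runs them against constructed sample policies. The account id 123456789012, the user names and the instance id are constructed placeholders; Principal is not evaluated, and real IAM evaluation covers far more (other condition operators, resource-based policies, SCPs, permissions boundaries).

```python
"""Toy IAM-style policy evaluator (added example, not AWS code).

Models only: Effect, Action, Resource/NotResource with '*' wildcards,
${aws:username} substitution, the Bool condition operator, explicit-deny-wins,
and the rule that a session policy can only narrow identity permissions.
"""
import fnmatch


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _substitute(text, ctx):
    """Expand ${key} policy variables (e.g. ${aws:username}) from the request context."""
    for key, val in ctx.items():
        text = text.replace("${" + key + "}", str(val))
    return text


def _condition_met(condition, ctx):
    """Only Bool is modelled. A key missing from the request context fails the
    condition, which is why a request without an MFA token never satisfies
    aws:MultiFactorAuthPresent."""
    for operator, pairs in (condition or {}).items():
        if operator != "Bool":
            raise NotImplementedError(f"operator {operator} not modelled")
        for key, expected in pairs.items():
            actual = ctx.get(key)
            if actual is None or str(actual).lower() != str(expected).lower():
                return False
    return True


def _statement_matches(stmt, action, resource, ctx):
    actions = _as_list(stmt.get("Action", []))
    if not any(fnmatch.fnmatchcase(action, a) for a in actions):
        return False
    if "NotResource" in stmt:  # statement applies to everything EXCEPT these
        excluded = [_substitute(r, ctx) for r in _as_list(stmt["NotResource"])]
        if any(fnmatch.fnmatchcase(resource, r) for r in excluded):
            return False
    else:
        allowed = [_substitute(r, ctx) for r in _as_list(stmt.get("Resource", "*"))]
        if not any(fnmatch.fnmatchcase(resource, r) for r in allowed):
            return False
    return _condition_met(stmt.get("Condition"), ctx)


def evaluate(policies, action, resource, ctx):
    """Explicit Deny wins; otherwise Allow if any statement allows; else implicit Deny."""
    decision = "Deny"
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if _statement_matches(stmt, action, resource, ctx):
                if stmt["Effect"] == "Deny":
                    return "Deny"
                decision = "Allow"
    return decision


def effective_decision(identity_policies, action, resource, ctx, session_policy=None):
    """A session policy is intersected with the identity policies: it can remove
    a permission but never add one the identity policies did not grant."""
    decision = evaluate(identity_policies, action, resource, ctx)
    if decision == "Allow" and session_policy is not None:
        decision = evaluate([session_policy], action, resource, ctx)
    return decision


ACCOUNT = "123456789012"  # constructed sample account id

# Q4: trust policy requiring MFA to assume the role (Principal is not evaluated here)
MFA_TRUST_POLICY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}}}

# Q5: a user may change only their own password
CHANGE_OWN_PASSWORD = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "iam:ChangePassword",
    "Resource": f"arn:aws:iam::{ACCOUNT}:user/${{aws:username}}"}}

# Q6/Q7: AppRole's permissions policy and a session policy that narrows it
APPROLE_PERMISSIONS = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
READ_ONLY_SESSION = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:GetObject", "Resource": "*"}}

# Q9: terminate any instance except one (constructed instance id)
UNTAGGED_INSTANCE = f"arn:aws:ec2:us-east-1:{ACCOUNT}:instance/i-0123456789abcdef0"
TERMINATE_EXCEPT_ONE = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "ec2:TerminateInstances",
    "NotResource": UNTAGGED_INSTANCE}}
```

Running the sample policies through evaluate() shows the answer key’s reasoning directly: sts:AssumeRole against MFA_TRUST_POLICY is denied when the request context lacks aws:MultiFactorAuthPresent, alice can change her own password but not bob’s, the read-only session policy turns AppRole’s s3:PutObject into a Deny without being able to grant anything on its own, and TERMINATE_EXCEPT_ONE allows every instance ARN except the one named in NotResource.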
10. Which of the following Security Token Service (STS) API actions support multi-factor authentication (MFA)?
  • A. GetFederationToken
  • B. AssumeRole
  • C. AssumeRoleWithWebIdentity
  • D. AssumeRoleWithSAML
Answer - B
Explanation - AssumeRole and GetSessionToken are the only actions that support MFA.
11. Which of the following Security Token Service (STS) API actions doesn’t support session policies?
  • A. GetSessionToken
  • B. AssumeRole
  • C. AssumeRoleWithSAML
  • D. GetFederationToken
Answer - A
Explanation - GetSessionToken is the only action that doesn’t support session policies.
12. Which of the following is required to import a certificate into Amazon Certificate Manager (ACM)? (Choose two.)
  • A. Certificate signing request
  • B. PEM-encoded certificate body
  • C. Certificate private key
  • D. Certificate chain
Answer - B, C
Explanation - A PEM-encoded certificate body and private key are required to import a certificate. You can optionally provide a certificate chain. You don’t have to provide a certificate signing request.
13. Which of the following is required for importing a certificate into Amazon Certificate Manager (ACM)?
  • A. The public key algorithm must be 2048-bit RSA.
  • B. The certificate can’t be self-signed.
  • C. The private key must be encrypted.
  • D. The certificate must contain a public key.
Answer - D
Explanation - The certificate must contain a public key, which can be 1024-, 2048-, or 4096-bit RSA or Elliptic Prime Curve 256-, 384-, or 521-bit. The certificate can be self-signed. The private key can’t be encrypted.
14. Which of the following services can detect whether an EC2 instance has been compromised by malware?
  • A. Shield Standard
  • B. GuardDuty
  • C. Inspector
  • D. Web Application Firewall (WAF)
Answer - B
Explanation - GuardDuty analyzes VPC flow logs, CloudTrail logs, and Route 53 DNS query logs to look for malicious network activity that could be an indication of malware. Inspector scans instances for vulnerabilities but doesn’t detect suspicious activity. AWS Shield Standard and WAF protect AWS resources from threats outside of AWS.
15. On an EC2 instance, you’re running a legacy application that has a hard-coded SQL connection string in its configuration. The application connects to a self-hosted Microsoft SQL Server in the same VPC. Which of the following can help protect the connection string from exposure? (Choose two.)
  • A. Use Relational Database Service (RDS) instead of the self-hosted database.
  • B. Put the connection string in AWS Secrets Manager.
  • C. Encrypt the connection string.
  • D. Reconfigure the application to programmatically retrieve the connection string.
Answer - B, D
Explanation - Using AWS Secrets Manager to store the connection string and configuring the application to programmatically retrieve it can help protect the string from exposure. Using RDS or encrypting the string won’t protect it from exposure.
16. You host an application that connects to a third-party service using an API key. You want to begin rotating the API key automatically on a regular basis. How can you do this securely and with minimal effort? (Choose two.)
  • A. Store the API key in AWS Secrets Manager.
  • B. Store the API key in Key Management Service (KMS).
  • C. Store the API key in a DynamoDB table.
  • D. Create a Lambda function to rotate the key.
Answer - A, D
Explanation - Storing the API key in AWS Secrets Manager is the most secure option, as it encrypts secrets at rest. A Lambda function can integrate with Secrets Manager to automatically rotate the key. You can’t store an API key in KMS. Securely storing and rotating the key in DynamoDB is possible but would require more effort than using Secrets Manager.
17. Two days ago, you enabled GuardDuty on your account. Today, while analyzing CloudWatch metrics, you notice that an EC2 instance in your account is sending an unusually large volume of data. GuardDuty reports no findings. Which of the following could explain this?
  • A. GuardDuty findings are updated only twice a day.
  • B. It takes several days for GuardDuty to establish a baseline.
  • C. GuardDuty doesn’t detect unusual traffic volume.
  • D. VPC flow logging isn’t configured.
Answer - B
Explanation - It takes GuardDuty 7 to 14 days to establish a baseline for certain finding types, including the Behavior:EC2/TrafficVolumeUnusual finding. GuardDuty findings are updated in real time. You don’t need to configure VPC Flow Logs in order to use GuardDuty to monitor network traffic ingressing or egressing a VPC.
18. During a routine penetration test of Linux EC2 instances in a private subnet, you discover that a developer accidentally left a web service listening on port 8000. Which of the following would have alerted you to this fact?
  • A. Web Application Firewall
  • B. Macie
  • C. Inspector
  • D. GuardDuty
Answer - C
Explanation - Inspector checks instances for listening TCP ports that don’t receive any traffic during the assessment run. GuardDuty, Macie, and Web Application Firewall would not have discovered this.
19. You want to receive a notification when a new Windows Server AMI is released. Which of the following SNS topics should you subscribe to?
  • A. arn:aws:sns:us-east-1:amazon:ec2-windows-ami-update
  • B. arn:aws-us-gov:sns:us-gov-west-1:aws-usgov:ec2-windows-ami-update
  • C. arn:aws:sns:us-east-1:801119661308:ec2-windows-ami-private
  • D. arn:aws:sns:us-east-1:801119661308:ec2-windows-ami-update
Answer - D
Explanation - Amazon publishes notifications about new Windows AMIs to the ec2-windows-ami-update topic. The ec2-windows-ami-private topic is for when Amazon makes obsolete Windows AMIs private. The other two aren’t valid ARNs.
20. Which of the following AWS CLI commands will yield the AMI ID of the latest Windows Server 2019 image in the us-east-1 (N. Virginia) region?
  • A. aws ssm get-parameters --names /aws/service/ami-windows-latest/Windows_Server-2016-English-Full-Base --region us-east-1
  • B. aws ssm get-parameters --names /aws/service/ami-windows-latest/Windows_Server-2019-English-Full-Base --region us-east-1
  • C. aws ec2 describe-images --owners amazon --filters "Name=name,Values=Windows_Server-2019-English-Full-Base*" --query 'sort_by(Images, &CreationDate)[].Name'
  • D. aws ec2 describe-images --owners amazon --filters "Name=name,Values=Windows_Server-2019-English-Full-Base*" --query 'sort_by(Images, &CreationDate)[].Name' --region us-east-1
Answer - B
Explanation - AWS publishes the latest AMI ID as a Simple Systems Manager (SSM) public parameter that you can query by the AMI’s alias, which in this case is Windows_Server-2019-English-Full-Base. The aws ec2 describe-images commands would yield a list of AMI aliases for Windows Server 2019, but not the latest AMI ID.
21. Which of the following Amazon Inspector rules does not generate findings for Windows instances?
  • A. Unused listening TCP ports
  • B. Software without data execution prevention (DEP)
  • C. Non-secure client protocols
  • D. Non-secure server protocols
Answer - B
Explanation - The software without data execution prevention (DEP) rule generates findings only for Linux instances. The other rules generate findings for Linux and Windows instances.
22. You need to determine how many times a Lambda function was triggered over the past month. The CloudWatch log group for the function has been deleted. How can you determine this information with minimal effort?
  • A. Create a metric filter for the function’s log stream.
  • B. Restore the log group.
  • C. View the Invocations metric for the functions in the Lambda CloudWatch namespace.
  • D. Count the number of Invoke actions in the CloudTrail event logs.
Answer - C
Explanation - Lambda function invocations are stored in CloudWatch Metrics. Deleting the log group for a function has no effect on metrics, but it does result in the log stream being deleted. You can’t restore a deleted log group, and even if you could, creating a metric filter for function invocations would not generate a retroactive metric. CloudTrail event logs would contain function invocations, but counting them would require more effort than just checking CloudWatch Metrics.
23. Your organization is developing an application that will use a Simple Queue Service queue. You need to allow authorized users both with and without AWS accounts to add items to the queue. Which of the following approaches will achieve this with the least effort? (Choose three.)
  • A. Create an IAM role.
  • B. Create an SQS queue policy.
  • C. Add the * principal to the queue policy.
  • D. Add the role to the policy as a principal.
  • E. Add the * principal to the role’s trust policy.
Answer - A, B, D
Explanation - The solution requiring the least effort includes creating an IAM role that can be assumed by a user in another account or by a non-AWS user via an identity provider. An SQS queue policy grants the role access to the queue by specifying the role as a principal. Specifying the wildcard (*) as a principal for either the queue policy or the role’s trust policy would give everyone access to the queue.
24. How does CodeBuild isolate customer build environments?
  • A. Separate compute instances
  • B. Isolated Docker containers
  • C. Access control lists
  • D. Separate VPCs
Answer - B
Explanation - Each build environment runs in an isolated Docker container. Isolation is not achieved by using separate compute instances, access control lists, or separate VPCs.
25. You’re using the Relational Database Service (RDS) to host a SQL database in a private subnet. The RDS instance connects to the Internet via a NAT gateway. You want to use CodeBuild to perform integration tests against data in this database. How can you connect to the RDS instance from the build environment? (Choose two.)
  • A. Connect to the RDS instance’s public endpoint.
  • B. Connect to the RDS instance’s private endpoint.
  • C. Enable VPC access in your CodeBuild project.
  • D. Configure port forwarding on the NAT gateway.
Answer - B, C
Explanation - To connect a CodeBuild environment to an RDS instance in a private subnet, you must connect the environment to the VPC the instance is in. The RDS instance doesn’t have a public endpoint. You can’t configure port forwarding on a NAT gateway.
26. You want CodeBuild to pull a Docker image from your Elastic Container Registry (ECR) in the same account. Which of the following do you need to do to grant CodeBuild the necessary permissions?
  • A. Add codebuild.amazonaws.com as a principal to the repository’s resource-based policy.
  • B. Add the ARN of the AWS account’s root user to the repository’s resource-based policy.
  • C. Add the ecr:BatchGetImage action to a permissions policy applied to the user that will be running the build.
  • D. Specify the SID CodeBuildAccess in the repository’s policy.
Answer - A
Explanation - To grant CodeBuild permissions to pull a Docker image from ECR using its own credentials, you need to add the service principal to the repository’s policy. Adding permissions for a user won’t have any impact on the permissions of the service. A SID is just an identifier and doesn’t grant permissions.
27. You’re currently storing a password as a SecureString parameter in AWS Simple Systems Manager (SSM). You reference the parameter named “password” from an application running on an EC2 instance. You want to automatically rotate this password regularly. How can you achieve this with minimal effort? (Choose two.)
  • A. Manually rotate the password as needed.
  • B. Store the password in AWS Secrets Manager and name it “password.”
  • C. Reference the secret using the SSM parameter name “/aws/reference/secretsmanager/password.”
  • D. Reference the secret using the name “password.”
Answer - B, C
Explanation - AWS SSM can reference secrets stored in AWS Secrets Manager. The easiest solution is to add the secret to AWS Secrets Manager, name it “password,” modify the application to reference the SSM parameter name “/aws/reference/secretsmanager/password.” Modifying the application to query AWS Secrets Manager directly would require more work, as would manually rotating the password.
28. You stored a plaintext string named “secretstring” in AWS Systems Manager Parameter Store. When using the AWS CLI command aws ssm get-parameters --names securestring to retrieve it, you get back an encrypted value. How can you retrieve the unencrypted value of the string?
  • A. Use the aws kms decrypt command.
  • B. Obtain administrator access to the customer master key used to encrypt it.
  • C. Obtain usage access to the customer master key used to encrypt it.
  • D. Add the --with-decryption flag to the command.
Answer - D
Explanation - Appending the --with-decryption flag will decrypt the string. Just having access to the encryption key isn’t enough. The aws kms decrypt command won’t decrypt the encrypted value.
29. Your organization currently uses Microsoft Active Directory (AD). You want to integrate your on-premises AD-aware applications with AWS but must remain compliant with Payment Card Industry Data Security Standard (PCI DSS) version 3.2. Which of the following AWS services helps to meet the requirement?
  • A. LDAP
  • B. AWS Managed Microsoft AD
  • C. Simple AD
  • D. AD Connector
Answer - B
Explanation - AWS Managed Microsoft AD is the only PCI DSS–compliant service for integrating on-premises AD-aware applications with AWS. LDAP is a protocol, not an AWS service.
30. Which of the following AWS Directory Service options support multi-factor authentication (MFA)? (Choose two.)
  • A. AWS Directory Service for Microsoft Active Directory
  • B. Simple AD
  • C. AD Connector
  • D. IAM
Answer - A, C
Explanation - AWS Directory Service for Microsoft AD and AD Connector both support MFA. Simple AD doesn’t. IAM is not a part of AWS Directory Service.
31. You need a Microsoft Active Directory–compatible service that supports group policies for 50 Windows instances. Which of the following solutions will meet your needs and require the least effort?
  • A. AWS Directory Service for Microsoft AD
  • B. Simple AD
  • C. AD Connector
  • D. Amazon Cloud Directory
Answer - B
Explanation - Simple AD is a stand-alone Active Directory–compatible server that can store up to 20,000 objects and supports group policies. AWS Directory Service for Microsoft AD supports group policies but is more complicated to configure. AD Connector redirects requests to an existing Active Directory but can’t act as a stand-alone AD server. Amazon Cloud Directory doesn’t provide any AD services.
32. You want to use Amazon Inspector to scan applications on your CentOS Linux and Windows EC2 instances for vulnerabilities. Which of the following applications will Inspector not scan? (Choose two.)
  • A. Binary files copied directly to the instance
  • B. Applications installed using yum
  • C. Applications installed using Windows Installer
  • D. Stand-alone executables compiled on the instance
Answer - A, D
Explanation - Inspector will scan applications installed using a package manager such as yum or Windows Installer. It won’t scan applications that were compiled on or copied to the instance.
33. Which of the following security services uses an agent installed on an EC2 or on-premises instance?
  • A. Firewall Manager
  • B. GuardDuty
  • C. Inspector
  • D. Macie
Answer - C
Explanation - Inspector scans for vulnerabilities using an agent installed on your instances. Inspector can perform network assessments without an agent. GuardDuty, Macie, and Firewall Manager are agentless.
34. You’re developing a Python web application that will run on AWS. Which AWS service will allow you to securely test and implement the application with minimal effort?
  • A. EC2
  • B. Lambda
  • C. Elastic Beanstalk
  • D. ECS
Answer - B
Explanation - Lambda is a serverless compute service that makes it easy to deploy and upgrade applications written in a variety of languages, including Python. You provide the application code, and Lambda provides the rest. EC2 requires you to manage the operating system the application runs on. Elastic Beanstalk automates deployment of your application on EC2 instances, but it requires you to create a manifest to define the runtime environment. By default, it makes the application publicly available. ECS requires you to create and deploy containers for your application to run in.
35. You need to apply a security patch to a large number of EC2 instances. What’s the most efficient way to do this?
  • A. Use AWS Systems Manager to apply the patch.
  • B. Create a new AMI with the patch and apply it to the instances.
  • C. Open a support case with AWS.
  • D. Create a new AMI with the patch and update the Auto Scaling group to use the new AMI.
Answer - A
Explanation - The most efficient approach is to use AWS Systems Manager to apply the patch. There’s no indication that autoscaling is being used. You can’t apply an AMI to an existing instance. It’s not the responsibility of AWS to patch EC2 instances.
36. Where can you view the patching status of an RDS instance?
  • A. The RDS Console
  • B. SSM Patch Manager
  • C. Artifact
  • D. SSM Compliance Manager
Answer - A
Explanation - The RDS Console displays the current patching status of RDS instances. Because RDS instances aren’t EC2 or on-premises instances, they can’t be patched with SSM Patch Manager and won’t show up in SSM Compliance Manager. Artifact allows you to download security and compliance documents for AWS services.
37. You need to determine which instances were using a particular AMI exactly 99 days ago. Which of the following services can you use to get this information with the least effort?
  • A. SSM Compliance Manager
  • B. AWS Config
  • C. CloudTrail logs
  • D. CloudTrail events
Answer - B
Explanation - AWS Config tracks the configuration status of resources over time and can show the relationships between resources. You could use CloudTrail logs to derive this information, but it would require more effort. CloudTrail events don’t contain information for events more than 90 days old, and even if they did, this would require more effort than using AWS Config. SSM Compliance Manager can be used to analyze which AMIs instances you are currently using, but it won’t show this information from 99 days ago.
38. You have a fleet of EC2 instances running the Apache web server. You routinely upgrade Apache as new security updates are released. You need to track which versions are installed on each instance over time. Which of the following should you use to achieve this with minimal effort? (Choose two.)
  • A. AWS Config
  • B. Systems Manager Automation
  • C. CloudWatch Events
  • D. Systems Manager Inventory
Answer - A, D
Explanation - Systems Manager Inventory can run periodically to detect which applications are installed on EC2 instances. AWS Config can track these state changes over time. Systems Manager Automation can be used to perform changes to your AWS resources but doesn’t perform any inventory collection on instances. CloudWatch Events performs actions on a schedule or in response to events in your AWS environment.
39. You want to receive a notification whenever anyone performs a port scan against your public EC2 instances. Which of the following services should you use to achieve this with the least effort? (Choose two.)
  • A. GuardDuty
  • B. Lambda
  • C. CloudWatch Events
  • D. Simple Email Service
Answer - A, C
Explanation - GuardDuty can monitor for port scans, and when it generates a finding, it can trigger a CloudWatch Events rule to send a notification using Simple Notification Service. There’s no need to use Lambda or Simple Email Service.
40. You’ve used Inspector to perform network assessments against your running EC2 instances. Some of the findings show which processes are listening on accessible ports, but others don’t. What do you need to do to ensure that the findings show listening processes on the remaining instances?
  • A. Add an inbound security rule to allow the Inspector service to reach the instances.
  • B. Stop the instances.
  • C. Install the Inspector agent.
  • D. Run an assessment using host assessments.
Answer - C
Explanation - The Inspector agent must be installed on instances for Inspector findings to show listening processes. Running a host assessment won’t generate a finding that shows this information. If the instances are stopped, the agent won’t be running. An inbound security rule isn’t needed because the agent initiates the connection to the Inspector service.
41. You’re running a fleet of EC2 instances behind an application load balancer with an elastic IP address. You’re allowing public IP access to TCP ports 80 and 443. Which of the following can alert you about distributed denial of service (DDoS) layer 7 attacks against the instance?
  • A. Web Application Firewall (WAF)
  • B. Shield Advanced
  • C. Shield Standard
  • D. Firewall Manager
Answer - B
Explanation - AWS Shield Advanced automatically alerts you to application layer (layer 7) attacks. WAF requires you to create your own rules to identify and mitigate layer 7 attacks. Firewall Manager is a management interface for WAF and AWS Shield Advanced, but it doesn’t provide protection by itself.
42. You need to enlist the help of Amazon’s DDoS Response Team (DRT) to mitigate potential attacks against your elastic load balancer. Which of the following tasks can the DRT perform on your behalf to achieve this?
  • A. Identifying the source of the attack
  • B. Creating WAF web access control lists in your account
  • C. Stopping the attack at its source
  • D. Proactively mitigating layer 7 attacks
Answer - B
Explanation - You can grant permission to the DRT to create WAF web access control lists to mitigate an attack. The DRT doesn’t proactively mitigate layer 7 attacks, nor does it stop them at the source. The DRT can’t conclusively identify the source of an attack.
43. Which of the following is most effective at absorbing a distributed denial of service (DDoS) attack?
  • A. AWS AirBag
  • B. CloudFront
  • C. Elastic load balancing
  • D. 10-gigabit EC2 network interfaces
Answer - B
Explanation - CloudFront is the most effective option for absorbing DDoS attacks as it processes requests at edge locations, keeping the malicious traffic away from your AWS resources. Elastic load balancing occurs within your VPC, and a DDoS attack could overwhelm your VPC resources. Many DDoS attacks can exceed hundreds of gigabits per second, so using 10-gigabit EC2 network interfaces also isn’t the most effective option. There’s no service called AWS AirBag (yet).
44. You run a web application on a fleet of EC2 instances behind an elastic load balancer. You need to count the number of requests from China over a period of six months. Which of the following services can help you accomplish this with the least effort?
  • A. GuardDuty
  • B. Web Application Firewall (WAF)
  • C. CloudWatch Metrics
  • D. CloudFront
Answer - B
Explanation - You can use WAF to create rules that count the number of requests from a particular country. You can get visibility into the origin of requests using CloudFront, but it requires more effort.
45. You need to monitor for suspicious access to files in your S3 buckets. Which of the following provides the most cost-effective solution with the least effort?
  • A. Macie
  • B. GuardDuty
  • C. CloudWatch
  • D. Lambda
Answer - A
Explanation - Macie specifically monitors CloudTrail event logs for suspicious activity against your S3 buckets. There’s no charge for analyzing the first 10,000 events. GuardDuty provides more broad protection by analyzing resource access patterns across your AWS account. You could monitor S3 access by streaming CloudTrail data logs to CloudWatch Logs, but this would require analyzing the logs yourself. Likewise, you could use Lambda to perform this analysis, but this too would require a great deal of effort.
46. Where can you obtain the public IP address of a Linux EC2 instance?
  • A. Ping the instance’s private DNS name.
  • B. The user data
  • C. The instance metadata
  • D. The ifconfig command
Answer - C
Explanation - The public IP address of an instance is stored in the instance metadata. User data is defined at instance launch and doesn’t define the instance’s public IP address. The ifconfig command won’t display the public IP address because it’s not assigned to the interface.
47. From within an EC2 instance, sending an HTTP GET request to which of the following URLs will return an instance’s public IP address?
  • A. 169.254.169.254/latest/meta-data/public-ipv4
  • B. 169.254.169.254/1.0/meta-data/local-ipv4
  • C. 169.254.169.254/latest/dynamic/public-ipv4
  • D. 169.254.169.254/latest/meta-data/local-ipv4
Answer - A
Explanation - Sending an HTTP GET request to 169.254.169.254/latest/meta-data/public-ipv4 will return the instance’s public IP address. Sending a request to 169.254.169.254/1.0/meta-data/local-ipv4 or 169.254.169.254/latest/meta-data/local-ipv4 will yield the instance’s private IP address. 169.254.169.254/latest/dynamic/public-ipv4 isn’t a valid URL.
48. Which of the following two components are required for configuring a VPN connection between a VPC and an on-premises network? (Choose two.)
  • A. A default route to the virtual private gateway
  • B. Virtual private gateway
  • C. A default route to the Internet gateway
  • D. Customer gateway
Answer - B, D
Explanation - A virtual private gateway and customer gateway are required to set up a VPN connection. An Internet gateway isn’t necessary. Although a default route to the virtual private gateway is allowed, it’s not required.
49. You’re running a web service on EC2 instances in an Auto Scaling group. These instances are members of an application load balancer target group. How can you ensure an instance is replaced when the web service fails on it? (Choose two.)
  • A. Configure the Auto Scaling group to use an EC2 health check.
  • B. Configure a UDP health check to monitor the web service.
  • C. Configure an ELB health check to monitor the web service.
  • D. Configure the Auto Scaling group to use an ELB health check.
Answer - C, D
Explanation - Configuring ELB health checks to monitor the web service and then using that health check in the Auto Scaling group will ensure that any instance on which the web service fails will be replaced. Using an EC2 health check will only look at the system status and instance status, but not the status of the web service. There is no UDP health check.
50. You’re running a database-backed web application on six EC2 instances behind an application load balancer. The instances are evenly distributed across private subnets in three availability zones. CloudWatch shows that some instances are incurring significantly higher CPU utilization than others. Which of the following could be the reason?
  • A. Clients are connecting directly to the public IP addresses of some instances.
  • B. Session stickiness is enabled on the elastic load balancer.
  • C. Health checks are occurring too rapidly.
  • D. Cross-zone load balancing is disabled.
Answer - B
Explanation - Enabling session stickiness can result in uneven distribution to instances. Once a client is routed to an instance, it receives a session cookie and subsequent requests are routed to the same instance until the session cookie expires. Disabling cross-zone load balancing wouldn’t cause the issue in this case because the instances are evenly distributed across availability zones. The instances don’t have public IP addresses because they’re in private subnets.