Amazon Web Services (AWS) - Set #2

Powered by Techhyme.com

You have a total of 130 minutes to finish the practice test of AWS Certified SysOps Administrator to test your knowledge.


1. When an alarm is triggered in Amazon CloudWatch that appears to be reporting hardware failure, your boss wants the Amazon EC2 instance to recover itself. How can you recover an Amazon EC2 instance when it is on a host that is having hardware issues?
  • A. Set an alarm action to trigger a reboot.
  • B. Set an alarm action to stop the instance.
  • C. Set an alarm action to terminate the instance.
  • D. Set an alarm action to recover the instance.
Answer - D
Explanation - When you want an Amazon EC2 instance to recover itself, meaning that it migrates itself to another host, you select the alarm action of Recover the Instance. Reboot, stop and terminate are not used to recover an Amazon EC2 instance.
2. Your organization has development workloads that run on Amazon EC2 instances. Your boss has asked you to determine the best method to ensure that the development instances are not left running when they are not in use. What is the best method to accomplish this goal?
  • A. Use Amazon CloudWatch to watch for low CPU utilization. Set the alarm action to stop the instance when the alarm is triggered.
  • B. Use Amazon CloudWatch to watch for low CPU utilization. Set the alarm action to terminate the instance when the alarm is triggered.
  • C. Use Amazon CloudWatch to watch for high CPU utilization. Set the alarm action to stop the instance when the alarm is triggered.
  • D. Use Amazon CloudWatch to watch for high CPU utilization. Set the alarm action to terminate the instance when the alarm is triggered.
Answer - A
Explanation - In this case, the best solution is to use Amazon CloudWatch to watch for low CPU utilization and set the alarm action to stop the instance. This will ensure that when the Amazon EC2 is not in use it will be turned off.
3. When is a good time to use the Terminate alarm action?
  • A. When an Amazon EC2 instance is currently not needed anymore but will be needed later.
  • B. When an Amazon EC2 instance needs to be running 24x7.
  • C. When an Amazon EC2 instance is not needed after finishing a job.
  • D. You should never use the Terminate alarm action.
Answer - C
Explanation - Terminating the Amazon EC2 instance effectively destroys it. It is a useful alarm action when you have some Amazon EC2 instances running a job. Once the job is complete, when you set the alarm action to terminate, the Amazon EC2 instances are destroyed afterward, which prevents you from paying for instances that are not in use. If you need to use an Amazon EC2 instance later, it is better to stop it than to terminate it. If an Amazon EC2 instance needs to run 24x7, then you should not use terminate on it.
4. Your boss would like to view previous Amazon CloudWatch alarms. Where can these be viewed?
  • A. The Alarms tab in the AWS Management Console.
  • B. The Alarms tab in the Amazon EC2 Management Console.
  • C. The History tab in the AWS Management Console.
  • D. The History tab in the Amazon CloudWatch Console.
Answer - D
Explanation - You can view prior Amazon CloudWatch alarms in the History tab that is available in the Amazon CloudWatch Console. There is no History tab in the AWS Management Console. There is no Alarms tab in the AWS Management Console or the Amazon EC2 Management Console.
5. Your boss has come to you asking if there is an easy way to view the usage each month to see how much their assets in AWS are going to cost. Where can they go to see this information?
  • A. They can view this information in the AWS Management Console.
  • B. They can view this information in AWS Billing and Cost Management.
  • C. They can view this information in AWS Trusted Advisor.
  • D. They can’t; there is no way to monitor for this in AWS.
Answer - B
Explanation - AWS Billing and Cost Management allows you to view your usage and create budgets. AWS Trusted Advisor can help determine methods to save money (think cost optimization), but it does not let you view usage in relation to billing. While AWS Billing and Cost Management exists in the AWS Management Console, you don’t get usage information from the AWS Management Console; you get it from AWS Billing and Cost Management.
6. Your security team has asked you if there is a way to report on anyone who made changes in AWS Billing and Cost Management using the root credentials. What should you tell them?
  • A. No. There isn’t a way to tell if a change was made as the root account.
  • B. No. You can tell that a change was made, but you can’t tell who made the change.
  • C. Yes. You can make a report in Amazon CloudWatch that will tell them if the root user was used to make changes in the AWS Billing and Cost Management Console.
  • D. Yes. You can make a report in AWS CloudTrail that will tell them if the root user was used to make changes in the AWS Billing and Cost Management Console.
Answer - D
Explanation - AWS CloudTrail logs every action taken in the AWS Billing and Cost Management Console. It can tell you if the change was made as the root user or an IAM user. Amazon CloudWatch does not track who made changes to what.
7. Your organization is just getting started using AWS. It has opted to use the AWS Free Tier to do a proof of concept. Your boss wants to ensure that they will get an alert if they will exceed what the AWS Free Tier provides. What is the best way to give them the alert they need with the least amount of administrative overhead?
  • A. Set up an AWS Free Tier alert in AWS Budgets.
  • B. Set up an AWS Free Tier alert in Amazon CloudWatch.
  • C. Set up an AWS Free Tier alert in AWS CloudTrail.
  • D. Set up a manual billing alert utilizing Amazon CloudWatch.
Answer - A
Explanation - AWS Budgets includes the ability to set up an AWS Free Tier alert out of the box that will tell you if you are getting close to exceeding the limits of AWS Free Tier or if you are likely to exceed it based on forecasting of your usage. AWS CloudTrail does not make alarms on its own. Amazon CloudWatch does not have an out-of-the-box report for AWS Free Tier, though you could set one up manually.
8. You are the system administrator in charge of getting your organization’s AWS environment set up. You want to enable billing alerts, but when you log in with your IAM account, you are unable to do so. Why can’t you create the billing alert?
  • A. Your IAM account doesn’t have the necessary permissions; you need more access.
  • B. You can’t set up billing alerts in AWS; you have to arrange them with your technical account manager.
  • C. You need to be signed in with the AWS account’s root user credentials to enable billing alerts.
  • D. It is not possible to set up billing alerts in AWS.
Answer - C
Explanation - To enable billing alerts, you must be logged in as the root user for the AWS account. You don’t need a TAM; you can set up the billing alert once you are logged in as the root account.
9. What are the valid statuses you can get from the Amazon EC2 health checks? (Choose two.)
  • A. Pass
  • B. Fail
  • C. OK
  • D. Impaired
  • E. Offline
Answer - C, D
Explanation - When a health check is run on an Amazon EC2 instance, you can get two types of statuses. OK means that all of the health checks have passed. If any of the health checks fail, then the status displayed is Impaired.
10. You don’t like the status checks and the alerting done from the status checks that exist on Amazon EC2.
  • A. You can disable them by turning off the monitoring in the Amazon EC2 instance.
  • B. You can disable them by installing the Amazon CloudWatch Logs agent and then disabling them through the agent.
  • C. You can’t disable them; they are part of Amazon EC2.
  • D. You can’t disable them; they are part of Amazon EC2. You can disable the alerts that trigger off of the status checks.
Answer - D
Explanation - As the status checks themselves are a part of the Amazon EC2 instances, you can’t disable them. You can, however, disable the CloudWatch alarms that utilize the status checks to trigger.
11. How can you view the status checks for your organization’s Amazon EC2 instances? (Choose two.)
  • A. Amazon EC2 Console
  • B. AWS Management Console
  • C. Command Line
  • D. Amazon CloudWatch Console
  • E. AWS CloudTrail Console
Answer - A, C
Explanation - If you need to view the status checks for your organization’s Amazon EC2 instances, you can look at them in either the Amazon EC2 Console or the Command Line. Status checks are not available through either Amazon CloudWatch or AWS CloudTrail.
12. Where should you create an alarm for a failed Amazon EC2 status check failure?
  • A. Amazon EC2 Console
  • B. Amazon CloudWatch Console
  • C. AWS CloudTrail Console
  • D. AWS Management Console
Answer - A
Explanation - You can create alarms based on status checks in the Amazon EC2 Console. This type of alarm is not created in Amazon CloudWatch. AWS CloudTrail is not used to create alarms, and the AWS Management Console does not give you the ability to create alarms, though it does allow you to get to the Amazon EC2 Console.
13. How long are statistics retained in Amazon CloudWatch?
  • A. 6 months
  • B. 12 months
  • C. 15 months
  • D. 30 months
Answer - C
Explanation - Amazon CloudWatch statistics are retained for 15 months. This gives you historical information on the availability and performance of your various systems.
14. Which product would you use to monitor all API calls including activities performed on the AWS Management Console against Amazon EC2 and Amazon EBS?
  • A. Amazon CloudWatch
  • B. AWS CloudTrail
  • C. Amazon API Gateway
  • D. AWS Lambda
Answer - B
Explanation - You would use AWS CloudTrail to monitor all of the API calls performed against Amazon EC2 and Amazon EBS, including activities performed in the AWS Management Console. Amazon CloudWatch is not used to monitor API calls. The Amazon API Gateway is used as an API management service but would not be an appropriate response in this case. AWS Lambda allows you to execute code but does not monitor API calls.
15. Where do the trails from AWS CloudTrail store their data?
  • A. Amazon EBS
  • B. Amazon EFS
  • C. Amazon EC2 instance
  • D. S3 bucket
Answer - D
Explanation - AWS CloudTrail stores its trails in S3 buckets. Amazon EBS is used to provide storage drives on Amazon EC2 instances. Amazon EFS provides fileserver-like experiences, but it is not used for storing AWS CloudTrail trails. Amazon EC2 instances are not used to store trails from AWS CloudTrail.
16. Your boss has asked you if there is a way to validate that all of the AWS services that you rely on are up and operational. What should your answer be?
  • A. Yes, we can check the Service Health Dashboard.
  • B. Yes, we can check Amazon CloudWatch.
  • C. Yes, we can check AWS CloudTrail.
  • D. No, there is no way to check the AWS services.
Answer - A
Explanation - You should explain to your boss that you can validate AWS services using the Service Health Dashboard. The Service Health Dashboard allows you to select a continent and view the health of the various services. Amazon CloudWatch and AWS CloudTrail do not monitor all of the AWS services; they monitor the resources within your account.
17. Your boss has asked you if there is a way to get a personalized view of all the AWS services that you rely on to confirm that they are up and operational. What should your answer be?
  • A. Yes. We can check the Service Health Dashboard.
  • B. Yes. We can check AWS CloudTrail.
  • C. Yes. We can use the Personal Health Dashboard.
  • D. Yes. We can check Amazon CloudWatch.
Answer - C
Explanation - The Personal Health Dashboard displays similar information to the Service Health Dashboard. The biggest difference is that you don’t need to select a continent for the Personal Health Dashboard: once you log in, it gives you the information based on where your assets are deployed. Neither Amazon CloudWatch nor AWS CloudTrail will give you the kind of information you are looking for.
18. You log into the Personal Health Dashboard. You see a notification that there is a “Route53 operational issue.” You begin getting calls saying that customers aren’t able to reach your website. Could these two issues be related?
  • A. Yes. Amazon Route 53 provides DNS services. If DNS is not working properly, then customers may not be able to reach your resources.
  • B. Yes. Amazon Route 53 provides caching services. If it can’t cache content, then customers may not be able to reach your resources.
  • C. No. Amazon Route 53 errors wouldn’t show up in the Personal Health Dashboard.
  • D. No, the issues couldn’t be related.
Answer - A
Explanation - Amazon Route 53 is Amazon’s DNS service. If the DNS service is degraded and customers are not able to resolve name records to IP addresses, then your website will be down. Additionally, if you are using Amazon Route 53 for internal DNS, you have systems that are not able to communicate internally. Amazon Route 53 does not provide content caching services; that is the job of Amazon CloudFront. As Amazon Route 53 is an Amazon service, it will show up in both the Service Health Dashboard and the Personal Health Dashboard.
19. Your boss has approached you about giving access to only a specific set of Amazon EC2 instances in Amazon CloudWatch. How would you accomplish this in AWS IAM?
  • A. You specify which Amazon EC2 instances can be accessed in an AWS IAM policy.
  • B. You give permissions to the individual Amazon EC2 instances, and those permissions will carry over into Amazon CloudWatch.
  • C. You can’t grant access in Amazon CloudWatch for specific resources with AWS IAM.
  • D. You can create a role that will define granular permissions for individual Amazon EC2 instances in Amazon CloudWatch.
Answer - C
Explanation - You can’t grant access in Amazon CloudWatch for specific resources with AWS IAM. You must give permissions to view Amazon EC2 metrics as a whole; for example, you can’t specify an instance or even a load balancer individually. The other options would not work and may give the end user more permissions than they need to do their job.
20. You have been tasked by your boss to ensure that you receive alerts when a particular event ID occurs on both your on-premises systems and your Amazon EC2 instances. Which product would allow you to collect the logs in a single place, filter on the event ID, and send an alert?
  • A. AWS CloudTrail
  • B. Amazon CloudWatch Logs
  • C. Amazon EC2 Logs
  • D. Amazon SNS
Answer - B
Explanation - Using Amazon CloudWatch Logs allows you to collect all of your event logs in one location and filter on parts of those logs. From there, you can set an alarm in Amazon CloudWatch to trigger Amazon SNS, which will send a notification to anyone who is subscribed to the Amazon SNS topic. AWS CloudTrail does not collect event logs, nor does it allow filtering on logs. Amazon EC2 logs to Amazon CloudWatch, so Amazon EC2 Logs is not real. Amazon SNS is used to send the notification, but it does not collect and parse logs.
21. Your boss wants to leverage your existing investment in AWS as much as possible and has asked you to implement a real-time performance and availability monitoring solution that will cover both your on-premises systems and your resources in the AWS cloud. What should you suggest?
  • A. A third-party tool like SolarWinds
  • B. AWS CloudTrail
  • C. Amazon SNS
  • D. Amazon CloudWatch Logs
Answer - D
Explanation - Amazon CloudWatch Logs allows you to implement real-time monitoring. That, paired with highly durable, low-cost storage, makes this the best solution. The answer on AWS exams will never be a third-party product, so that’s generally an easy way to weed out a wrong answer if you’re stuck. AWS CloudTrail is not used to monitor availability or performance; it monitors API calls. Amazon SNS is not used to monitor availability and performance, though it does pair well with Amazon CloudWatch to send notifications when an alarm is triggered.
22. You have strict regulatory requirements on log retention. You need to find a solution that will allow you to collect logs and store them at a lower cost. What would be the best solution to meet this need?
  • A. Amazon SNS
  • B. AWS CloudTrail
  • C. Amazon CloudWatch Logs
  • D. Amazon EBS
Answer - C
Explanation - Amazon CloudWatch Logs is the clear winner here. Using the Amazon CloudWatch Logs agent, you can rotate logs off of systems to preserve drive space and store those logs in low-cost storage within AWS. Amazon SNS does not store logs; it sends notifications based on topics. AWS CloudTrail does not store logs; it monitors API calls and then stores the data into trails on S3. Amazon EBS is used to add storage to servers and would not be the appropriate response in this case as you would need to attach it to an Amazon EC2 instance, which would raise the cost.
23. Your security team has mandated that you need to avoid using service accounts unless absolutely necessary because of the overhead in managing password rotation. You want to deploy the Amazon CloudWatch Logs agent. What could you use to authenticate the agent that is not a service account?
  • A. Access keys
  • B. AWS IAM
  • C. Active Directory
  • D. There isn’t any option other than a service account.
Answer - A
Explanation - You can use access keys to authenticate the Amazon CloudWatch Logs agent instead of a username and password. As the access key is still tied to a username, you may want to check with your security team that it meets their criteria. While access keys are created in AWS IAM, AWS IAM is not a granular enough response to satisfy this question. While you can link your Active Directory environment to AWS, this is still not getting away from the need for service accounts. While Windows systems support MSA and gMSA, those may not work on older Windows Server systems and will not work on Linux systems.
24. Your security team has mandated that you need to avoid using service accounts unless absolutely necessary because of the overhead in managing password rotation. You want to deploy the Amazon CloudWatch Logs agent. What could you use to authenticate the agent that is not a service account?
  • A. Active Directory
  • B. AWS IAM
  • C. IAM roles
  • D. There isn’t any option other than a service account.
Answer - C
Explanation - You can use IAM roles to authenticate the Amazon CloudWatch Logs agent instead of a username and password. There is no username or password to manage with this approach, and it is the best solution to solve the need for the Amazon CloudWatch Logs agent while also meeting your security team’s criteria. While IAM roles are created in AWS IAM, AWS IAM is not a granular enough response to satisfy this question. While you can link your Active Directory environment to AWS, this is still not getting away from the need for service accounts. While Windows systems support MSA and gMSA, those may not work on older Windows Server systems and will not work on Linux systems.
25. Your operations center has asked if there is a better way to analyze and visualize the data that has been made available to them with Amazon CloudWatch. What would you recommend?
  • A. Amazon CloudWatch Logs agent
  • B. AWS CloudTrail
  • C. Amazon Redshift
  • D. Amazon CloudWatch Logs Insights
Answer - D
Explanation - Amazon CloudWatch Logs Insights gives you the ability to take the data you have in Amazon CloudWatch and make it more actionable. It aids in the analysis of data and gives the ability to visualize the data more thoroughly. The Amazon CloudWatch Logs agent collects data from inside of the operating system but does not provide the greater analytics and visualization that they are requesting. AWS CloudTrail is not used for analytics; it collects any API-related events. Amazon Redshift is a data warehousing solution, and while it can aid with analytics, it is not a good fit for what the Operations Center has requested.
26. Your security team wants to minimize the amount of metrics that are kept in Amazon CloudWatch. They have asked you to delete the older metrics. How will you accomplish this?
  • A. You can’t delete metrics; they are retained for the life of the account.
  • B. You can’t delete metrics, though metrics do expire according to a schedule.
  • C. Log into the AWS Management Console with your IAM account and delete the metrics.
  • D. Log into the AWS Management Console with the root account and delete the metrics.
Answer - B
Explanation - While you can’t manually delete metrics, they are removed based on a schedule: 1-minute metrics are available for 15 days, 5-minute metrics are available for 63 days, and 1-hour metrics are available for 15 months.
27. You have an application that you need to monitor. As it is critical to the business, you have been asked if you can create a metric that can record data every second. You also need to be able to retrieve it every second. How can you accomplish this?
  • A. Create a custom metric with a fast resolution.
  • B. Create a custom metric with a standard resolution.
  • C. Create a custom metric with a high resolution.
  • D. Create a custom metric with a detailed resolution.
Answer - C
Explanation - You can accomplish this by creating a custom metric with a high resolution. High-resolution custom metrics can get data per second and can be retrieved in intervals of 1, 5, 10, 15, 30, or 60 seconds. Standard resolution is not correct as it gathers data every minute. Fast and detailed resolutions don’t exist. For questions regarding custom metrics, just remember that you can have high or standard resolutions.
28. Your boss has asked you if you can get pre-built metrics at a 1-second sampling rate as you can with your custom metrics. What should your response be?
  • A. Yes, you can use high resolution on pre-built metrics.
  • B. Yes, you can use high resolution on all metrics.
  • C. Yes, you can use standard resolution on all metrics.
  • D. No, you can’t use high resolution for pre-built metrics.
Answer - D
Explanation - Amazon CloudWatch only allows you to use high-resolution metrics when you are using custom metrics.
29. How would you set a custom metric to use high resolution?
  • A. Set MetricResolution to 1 using the PutMetricRequest API.
  • B. Set StorageRetention to 1 using the PutMetricRequest API.
  • C. Set StorageResolution to 1 using the PutMetricRequest API.
  • D. Set MetricRetention to 1 using the PutMetricRequest API.
Answer - C
Explanation - To set a custom metric to use high resolution, you set the StorageResolution parameter to 1 through the PutMetricRequest API. StorageResolution is an optional field; if it is not specified, then standard resolution will be used by default.
30. Your boss wants to use high-resolution metrics because they want to be able to get data every 15 seconds. They are concerned about additional cost from using high-resolution metrics. What should you tell your boss?
  • A. High-resolution metrics are more expensive.
  • B. High-resolution metrics are less expensive.
  • C. High-resolution metrics cost the same as standard.
  • D. You can’t do 15-second periods with high resolution.
Answer - C
Explanation - High-resolution metrics don’t cost any more or any less than standard-resolution metrics. You can do 1-, 5-, 10-, 15-, 30-, and 60-second intervals with high resolution.
31. You have installed the Amazon CloudWatch Logs agent on a set of Amazon EC2 systems. They are sending logs to Amazon CloudWatch every 5 seconds, but you would prefer that happened every 15 seconds instead. What can you do?
  • A. Adjust the Amazon CloudWatch Logs agent to send logs every 15 seconds.
  • B. You can’t adjust the 5-second time; it is the default setting.
  • C. Set Amazon CloudWatch to pull the data every 15 seconds.
  • D. Set AWS CloudTrail to pull the logs every 15 seconds.
Answer - A
Explanation - The Amazon CloudWatch Logs agent default sending time is every 5 seconds; however, this is configurable. So the best solution would be to adjust this timer. The setting change is made to the Amazon CloudWatch Logs agent, not to Amazon CloudWatch itself. AWS CloudTrail is not used for pulling logs; instead it logs API activity.
32. You have begun sending system logs into Amazon CloudWatch. You want to ensure that you see any logs that contain the word error in them. How would you achieve this?
  • A. Statistic filters
  • B. Log filters
  • C. Metric filters
  • D. Error filter
Answer - C
Explanation - Metric filters allow you to define what information a metric will count. In this case, you might create a metric filter that looks for the word error or search IIS logs for server-side errors such as the 500 series of HTTP response codes. The other filters listed are not real; they were made up for this question.
33. You work for a financial institution and you need to parse your log data for account numbers. You have a regex query built that has been used in other solutions. How can you parse your log data for the regex that will find account numbers?
  • A. Amazon CloudWatch Metric Filters
  • B. AWS Management Console
  • C. Amazon CloudWatch
  • D. Amazon Kinesis
Answer - D
Explanation - Amazon Kinesis allows you to connect your log stream and process the logs using the regex that you wanted to search on. Amazon CloudWatch Metric Filters do not support regex. Neither Amazon CloudWatch nor the AWS Management Console give you the ability to search by regex.
34. You have created some high-resolution custom metrics and want to ensure that Amazon CloudWatch will trigger an alarm no more than 10 seconds after an incident occurs. How can this be accomplished?
  • A. Create a high-resolution Amazon CloudWatch alarm.
  • B. Create a standard Amazon CloudWatch alarm.
  • C. Create a detailed Amazon CloudWatch alarm.
  • D. You can’t set an Amazon CloudWatch alarm for under a minute.
Answer - A
Explanation - Amazon CloudWatch allows you to create high-resolution alarms that work with high-resolution custom metrics. These allow you to alert at 10- or 30-second intervals. Standard Amazon CloudWatch alarms do not allow you to alarm under a minute. There is no such thing as a detailed Amazon CloudWatch alarm.
35. You have created an Amazon CloudWatch alarm for your Amazon EC2 instances and it is constantly in the ALARM state. None of your systems are having any issues. How can you resolve the issue?
  • A. Delete the alarm and then re-create it.
  • B. Adjust the threshold that the alarm is set to so that it is no longer breached.
  • C. Reboot the Amazon EC2 instances.
  • D. Install the Amazon CloudWatch Logs agent.
Answer - B
Explanation - Since none of your systems are having issues, you can safely adjust the threshold so that it is no longer breached. This will allow the Amazon CloudWatch alarm to clear and be OK. Deleting and re-creating the alarm won’t help if the thresholds are set the same. While rebooting the instances may help temporarily, it is not a long-term solution. Installing the Amazon CloudWatch Logs agent will not help clear the alarm as Amazon CloudWatch is already receiving data for the alarm in question.
36. Your Operations Center would like to create a dashboard to track Amazon CloudWatch alarms. What would be the best solution?
  • A. Amazon CloudWatch Logs
  • B. AWS CloudTrail
  • C. Amazon EC2 with business analytics software
  • D. Amazon CloudWatch Dashboards
Answer - D
Explanation - Amazon CloudWatch Dashboards will allow your Operations Center people to create their own custom dashboards. Amazon CloudWatch Logs does not give you the ability to create dashboards, and neither does AWS CloudTrail. You could potentially run some business analytics software on an Amazon EC2 instance to do what you need, but it would not be the best solution.
37. You want to view how well your systems and resources in AWS are doing at any point in time. You have systems in multiple regions. How do you get a dashboard-like experience for your availability and performance data?
  • A. You can’t set up a dashboard that can monitor across all regions.
  • B. Use Amazon CloudWatch Dashboards.
  • C. Use Amazon CloudWatch Logs.
  • D. Use an Amazon CloudWatch Logs agent.
Answer - B
Explanation - You can create a dashboard in Amazon CloudWatch Dashboards and monitor all of your systems and resources across all of the regions you are using. Both Amazon CloudWatch Logs and the Amazon CloudWatch Logs agent collect data, but they do not provide dashboards.
38. Your security team has asked you to ensure that API calls are being logged. You know that you can use AWS CloudTrail to accomplish this. What do you need to do next?
  • A. AWS CloudTrail is enabled, but you need to tell it what type of API calls to log.
  • B. AWS CloudTrail is enabled, but you need to configure a trail to start logging API calls.
  • C. Nothing; AWS CloudTrail is enabled and configured by default.
  • D. You need to enable AWS CloudTrail to begin recording API calls.
Answer - C
Explanation - AWS CloudTrail is enabled by default on your account. The default setup will log 90 days’ worth of API calls, though it is limited to logging management events only when the activity includes create, modify, or delete.
39. Your security team has asked you to ensure that all API calls are being logged. You know that you can use AWS CloudTrail to accomplish this. What do you need to do next?
  • A. AWS CloudTrail is enabled, but you need to tell it what type of API calls to log.
  • B. AWS CloudTrail is enabled, but you need to configure a trail to start logging all API calls.
  • C. Nothing; AWS CloudTrail is enabled and configured by default.
  • D. You need to enable
Answer - B
Explanation - By default, AWS CloudTrail only logs management events that had a create, modify, or delete activity. To ensure that you are logging all events as your security team has requested, you will need to create a new trail and set it to gather all events, including management, data, and read-only activities.
40. Your security team wants to ensure that all activity within the AWS Management Console is recorded. What is the best solution that meets this goal?
  • A. AWS Trusted Advisor
  • B. Amazon CloudWatch Logs
  • C. AWS CloudTrail
  • D. Amazon CloudWatch
Answer - C
Explanation - Since all activity in the AWS Management Console calls APIs, all activity within the AWS Management Console is recorded by AWS CloudTrail. AWS Trusted Advisor makes recommendations based on best practices but does not log API calls. Both Amazon CloudWatch and Amazon CloudWatch Logs ingest logs. While Amazon CloudWatch creates alarms off of AWS CloudTrail data, it does not record API activity.
41. You are the system administrator for a rapidly growing company. While you only have resources in one region currently, you know that you will expand into other regions soon. How can you ensure that API calls are captured automatically for any new regions that are added? (Choose two.)
  • A. Select Global from the region drop-down, then create the trail.
  • B. Select the existing region in the trail configuration page.
  • C. Select Yes to apply to all regions in the trail configuration page.
  • D. In the CLI, you set the parameter
  • E. You can’t automatically add new regions to an AWS CloudTrail trail.
Answer - C, D
Explanation - There are two methods you can use to ensure that AWS CloudTrail uses all regions, including new regions that are added. You can select Yes to apply to all of the regions while you are in the trail configuration page, or you can set IsMultiRegionTrail to true if you are using the AWS CLI/SDKs. You can’t select Global from the region drop-down list, though it does appear if you go into a service with account-wide reach like IAM. While you can add the existing region manually, the ask is to ensure that future regions are added to the trail automatically.
42. Your boss wants you to create two separate trails in Amazon CloudWatch, one for management and one for data. Can you create the trails in the way that your boss wants you to?
  • A. Yes, you can create two separate trails and separate management activity from data activity.
  • B. No, you can’t put management and data traffic into separate trails or create multiple trails.
  • C. No, you can’t put management and data traffic into separate trails, though you can create multiple trails.
  • D. No, you can’t create multiple trails, though you can separate management and data activity.
Answer - A
Explanation - As you can create up to five AWS CloudTrail trails in an AWS region, you can certainly create the two that your boss is asking for. Additionally, you can create one for management activity and one for data activity.
43. Your security team has required that you encrypt your AWS CloudTrail log files. What do you need to do to ensure that they are encrypted and only accessible to those who need to review them?
  • A. Nothing; you can’t encrypt AWS CloudTrail log files.
  • B. Nothing; they are encrypted with S3 SSE by default.
  • C. They are encrypted by default using S3 SSE; you can use S3 bucket policies or IAM to control access.
  • D. You need to enable encryption in S3 so that the AWS CloudTrail log files are encrypted.
Answer - C
Explanation - AWS CloudTrail log files are encrypted by default using S3 Server-Side Encryption (SSE). The only thing you would need to do is set up who should have access. This can be done via S3 bucket policies or with IAM.
44. Your security team has made the requirement that controls need to be implemented to prevent accidental deletion of AWS CloudTrail log files. What is the best solution for this?
  • A. Restrict access to the S3 bucket.
  • B. Enable MFA Delete.
  • C. Enable versioning.
  • D. Use lifecycle policies to archive deleted objects.
Answer - B
Explanation - By enabling MFA Delete, you guarantee that items in the S3 bucket can't be accidentally deleted, because an MFA token must be supplied as a second factor of authentication before you are allowed to delete anything. While restricting access to the S3 bucket is certainly a best practice, it won't necessarily prevent people from accidentally deleting log files. Enabling versioning may be helpful, but it will not prevent accidental deletion. Lifecycle policies don't archive deleted objects; they can transition objects to long-term storage like Amazon Glacier or expire (delete) them.
45. Your legal team has asked you to ensure that AWS CloudTrail log files are only retained for 90 days. What can you do to meet their needs?
  • A. You can’t adjust the retention time frame on AWS CloudTrail log files.
  • B. You make the change in AWS CloudTrail to reflect the 90-day rule.
  • C. You make the change in Amazon CloudWatch to reflect the 90-day rule.
  • D. You make a lifecycle rule in S3 to delete log files older than 90 days.
Answer - D
Explanation - The best way to meet the requirements of your legal team is to create a lifecycle rule in S3 that will automatically delete log files that are older than 90 days. You would not make this change in AWS CloudTrail or Amazon CloudWatch.
46. Your developers are checking an AWS CloudTrail log file while troubleshooting their work. They are complaining that API calls they are making are not showing up until 15 minutes later. What can you do to remediate this issue?
  • A. The AWS CloudTrail trail is not configured properly; you need to reconfigure it to log items faster.
  • B. There is nothing to remediate; AWS CloudTrail log files typically get an event around 15 minutes after the API call.
  • C. You should change the timing between the delivery of the event and the occurrence of the event to 5 minutes.
  • D. You should change the timing between the delivery of the event and the occurrence of the event to 1 minute.
Answer - B
Explanation - When an API event occurs, AWS CloudTrail will send that event into the log files within 15 minutes. There is no way to speed up the delivery of the event.
47. You look in your S3 bucket where AWS CloudTrail stores its log files and you notice that there are no log files during the late evening hours. What is the most likely cause for the missing log files?
  • A. There was no API activity during this time frame.
  • B. There was a misconfiguration in AWS CloudTrail.
  • C. You don’t have permissions to view the log files.
  • D. AWS CloudTrail doesn’t have the access it needs to write the log files.
Answer - A
Explanation - The most likely cause of the missing log files is that there was no API activity during that time frame. If AWS CloudTrail were misconfigured, you would not see log files in the Amazon S3 bucket at all. If you didn't have permissions to view the log files, you wouldn't know that some are missing from a specific time frame. If AWS CloudTrail didn't have access to write to the Amazon S3 bucket, you would have no log files at all.
48. Your security team has asked for you to provide a way to validate that AWS CloudTrail log files have not been modified since being placed in the S3 bucket. What can you do to prove that the files have not been changed with the least amount of administrative effort?
  • A. Enable encryption in Amazon S3.
  • B. Create an AWS Lambda function to check the hashes every hour and compare against a database of the original hashes.
  • C. Enable AWS CloudTrail log file integrity validation.
  • D. Manually hash the files and check against known hashes.
Answer - C
Explanation - AWS CloudTrail offers the ability to enable log file integrity validation. This creates a hash value for the log file, which you can validate through the AWS CLI. Enabling encryption in Amazon S3 is a best practice, but it does not validate that the files have not been modified. An AWS Lambda function could be made to do this; however, it would require a fair amount of overhead. Manually hashing the files would work but would result in a lot of administrative overhead.
49. Your security team wants to ensure that AWS resources are built according to the organizational standards that have been set. How can you prove to your security team that your systems are using the desired configurations?
  • A. Use Amazon CloudWatch.
  • B. Use AWS CloudTrail.
  • C. Use AWS Config.
  • D. Use AWS Lambda.
Answer - C
Explanation - AWS Config allows you to evaluate configuration changes against the desired configuration to see if there is a conflict. If a conflict is identified, you can have AWS send a message via Amazon SNS to the security team so they can follow up. While Amazon CloudWatch provides monitoring, it does not monitor for baseline configurations. AWS CloudTrail is used for monitoring API calls, not desired configuration. AWS Lambda is used to run functions when something triggers the function.
50. Your legal department wants to know anytime a configuration change is made on one of their systems. They want to receive a notification when the change is made. How can you ensure that the legal department is aware of any changes made to their server?
  • A. Enable Amazon CloudWatch and create an SNS topic; subscribe them to the topic.
  • B. Enable AWS CloudTrail and create an SNS topic; subscribe them to the topic.
  • C. Enable AWS Config and create an SNS topic; subscribe them to the topic.
  • D. Enable AWS Config and create an SMS topic; subscribe them to the topic.
Answer - C
Explanation - To meet your legal department’s request, you should enable AWS Config, and then create an SNS topic. Subscribe them to the topic and they will get notifications anytime a configuration change is made to their system. Amazon CloudWatch and AWS CloudTrail would not be used for notifying users about configuration changes, though SNS certainly would be. It is tempting to think of SMS as a text message, but in AWS terms, that belongs to another product. Using Amazon SNS will allow you to send text messages and emails.