Amazon Web Services (AWS) - Set #20

Powered by Techhyme.com

You have a total of 130 minutes to finish the practice test of AWS Certified SysOps Administrator to test your knowledge.


1. Which of the following lets you securely run arbitrary commands on a Red Hat EC2 instance in a private subnet without using your own SSH client?
  • A. Telnet
  • B. EC2 Instance Connect
  • C. RDP
  • D. EC2 Console Output
Answer - B
Explanation - EC2 Instance Connect lets you achieve command-line access to an EC2 Linux instance without using your own SSH client. Telnet is insecure.
2. Which of the following services uses SQL?
  • A. EMR
  • B. Redshift
  • C. CloudWatch Log Insights
  • D. Minerva
Answer - B
Explanation - Redshift uses PostgreSQL. EMR uses Hadoop. There’s no service called Minerva.
3. Which EC2 Auto Scaling option requires the least effort to implement?
  • A. Dynamic scaling policies
  • B. Scheduled scaling
  • C. Predictive scaling
  • D. Lifecycle scaling
Answer - C
Explanation - Predictive scaling will automatically scale instances based on the past 14 days’ performance. There’s no such thing as lifecycle scaling.
4. You’re running a dynamic web application on two EC2 instances in different regions. You’re load balancing traffic to the application using Route 53 latency resource records. The CPU utilization on these instances intermittently spikes to nearly 100% and users report a slowdown during this time. Which of the following will offer the most performance improvement?
  • A. Implement Auto Scaling groups.
  • B. Move the instances into the same region.
  • C. Implement an application load balancer.
  • D. Use Route 53 weighted records instead of latency records.
Answer - A
Explanation - Auto Scaling groups will spawn more instances to handle the load. An application load balancer won’t help because the instances are in different regions.
5. Which of the following is true of a launch template?
  • A. It’s versioned.
  • B. It can be used with ECS.
  • C. It can’t be edited.
  • D. You can tag specific versions of a launch template.
  • E. It requires an AMI ID.
Answer - A
Explanation - A launch template is versioned and can be edited. It can’t be used with ECS, and you can’t tag a specific version. A launch template doesn’t require an AMI ID, but if you use it to launch an instance, you must provide an AMI ID at launch time.
6. Which of the following is true of a launch configuration? (Choose two.)
  • A. It’s not versioned.
  • B. It can be used with ECS.
  • C. It can’t be edited.
  • D. It requires an AMI ID.
Answer - C, D
Explanation - A launch configuration requires an AMI ID and can’t be edited.
7. You need to implement a highly available MySQL database in AWS. It must be synchronously backed up. Which of the following Relational Database Service (RDS) options should you choose?
  • A. Automated snapshots
  • B. Multi-AZ
  • C. Amazon Aurora
  • D. Read replica
Answer - B
Explanation - Multi-AZ synchronously replicates data from the primary instance to a standby instance and fails over to the secondary instance if the primary fails. Amazon Aurora doesn’t use MySQL but is MySQL-compatible. A read replica uses asynchronous replication.
8. Which of the following services allows for decoupling application components by reliably passing messages between applications?
  • A. Lambda
  • B. SQS
  • C. Email
  • D. SNS
Answer - B
Explanation - Simple Queue Service (SQS) provides reliable delivery of messages to applications.
9. By default, how long does a sent message remain in an SQS queue?
  • A. It’s deleted immediately.
  • B. 1 day
  • C. 4 days
  • D. 14 days
  • E. 30 days
Answer - C
Explanation - A sent message is deleted automatically after 4 days.
10. What’s the longest a sent message can stay in an SQS queue?
  • A. 1 minute
  • B. 1 day
  • C. 4 days
  • D. 14 days
  • E. 30 days
Answer - D
Explanation - You can configure an SQS queue to retain sent messages for up to 14 days.
11. Which of the following can be used to temporarily store a 1 MB binary file? (Choose two.)
  • A. S3
  • B. DynamoDB
  • C. SQS
  • D. Lambda
  • E. SNS
Answer - A, B
Explanation - S3 and DynamoDB are good options for storing temporary files. SQS can’t store files greater than 256 KB, but it can store a pointer to DynamoDB or S3. Lambda and SNS aren’t storage services.
12. Which of the following should you not use to store session state?
  • A. DynamoDB
  • B. Redis
  • C. ElastiCache
  • D. Memcached
  • E. SQS
Answer - E
Explanation - SQS is for message queuing, not for storing session state. The rest can be used for storing session state.
13. You have two different AWS accounts. In one account you have an instance in the availability zone us-east-1a, while in the other account you have an instance in the AZ us-east-1b. Which of the following is true of this configuration?
  • A. This is a violation of the AWS terms of service.
  • B. The instances are in different physical locations.
  • C. The instances may be in the same physical location.
  • D. The instances may be in different regions.
Answer - C
Explanation - An availability zone name may not map to the same physical location across AWS accounts. To see AZ name to location mappings for an account, use the AWS CLI command aws ec2 describe-availability-zones --region region-name.
14. Using one domain name, you want to direct traffic to a different instance based on the URL path. Which of the following should you use? (Choose two.)
  • A. Network load balancer
  • B. Application load balancer
  • C. Host-based routing
  • D. Path-based routing
Answer - B, D
Explanation - An ALB with path-based routing fits the bill. NLB doesn’t provide path-based routing.
15. A friend who uses AWS for her personal website is reporting that the US-West-1c availability zone is having an EC2 outage. Your company has EC2 instances in the US-West-1c zone but isn’t experiencing any problems. How should you respond to your friend’s report?
  • A. Take no action.
  • B. Migrate your instances to a different zone.
  • C. Create an Auto Scaling group.
  • D. Open a proactive support ticket with AWS.
Answer - A
Explanation - The US-West-1c zone for your friend’s account is probably mapped to a different location than it is for your company’s account. Because there’s no apparent problem in the AZ you’re using, there’s no need to take action. As the saying goes, “If it ain’t broke, don’t fix it.”
16. You want to grant a user in another AWS account access to a file in an S3 bucket. Which of the following should you do?
  • A. Use an IAM policy.
  • B. Disable SSE-S3 encryption.
  • C. Make the file public.
  • D. Use a resource-based policy.
Answer - D
Explanation - Create a bucket policy to grant the user access to the file. There’s no need to make the file public or disable SSE-S3 encryption.
17. You have an EC2 instance running an Apache web server on TCP port 444. A public-facing application load balancer is configured to listen for HTTPS traffic and proxy it to the instance. But when you browse to the load balancer’s endpoint, you get a “gateway timeout” error. Which of the following should you do to resolve this? (Choose two.)
  • A. On the security group attached to the instance, add an inbound rule for HTTPS.
  • B. On the security group attached to the instance, add an inbound rule for TCP port 444.
  • C. On the security group attached to the application load balancer, add an outbound rule for TCP port 444.
  • D. On the security group attached to the application load balancer, add an outbound rule for HTTPS.
Answer - B, C
Explanation - The web server’s security group should allow inbound traffic to TCP port 444. The load balancer needs an outbound rule to permit TCP port 444 traffic to the instance. The presence of the “gateway timeout” error indicates that the load balancer already has an inbound rule for HTTPS, so there’s no need to add one.
18. Which of the following is designed to store long-term credentials?
  • A. IAM
  • B. STS
  • C. Secrets Manager
  • D. KMS
Answer - A
Explanation - IAM is designed to store long-term credentials. STS is for generating short-term credentials. Secrets Manager is designed for storing short-term application secrets such as API keys, which should be rotated regularly. KMS stores encryption keys, not credentials.
19. You have an IAM role to grant specific permissions to DynamoDB. This role is attached to an instance profile. You need to also grant the role permissions to an S3 bucket. Which of the following can you do to accomplish this? (Choose two.)
  • A. Create a bucket policy to grant the role access.
  • B. Add the permissions to the instance profile.
  • C. Create a new IAM role with just the S3 permissions and add it to the instance profile.
  • D. Add the permissions to the IAM role.
Answer - A, D
Explanation - Adding the appropriate permissions to the IAM role is all that’s necessary. Creating a bucket policy and granting the role access would also work. You can’t add permissions directly to an instance profile, only an instance profile role. Creating a new IAM role with just the S3 permissions and attaching it to the instance profile would result in losing the DynamoDB permissions.
20. The KMS custom key store depends on which of the following?
  • A. IAM
  • B. CloudHSM
  • C. VPC
  • D. CloudTrail
Answer - B
Explanation - KMS custom key stores use CloudHSM clusters.
21. Which of the following can you export?
  • A. KMS-generated CMK
  • B. Private TLS certificates from ACM
  • C. Marketplace AMIs
  • D. SSE-S3 key
Answer - B
Explanation - You can export a private TLS certificate from ACM. The rest you can’t export.
22. You’ve created a custom Windows AMI and used it to successfully launch several EC2 instances, but none of the instances show up in AWS Simple Systems Manager inventory. Which of the following could be the reason? (Choose two.)
  • A. The instances are in a private subnet.
  • B. The SSM agent never ran.
  • C. The instances are in a public subnet.
  • D. The instances’ security group has no outbound rules.
  • E. The instances aren’t running.
Answer - B, D
Explanation - The SSM agent must run and have outbound Internet access to check in with SSM.
23. You need to provide a client’s IAM principal with access to an S3 bucket. The client has given you a 64-character string. What else do you need to grant them access?
  • A. ARN
  • B. Account number
  • C. IAM username
  • D. The IAM principal’s access key ID
Answer - A
Explanation - The 64-character string is a canonical user ID, which you can use instead of the account ID to grant the client access. You also need the ARN of the IAM principal.
24. A colleague wants to create a VPC subnet with a CIDR of 10.0.0.0/28. What should you tell them?
  • A. AWS doesn’t allow this CIDR.
  • B. It will give them 11 usable addresses.
  • C. It will give them 10 usable addresses.
  • D. It will give them 16 usable addresses.
  • E. This CIDR will leave room for only one subnet.
Answer - B
Explanation - AWS reserves the first four addresses and the last IP address of a subnet. The range of the CIDR is 10.0.0.0–10.0.0.15 inclusive, or 16 addresses. Subtracting the 5 reserved IP addresses leaves you with 11 usable.
25. You’ve attempted to use your root access key to enumerate some AWS resources using the AWS CLI, but you’re getting an error. Which of the following could be the reason?
  • A. The access key is expired.
  • B. Root access keys are blocked by default.
  • C. The time on your workstation is wrong.
  • D. The root user doesn’t have the proper permissions.
Answer - C
Explanation - The root user has access to all resources, and its access key isn’t blocked by default and doesn’t expire. Having the wrong time on your machine will result in an invalid signature exception.
26. For the next 24 hours you want to monitor a VPC for unusually large volumes of traffic. Which of the following should you do?
  • A. Enable GuardDuty.
  • B. Enable VPC flow logging.
  • C. Enable Inspector.
  • D. Create a CloudWatch alarm to monitor VPC traffic.
Answer - B
Explanation - VPC flow logging is the only option given the short time frame. GuardDuty takes 7–14 days to establish a baseline. Inspector doesn’t monitor VPC traffic. There isn’t a CloudWatch metric that tracks all VPC traffic, so you can’t create such an alarm.
27. You’re running a web service on an EC2 instance. You want Route 53 to return the private IP address of the instance. How can you achieve this?
  • A. Use a private hosted zone.
  • B. Create a simple resource record.
  • C. Create an alias record.
  • D. This isn’t possible.
Answer - B
Explanation - You can create a simple resource record that resolves to the instance’s private IP address. There’s no need to use a private hosted zone. An alias record would return the public IP address of the target resource, which can’t be an EC2 instance.
28. You’re attempting to set up a VPC peering connection between two VPCs, VPC A and VPC B. In VPC A you’ve created the peering connection and configured the route table, NACLs, and security groups to allow access to an ENI in VPC B. Which of the following must you do to get a working VPC peering connection? (Choose two.)
  • A. Create a new peering connection on the VPC B side.
  • B. Accept the peering connection on the VPC B side.
  • C. Create a transit gateway in VPC A.
  • D. Configure the route table, security groups, and NACLs in VPC B.
  • E. Create a transit gateway in VPC B.
Answer - B, D
Explanation - You need to accept the peering connection on VPC B and configure the appropriate routes, NACLs, and security groups. There’s no need to create a transit gateway or create an additional peering connection.
29. A dual-stack Windows application requires IPv4 and IPv6. Which of the following is required to implement this application in a VPC?
  • A. Allocate an IPv6 CIDR for the VPC.
  • B. Place the instance in a public subnet.
  • C. Create an IPv6 gateway.
  • D. IPv6 isn’t supported for Windows instances.
Answer - A
Explanation - You need to allocate an IPv6 CIDR for the VPC to use IPv6. There’s no need to put the instance in a public subnet. There’s no such thing as an IPv6 gateway in AWS. Internet gateways support IPv6. An IPv6 egress-only gateway allows only outbound IPv6 traffic to the Internet.
30. Which of the following does Direct Connect provide?
  • A. Reduced jitter
  • B. Packet capture
  • C. Encryption
  • D. Authentication
Answer - A
Explanation - Direct Connect provides consistent latency, also known as low jitter. It doesn’t provide encryption, authentication, or packet capture facilities.
31. Which of the following elastic load balancing features can result in an uneven distribution of traffic to instances?
  • A. Session stickiness
  • B. Cross-zone load balancing
  • C. SSL offload
  • D. Path-based routing
Answer - A, D
Explanation - Session stickiness and path-based routing can result in an uneven distribution of traffic to instances. Cross-zone load balancing attempts to evenly distribute traffic to instances across availability zones.
32. You have an EC2 instance with an elastic IP address associated with it. IPv6 is enabled in the instance’s public subnet. How can you ensure that hosts on the Internet are able to reach the instance via IPv6?
  • A. Disable IPv4 on the instance.
  • B. Assign a global unicast IPv6 address to the instance.
  • C. Allocate and associate an elastic IPv6 address to the instance.
  • D. Create an egress-only Internet gateway.
Answer - B
Explanation - An instance must have a global unicast IPv6 address in order to be reachable via IPv6. You can’t disable IPv4 on an instance, in a subnet, or in a VPC. There’s no such thing as an elastic IPv6 address. An egress-only Internet gateway is essentially a NAT gateway for IPv6.
33. Which of the following VPC attributes determines whether the Amazon DNS server is enabled?
  • A. enableDnsSupport
  • B. enableDnsHostnames
  • C. enableDnsResolution
  • D. enableDns
Answer - A
Explanation - If enableDnsSupport is enabled, the Amazon DNS server is enabled. If enableDnsHostnames is set to true, then instances with a public IP address will receive a public DNS hostname. The other two options aren’t valid.
34. You suspect unauthorized SSH access to an EC2 instance. How can you immediately shut down all SSH access to the instance without affecting other instances in the same subnet?
  • A. Shut down the instance.
  • B. Modify the instance’s security group to remove the rule allowing SSH access.
  • C. Create an inbound NACL rule to deny SSH access to the instance’s private IP address.
  • D. Create an inbound NACL rule to deny SSH access to the instance’s public IP address.
Answer - B
Explanation - Removing the rule allowing inbound SSH access will shut down any existing SSH sessions and prevent more. Inbound NACL rules don’t allow you to specify a destination, only a source. Shutting down the instance may affect other instances.
35. Which of the following does the URL https://d123456abcdef7.cloudfront.net indicate?
  • A. An elastic load balancer
  • B. A CloudFlare distribution
  • C. An HTTP distribution
  • D. An RTMP distribution
Answer - C
Explanation - The URL begins with https:// and the domain name begins with d, indicating a CloudFront HTTP distribution. RTMP distribution URLs begin with rtmp://.
36. Which of the following cannot be a CloudFront origin?
  • A. A public S3 bucket configured for static website hosting
  • B. An elastic load balancer
  • C. A public web server
  • D. A Lambda function
Answer - D
Explanation - A Lambda function can’t be a CloudFront origin. The other options can.
37. You have an EC2 instance with a private and public IP address. You want to add this instance as a target to a network load balancer target group in the same VPC. How can you do this?
  • A. Add the instance’s private IP address to the target group.
  • B. Add the instance’s public IP address to the target group.
  • C. Create a VPN connection.
  • D. Create an elastic IP address for the instance.
Answer - A
Explanation - Adding the instance’s private IP address to the target group is sufficient. You can’t add a public IP address to an NLB target group. There’s no need to create a VPN since the NLB and instance are already in the same VPC.
38. When browsing to the public URL of an application load balancer, users receive a “503 Service Unavailable” error. The target group contains only EC2 instances. What could this indicate?
  • A. The target instance didn’t accept the connection from the load balancer.
  • B. The target instance closed the connection from the load balancer.
  • C. There are no healthy instances.
  • D. The users are unable to connect to the application load balancer.
Answer - C
Explanation - The “503 Service Unavailable” error can indicate that there are no healthy or registered instances. Since there are registered instances, the most likely explanation is that all the instances are unhealthy.
39. You want to use CloudWatch to find the average CPU utilization for an instance over a 30-minute period. The metric is updated every 5 minutes. Which statistic and period should you use?
  • A. The Average statistic with a 5-minute period
  • B. The Sample Count statistic with a 6-minute period
  • C. The p50 statistic with a 30-minute period
  • D. The Average statistic with a 30-minute period
  • E. The Average statistic with a 6-minute period
Answer - D
Explanation - The Average statistic with a 30-minute period will average all the values over the period.
40. You’re running a relational database on an EC2 instance backed by an EBS io1 volume. As the frequency of writes to the database has increased, database performance has declined. Which of the following configuration parameters should you adjust to improve performance?
  • A. Reduce the frequency of snapshots.
  • B. Decrease the volume queue length.
  • C. Increase the number of provisioned IOPS.
  • D. Increase the disk size.
Answer - C
Explanation - Increasing the number of provisioned IOPS will reduce the volume queue length, which is a metric, not a configuration parameter. The number of snapshots doesn’t impact EBS performance because snapshots are stored in S3. Increasing the disk size won’t change the number of provisioned IOPS.
41. Which of the following protocols does EFS use?
  • A. CIFS
  • B. SMB
  • C. NetBIOS
  • D. NFS
  • E. FSx
Answer - D
Explanation - EFS uses the Network File System (NFS) protocol. FSx isn’t a protocol but an AWS service.
42. On which type of gateway does AWS Storage Gateway allow you to use iSCSI?
  • A. Volume Gateway
  • B. File Gateway
  • C. Tape Gateway
  • D. Block Gateway
Answer - A
Explanation - The Volume Gateway lets you mount volumes using iSCSI.
43. On which type of gateway does AWS Storage Gateway allow you to use NFS?
  • A. Volume Gateway
  • B. File Gateway
  • C. Tape Gateway
  • D. Block Gateway
Answer - B
Explanation - The File Gateway lets you mount file shares using NFS.
44. Which of the following is required to enable MFA Delete?
  • A. An EBS volume
  • B. S3 object versioning
  • C. A bucket policy
  • D. A hardware token
Answer - C
Explanation - You must enable MFA Delete using a bucket policy. You don’t have to turn on versioning, but doing so adds an extra layer of protection by retaining “deleted” object versions. A hardware token isn’t required since you can use a virtual software token as well.
45. You want to create a custom AMI based on an AMI from the AWS Marketplace. How can you do this? (Choose two.)
  • A. Download the AMI.
  • B. Launch an instance from the AMI.
  • C. Copy the AMI.
  • D. Take a snapshot of the instance.
  • E. Take a snapshot of the AMI.
Answer - B, D
Explanation - You can launch an instance from the AMI, make the needed customizations, and then take a snapshot of the instance. You can then create an AMI from the snapshot.
46. Which of the following can launch the SBE EC2 instance types from an AMI?
  • A. Fargate
  • B. Snowball Edge
  • C. ECS
  • D. There is no such thing as the SBE instance type.
Answer - B
Explanation - There is such a thing as the SBE instance type, and the Snowball Edge appliance can launch these instances from an AMI.
47. An SSE-C encrypted object named file.txt exists in an S3 bucket on which versioning is enabled. What will happen if you try to delete this object?
  • A. S3 will create a delete marker.
  • B. S3 will create a delete marker only if you provide the encryption key.
  • C. S3 will delete the object.
  • D. S3 will delete the object only if you provide the encryption key.
  • E. S3 will neither delete the object nor create a delete marker.
Answer - A
Explanation - Because versioning is enabled, S3 will only create a delete marker. There’s no need to specify the encryption key to delete an object version.
48. What happens when you delete a delete marker from a versioned S3 object?
  • A. This isn’t possible.
  • B. It disables versioning.
  • C. The object is deleted.
  • D. The object reappears.
Answer - D
Explanation - A delete marker causes the object to disappear from the bucket. Deleting the delete marker causes the object to reappear. Strange but true!
49. Which Glacier retrieval option lets you access data in less than 5 minutes?
  • A. Defrost
  • B. Expedited
  • C. Icepick
  • D. Emergency
  • E. Bulk
Answer - B
Explanation - The Expedited option lets you access data in 1–5 minutes. Bulk retrieval takes 5–12 hours. The others aren’t valid options.
50. Where does AWS Storage Gateway permanently store data?
  • A. NFS vaults
  • B. EBS
  • C. Local volumes
  • D. S3 buckets
Answer - D
Explanation - AWS Storage Gateway permanently stores data in S3 buckets. It can use local volumes for temporary storage.