Amazon Web Services (AWS) - Set #3

Powered by Techhyme.com

You have a total of 130 minutes to finish the practice test of AWS Certified SysOps Administrator to test your knowledge.


1. One of your critical applications just suffered an outage. It is suspected that a change caused the outage but there is no scheduled change in your change management calendar. How can you figure out who made the change and what the change was?
  • A. Use Amazon CloudWatch to check for events that happened around the time of the outage.
  • B. Use AWS CloudTrail to look at any of the API calls made around the time that it is believed the change occurred to see who made the change and what the change was.
  • C. Set up AWS Config to send a message to an SNS topic when any config changes are made.
  • D. Use AWS Config to view the configuration history of the resource that suffered the outage and AWS CloudTrail to see who made the change.
Answer - D
Explanation - The best solution to this would be to use AWS Config to view the configuration history of the resource that suffered the outage and use AWS CloudTrail to see who made the change. Amazon CloudWatch would not be a good solution for this case. You may get information once the outage occurred, but Amazon CloudWatch is not monitoring for configuration changes. While you could use AWS CloudTrail to look for the events that led up to the outage, you will have a lot of noise that you will need to sort through to find the relevant records. AWS Config can certainly send messages anytime a configuration change is made, but this could end up being noisy. If it wasn’t set up prior to this event occurring, you won’t have any emails related to the incident.
2. You are the system administrator in charge of your organization’s AWS resources. You work for a hospital and have been asked by the internal audit team for a report that proves that you have implemented the proper controls to maintain HIPAA compliance. How can you do this within AWS?
  • A. Create rules that evaluate your systems for the desired controls in AWS Config.
  • B. Use AWS CloudTrail to check for inappropriate API calls.
  • C. Use Amazon CloudWatch to monitor for compliance.
  • D. There is no automated tool; you must do it all manually.
Answer - A
Explanation - You can create rules in AWS Config that look for things like unsecured port numbers, etc. You can then create a report based on the outcome of those rules. AWS CloudTrail would not be a good solution as you would have to know exactly what to look for. Amazon CloudWatch does not monitor for compliance; it monitors for availability and performance metrics.
3. You are the system administrator for your organization in charge of its AWS infrastructure. You have configured the desired configurations for your systems. You want to ensure that systems are never out of compliance. Can you prevent users from making changes with AWS Config?
  • A. Yes, select the Enforce option when you set up AWS Config.
  • B. Yes, it does it automatically without any further interaction.
  • C. No, AWS Config is only able to monitor configurations, not change them.
  • D. No, AWS Config doesn’t monitor configuration drift.
Answer - C
Explanation - AWS Config can measure for configuration drift and alert you to changes; however, it can’t prevent changes, nor can it change settings back. There is no Enforce option when you set up AWS Config. AWS Config doesn’t automatically revert settings; it can only alert that a change has occurred that has taken the system out of compliance with the desired configuration.
4. You have multiple accounts under AWS Organizations. You want to combine the results of AWS Config under AWS Organizations. How can you do this?
  • A. Create an aggregator in one of the regions that you want to monitor.
  • B. Create an aggregator in AWS Organizations.
  • C. You can’t view the AWS Config data from multiple regions, though you can view it for multiple regions.
  • D. You can’t view the AWS Config data from multiple regions or accounts in one area.
Answer - B
Explanation - AWS Config has the ability to work using multi-account, multi-region data aggregation. To view the data in AWS Organizations, you will need to create the aggregator in AWS Organizations. While you can create an aggregator in one of the regions you are using, the question asked if you can create it in AWS Organizations.
5. You have multiple accounts under AWS Organizations. You want to combine the results of AWS Config under one of the regions that most of your resources reside in. How can you do this?
  • A. Create an aggregator in one of the regions that you want to monitor.
  • B. Create an aggregator in AWS Organizations.
  • C. You can’t view the AWS Config data from multiple regions, though you can view it for multiple regions.
  • D. You can’t view the AWS Config data from multiple regions or accounts in one area.
Answer - A
Explanation - AWS Config has the ability to work using multi-account, multi-region data aggregation. Since you want to combine the results of AWS Config from several regions into the region that has the majority of your resources, you should create the aggregator in the region where you want to combine results. You would not create the aggregator in AWS Organizations as you want to view the combined data in one of your regions, not from your AWS Organizations console.
6. You want to ensure that AWS Config is enabled for all three regions that your organization is using. How would you enable AWS Config for all three regions?
  • A. It is automatically enabled for all regions.
  • B. You need to enable it once for all regions.
  • C. You need to enable it once per region.
  • D. You can’t use AWS Config for that many regions.
Answer - C
Explanation - AWS Config is not enabled by default. You need to enable it once per region for any region you want to have monitored.
7. Your security team has asked you to make sure that any changes to the desired configurations in AWS Config are monitored so that they know who made the change. Which product can be used to achieve this request?
  • A. AWS Config
  • B. Amazon CloudWatch
  • C. AWS CloudTrail
  • D. AWS IAM
Answer - C
Explanation - Since changes made in AWS Config are API calls, AWS CloudTrail will log all changes that are made to AWS Config. Amazon CloudWatch would not monitor API calls; it monitors performance and availability metrics. AWS IAM does not monitor API calls.
8. You currently have 145 individual AWS Config rules built for your organization’s environment. You need to make 10 more rules for new criteria that your legal team wants you to monitor for. Will you be able to create 10 more rules?
  • A. Yes, you can create unlimited rules.
  • B. Yes, but you will need to request an increase on the limit from AWS.
  • C. No, because you can’t have more than 150 rules.
  • D. No, because you can’t add more rules.
Answer - B
Explanation - With AWS Config, you are limited to 150 rules. If you need more than 150 rules, then you need to contact AWS to increase the number of rules allowed on your account. Once the increase has been completed, you will be able to create the necessary rules.
9. Your boss wants you to set up a periodic rule in AWS Config, and they want it to run every 6 hours. How should you respond to this request?
  • A. Set up the periodic rule for 3 hours because you can’t set it to 6.
  • B. Set up the periodic rule to run every 6 hours.
  • C. Set up the periodic rule to run every 12 hours because you can’t set it to 6.
  • D. Tell your boss that AWS Config can only do change-triggered rules.
Answer - B
Explanation - You can set periodic rules to run every 1, 3, 6, 12, or 24 hours. So your response should be to set up the rule to run every 6 hours.
10. You are not using AWS Organizations, but you want to aggregate your AWS Config data from all of your other accounts. Besides setting up AWS Config and the aggregator, what else do you need to do?
  • A. There is nothing else to set up; once the aggregator is created it will work.
  • B. Create a role and assign it to the aggregator account.
  • C. Add an AWS IAM account for the aggregator to use in each individual AWS account.
  • D. Authorize the aggregator account in each individual AWS account.
Answer - D
Explanation - You will need to authorize the aggregator account in AWS Config so that it can be used to gather data from AWS Config and return it to the aggregator in the other account that you created. AWS Config will not be able to gather information from your other AWS accounts until it has been authorized. Creating a role does not authorize the aggregator account to do what it needs to do. Adding a new AWS IAM account into each AWS account does not provide authorization.
11. A resource has been reported as noncompliant by AWS Config and a notification has been sent. When the rules are run again, the resource is still noncompliant, but you didn’t get a notification. Why is this?
  • A. AWS Config is having a service outage.
  • B. AWS Config is misconfigured so it is not sending messages properly.
  • C. This behavior is by design; notifications are sent when the status changes.
  • D. You will only get one notification when it fails.
Answer - C
Explanation - AWS Config sends notification when the status on an object changes. Since the resource was already reported as noncompliant, you will not get another notification until it is compliant. It would be highly unlikely that AWS Config is experiencing an outage. If AWS Config was misconfigured, you would not have received the first notification at all.
12. You have AWS Config configured in your AWS account. You have added a security group to an Amazon EC2 instance. Which resources will have changes recorded in AWS Config?
  • A. Amazon EC2 instance
  • B. The security group
  • C. Primary resource and related resources
  • D. All of these
Answer - D
Explanation - When you add a security group to an Amazon EC2 instance, AWS Config records changes for the Amazon EC2 instance, the security group, primary resources, and related resources.
13. Your Operations Center team would like to know what kinds of things AWS Config can record. What should you include in your response?
  • A. All of the following options
  • B. OS patches
  • C. Application installations
  • D. Network configurations
Answer - A
Explanation - You can tell your Operations Center team that AWS Config can record OS patches, application installations, network configurations, and really any change that is made to the systems.
14. Which account is used in AWS Organizations to create an organization, invite new AWS accounts, and remove AWS accounts?
  • A. root
  • B. master
  • C. An IAM user with sufficient access
  • D. A shared access key
Answer - B
Explanation - The master account is the one used to create the organization as well as invite or remove other AWS accounts. The root account is the most privileged user in an AWS account but not in AWS Organizations. An IAM user would not be able to create an organization or add/remove AWS accounts. A shared access key is used to log in through the CLI, not into the AWS Management Console where you set up AWS Organizations.
15. You have a new person in Accounting who is in charge of paying for your AWS account charges. They have asked you if there is a way to see what the charges are so far. Where should you tell them to go?
  • A. AWS Budgets
  • B. AWS Management Console
  • C. AWS Billing and Cost Management Dashboard
  • D. AWS Trusted Advisor
Answer - C
Explanation - The AWS Billing and Cost Management Dashboard will allow them to monitor what the current spend is now and even sort by service. AWS Budgets is good for setting alerts when you exceed a specified amount. The AWS Management Console does not contain the current spend, though it does provide a shortcut to get to the AWS Billing and Cost Management Dashboard. AWS Trusted Advisor gives you recommendations in several areas but does not track your spend.
16. You have been asked by your manager to create a report that will forecast how much AWS is going to cost your organization over the next three months. You have been using AWS for six months. Which tool will provide this information?
  • A. AWS Organizations
  • B. AWS Trusted Advisor
  • C. AWS Budgets
  • D. Cost Explorer
Answer - D
Explanation - Cost Explorer allows you to get a forecast of your likely usage and cost for the next three months based on current and previous usage. AWS Organizations will not give you the forecasting you are looking for. AWS Trusted Advisor makes recommendations based on the Well Architected Framework, but it does not provide cost/usage forecasting. AWS Budgets allows you to define alarms that will let you know if you exceed a set amount.
17. Your accounting department likes the view that the Billing and Cost Management Dashboard gives them, but they don’t want to have to go to each individual AWS account to view billing for the entire organization. What should you implement to allow them to view billing for the entire organization?
  • A. AWS Trusted Advisor
  • B. AWS Organizations
  • C. AWS Management Console
  • D. AWS Budgets
Answer - B
Explanation - AWS Organizations allows your accounting department to view billing and cost information for all of the AWS accounts in your organization. While AWS Trusted Advisor can give recommendations regarding cost savings and cost optimization, it does not provide a central area to view billing and usage. The AWS Management Console gives you shortcuts to set up AWS Organizations but does not offer the central view of billing that AWS Organizations does. AWS Budgets is used to set a budget so that you can get alerts if it looks like you will go over budget.
18. Your boss wants to view the current amount due on your AWS account. Where should you tell your boss to look?
  • A. AWS Management Console
  • B. AWS Trusted Advisor
  • C. AWS Budgets
  • D. AWS Cost Explorer
Answer - D
Explanation - AWS Cost Explorer monitors the current amount due on your AWS account. AWS Management Console provides a shortcut to AWS Cost Explorer but does not provide the information you are looking for. AWS Trusted Advisor can make recommendations to optimize cost, but it does not give you the current or forecasted amounts due. AWS Budgets allows you to set a desired spend amount and notifications if you are in danger of exceeding the desired spend amount.
19. Your boss wants to view the forecasted amount due on your AWS account. Where should you tell your boss to look?
  • A. AWS Cost Explorer
  • B. AWS Trusted Advisor
  • C. AWS Management Console
  • D. AWS Budgets
Answer - A
Explanation - AWS Cost Explorer monitors the current amount due on your AWS account. AWS Management Console provides a shortcut to AWS Cost Explorer, but it does not provide the information you are looking for. AWS Trusted Advisor can make recommendations to optimize cost, but it does not give you the current or forecasted amounts due. AWS Budgets allows you to set a desired spend amount and notifications if you are in danger of exceeding the desired spend amount.
20. Your accounting department wants to know if there are ways to save on costs for EC2 instances. When they view the Reservation Recommendations screen in AWS Cost Explorer, they get a message saying that there are no recommendations available at this time. What is a possible cause of this error?
  • A. You are using instance types that can’t be set as reserved instances.
  • B. Your instances haven’t run long enough to generate recommendations.
  • C. They don’t have permissions to view cost and budget items.
  • D. You are using instance sizes that can’t be used with reserved instances.
Answer - B
Explanation - In the Reservation Recommendations screen of AWS Cost Explorer, you will get a message stating there are no purchase recommendations if your instances haven’t been running long enough. All instance types/sizes can be converted to reserved instances. If the accounting department didn’t have appropriate permissions, they would get an Access Denied error.
21. Which services does AWS Trusted Advisor not provide?
  • A. Cost savings recommendations
  • B. Performance recommendations
  • C. Security recommendations
  • D. Alarms for going over budget
Answer - D
Explanation - AWS Trusted Advisor provides recommendations on cost savings, performance, and security, but does not provide alarms for going over budget. AWS Budgets provides the capability to set billing alarms and notifications based on those alarms.
22. You want to use AWS Trusted Advisor to monitor how well you are setting things up in your organization’s AWS account. When you log in, you are disappointed to see only seven checks. How can you get access to all of the checks within AWS Trusted Advisor? (Choose two.)
  • A. Upgrade to Developer-level support.
  • B. Upgrade to Enterprise-level support.
  • C. Upgrade to Teams-level support.
  • D. You can’t upgrade; there are only seven checks.
  • E. Upgrade to Business-level support.
Answer - B, E
Explanation - With the free support plan, you get access to seven basic checks, which AWS refers to as core checks. If you need access to all of the checks available in AWS Trusted Advisor, then you will need to upgrade your support plan to Business or Enterprise level. The Developer support plan only includes the seven basic checks just like the Basic support plan. Teams-level support was made up for this question.
23. Which of the following is a category that AWS Trusted Advisor checks?
  • A. Security
  • B. Cost monitoring
  • C. Budgeting
  • D. System vulnerabilities
Answer - A
Explanation - This one comes down to memorization: AWS Trusted Advisor checks for cost optimization, security, service limits, fault tolerance, and performance.
24. Which of the following is a category that AWS Trusted Advisor checks?
  • A. Network intrusions
  • B. Application configurations
  • C. Service limits
  • D. Conflicting security groups and NACLs
Answer - C
Explanation - This one comes down to memorization: AWS Trusted Advisor checks for cost optimization, security, service limits, fault tolerance, and performance.
25. Which of the following is a category that AWS Trusted Advisor checks?
  • A. Vulnerability scanning
  • B. Budgeting
  • C. Cost reporting
  • D. Performance
Answer - D
Explanation - This one comes down to memorization: AWS Trusted Advisor checks for cost optimization, security, service limits, fault tolerance, and performance.
26. Which of the following is a category that AWS Trusted Advisor checks?
  • A. Network intrusions
  • B. Cost optimization
  • C. Security scans
  • D. Cost budgeting
Answer - B
Explanation - This one comes down to memorization: AWS Trusted Advisor checks for cost optimization, security, service limits, fault tolerance, and performance.
27. Which of the following is a category that AWS Trusted Advisor checks?
  • A. IOPS optimization
  • B. Budgeting
  • C. Fault tolerance
  • D. Available IP space
Answer - C
Explanation - This one comes down to memorization: AWS Trusted Advisor checks for cost optimization, security, service limits, fault tolerance, and performance.
28. Trusted Advisor continuously alerts on one of your resources and your boss has asked you to ensure that AWS Trusted Advisor no longer alerts on that resource. How can you accomplish this?
  • A. Add an exclusion for reporting the resource at the resource level.
  • B. Add an exclusion for reporting the resource at the check level.
  • C. Add an exclusion for reporting the resource in Amazon CloudWatch.
  • D. There is no way to disable the alerts from occurring in AWS Trusted Advisor.
Answer - A
Explanation - To keep a resource from being reported in AWS Trusted Advisor, you can add an exclusion for reporting the resource at the resource level. You can’t do exclusions at the check level. Exclusions for AWS Trusted Advisor are not made in Amazon CloudWatch.
29. You have remediated an issue that was being reported by AWS Trusted Advisor. You have hit refresh multiple times in the past minute but nothing has changed. What is the most likely cause?
  • A. You did not properly remediate the issue that AWS Trusted Advisor was reporting.
  • B. You have to wait for 15 minutes to refresh a check from the last time it was checked.
  • C. You have to wait for 10 minutes to refresh a check from the last time it was checked.
  • D. You have to wait for 5 minutes to refresh a check from the last time it was checked.
Answer - D
Explanation - You have to wait for 5 minutes to refresh a check from the last time it was checked. It has probably not been 5 minutes since the last refresh, so you will need to wait.
30. You try to create an elastic IP address and you get a message that states that your service limit has been reached. Where can you go to verify that this is the case?
  • A. Amazon CloudWatch
  • B. AWS Trusted Advisor
  • C. AWS CloudTrail
  • D. AWS Config
Answer - B
Explanation - AWS Trusted Advisor provides checks on service limits. From AWS Trusted Advisor, you can see which service limits you are approaching and which ones you have met. Amazon CloudWatch, AWS CloudTrail, and AWS Config would not provide the service limit information you require.
31. You try to create an elastic IP address and you get a message that states that your service limit has been reached. You have verified in AWS Trusted Advisor that the service limit has indeed been reached. How can you resolve the issue? (Choose two.)
  • A. Increase your service limits from the AWS Management Console.
  • B. Increase your service limits from the AWS CLI.
  • C. Contact AWS to request a service limit increase.
  • D. Deprovision old resources to free up unused elastic IP addresses.
  • E. Increase your service limits from the AWS SDK.
Answer - C, D
Explanation - You have two options here. You can either deprovision old resources and reclaim some of your elastic IP addresses, or if that isn’t an option, you can contact AWS and ask for a service limit increase. You can’t increase service limits on your own from the AWS Management Console, CLI, or SDK.
32. Your organization’s accounting department is looking at reservation recommendations but is not seeing any. You use spot instances to support batch jobs that can be easily interrupted. How can you explain to your accounting department why they are not seeing any recommendations?
  • A. AWS Trusted Advisor uses on-demand rates to calculate savings with reserved instances.
  • B. Spot instances aren’t up long enough to generate recommendations in AWS Trusted Advisor.
  • C. Spot instances don’t show up in AWS Trusted Advisor.
  • D. The accounting department doesn’t have permissions to view the reserved instance recommendations.
Answer - A
Explanation - AWS Trusted Advisor uses on-demand rates to calculate savings with reserved instances. This makes sense when you take into account the constant price fluctuation with the spot instance market. AWS Trusted Advisor analyzes a month of activity, so spot instances will show up at the end of the month.
33. Your security department wants an easy way to monitor the overall security posture of your AWS environment. Which tool should you recommend to them?
  • A. AWS WAF
  • B. AWS Systems Manager
  • C. Amazon Inspector
  • D. Amazon GuardDuty
Answer - C
Explanation - Amazon Inspector allows you to run security assessments against your resources in AWS. AWS WAF protects web applications, AWS Systems Manager provides patching and baselining services, and Amazon GuardDuty looks for malicious traffic on your network.
34. Your security department wants to know which processes are running on open ports. How can you give them this information? (Choose two.)
  • A. Run a scan from Amazon Inspector.
  • B. Run a scan with Amazon GuardDuty.
  • C. Use AWS WAF.
  • D. Install the Amazon Inspector agent.
Answer - A, D
Explanation - While you can capture open network ports with the agentless scan from Amazon Inspector, you need to install the agent if you want to know which processes are running on the open ports. Amazon GuardDuty analyzes network traffic for malicious activity, and AWS WAF protects web applications.
35. Your security department has asked you for a report that includes how well your systems are lining up with CIS benchmarks. How can you provide them with this report?
  • A. Use Amazon Inspector to run an assessment template that contains the CIS rules package desired.
  • B. Use AWS Config to run an assessment template that contains the CIS rules package desired.
  • C. Use AWS Systems Manager to run an assessment template that contains the CIS rules package desired.
  • D. You can’t; there isn’t a report like this.
Answer - A
Explanation - To provide your security team with the report they are wanting, you will need to create or choose an assessment template and ensure that it contains the CIS rules package you are wanting to test your systems against. AWS Config and AWS Systems Manager don’t provide a report like this.
36. You have just begun using Amazon Inspector to analyze your systems. You get a call stating that Amazon Inspector is causing performance impacts; however, you do not have the agent installed, and you don’t currently have an assessment running. What should your response be?
  • A. Amazon Inspector couldn’t be the cause since you are not currently scanning the environment.
  • B. Amazon Inspector is probably the issue because the agentless configuration is known to cause performance impacts.
  • C. Amazon Inspector is not likely to be the cause of the performance issue as the agentless configuration is not supposed to cause performance issues.
  • D. Amazon Inspector is the cause of the performance issue as the agentless configuration has been known to cause performance issues.
Answer - C
Explanation - Amazon Inspector is not the cause of the performance issue as the agentless configuration does not cause performance issues. According to AWS, there is a minimal hit to performance if the agent is installed. Amazon Inspector not scanning might have seemed like a good fit; this is where you need to remember that the agent install can cause a small impact to performance. That wouldn’t necessarily require an active scan to be occurring.
37. You have been asked to create your own rules packages for Amazon Inspector assessment templates to use. How do you create a rules package?
  • A. You can’t create rules packages.
  • B. Create the rules package inside of the Amazon Inspector Dashboard.
  • C. Create the rules package inside of the AWS Config Dashboard.
  • D. Create the rules package inside of the AWS Systems Manager Dashboard.
Answer - A
Explanation - Only the rules provided by AWS are allowed to be used for assessment runs, so you can’t create rules packages.
38. You have been asked to scan your application servers for a vulnerable version of software. The software was installed using Ansible. When you look at the scan, you don’t see the application listed. What is the most likely cause?
  • A. Ansible is not supported for use in AWS.
  • B. Amazon Inspector can only find applications installed by the operating system’s package manager.
  • C. The application is not supported in Amazon Inspector.
  • D. Amazon Inspector can’t tell you application version numbers.
Answer - B
Explanation - Amazon Inspector can only find applications installed by the operating system’s package manager. It can’t find applications installed by automation software like Chef, Puppet, or Ansible.
39. You have been asked to provide a basic report based on the findings of Amazon Inspector for the executives of your organization. What type of report should you run from Amazon Inspector?
  • A. Full report
  • B. Executive report
  • C. Findings report
  • D. Basic report
Answer - C
Explanation - The findings report is a high-level report containing an executive summary of the findings from the scan. A full report is a detailed report that is perfect for IT and InfoSec teams. Executive reports and basic reports don’t actually exist.
40. You have been asked to provide a detailed report based on the findings of Amazon Inspector for the members of the security team in your organization. What type of report should you run from Amazon Inspector?
  • A. Full report
  • B. Executive report
  • C. Findings report
  • D. Basic report
Answer - A
Explanation - A full report is a detailed report that is perfect for IT and InfoSec teams. The findings report is a high-level report containing an executive summary of the findings from the scan. Executive reports and basic reports don’t actually exist.
41. Your security team has come to you and asked if AWS has a solution that will allow them to monitor network traffic for threats. How should you respond?
  • A. Yes, Amazon GuardDuty.
  • B. Yes, Amazon Inspector.
  • C. Yes, but it’s only available via a third party.
  • D. No, there is no built-in way to do this.
Answer - A
Explanation - Amazon GuardDuty allows you to monitor for threats by analyzing AWS CloudTrail events, VPC Flow Logs, and DNS logs. Amazon Inspector allows you to do security assessments against your infrastructure.
42. Which AWS service identifies threats throughout your AWS account by analyzing VPC Flow Logs, DNS logs, and CloudTrail events?
  • A. Amazon CloudWatch
  • B. Amazon Inspector
  • C. Amazon GuardDuty
  • D. Amazon Macie
Answer - C
Explanation - Amazon GuardDuty allows you to monitor for threats by analyzing AWS CloudTrail events, VPC Flow Logs, and DNS logs. Amazon CloudWatch allows you to monitor logs from all of your AWS resources, Amazon Inspector allows you to do security assessments against your infrastructure, and Amazon Macie classifies data in S3 and applies behavioral analysis.
43. Which AWS service classifies data in S3 and catalogs the normal behaviors from users who are accessing that data?
  • A. Amazon CloudWatch
  • B. Amazon Inspector
  • C. Amazon GuardDuty
  • D. Amazon Macie
Answer - D
Explanation - Amazon Macie classifies data in S3 and catalogs the normal behaviors from users who are accessing that data. Amazon GuardDuty allows you to monitor for threats by analyzing AWS CloudTrail events, VPC Flow Logs, and DNS logs. Amazon CloudWatch allows you to monitor logs from all of your AWS resources, and Amazon Inspector allows you to do security assessments against your infrastructure.
44. Which of these is not something that Amazon GuardDuty monitors for?
  • A. Instance compromise
  • B. Account compromise
  • C. Reconnaissance activity
  • D. DDoS
Answer - D
Explanation - Amazon GuardDuty monitors for reconnaissance activity and account and instance compromise. It does not monitor for events like a DDoS attack.
45. Your security team wants to be notified when Amazon GuardDuty finds a threat on the network. Which products can be used with Amazon GuardDuty to send them alerts? (Choose two.)
  • A. Amazon CloudWatch Logs
  • B. Amazon CloudWatch Events
  • C. Amazon SNS
  • D. Amazon SQS
  • E. Amazon Inspector
Answer - B, C
Explanation - Amazon GuardDuty sends detailed security alerts to Amazon CloudWatch Events. Alerts that make it to Amazon CloudWatch Events can be used to send a notification through Amazon SNS. Amazon GuardDuty security alerts are sent to Amazon CloudWatch Events, not Amazon CloudWatch Logs. Amazon SQS is a queue system used for message delivery, not appropriate in this case. Amazon Inspector is used to conduct security assessments.
46. You have been asked by your organization’s CISO how long Amazon GuardDuty will retain the findings that it has alerted on as your organizational standard is 90 days. What should you tell the CISO?
  • A. 90 days
  • B. 180 days
  • C. 45 days
  • D. 30 days
Answer - A
Explanation - Amazon GuardDuty keeps findings in the Amazon GuardDuty Console for 90 days. After 90 days, they are deleted.
47. You have a lot of sensitive data in your S3 buckets and you have been asked if there is a solution to classify sensitive data and then monitor it for usage. Which product would fit the criteria?
  • A. Amazon Inspector
  • B. Amazon Macie
  • C. Third-party product
  • D. There is no product that will meet these requirements.
Answer - B
Explanation - Amazon Macie not only finds and classifies data, it also monitors the data for anomalous access. Amazon Inspector is used to perform security assessments. Third-party products will never be the answer on an AWS exam.
48. You want to see how well your environment compares to the five pillars of the Well-Architected Framework. Which tool could you use to get a report regarding how well your workloads fit into the AWS Well-Architected Framework?
  • A. AWS Well-Architected Tool
  • B. Amazon CloudWatch
  • C. AWS CloudTrail
  • D. Amazon Inspector
Answer - A
Explanation - The AWS Well-Architected Tool allows you to check your workloads against the five pillars of the Well-Architected Framework. Amazon CloudWatch is a monitoring solution, AWS CloudTrail monitors API calls, and Amazon Inspector is a security assessment tool.
49. You want to be able to monitor what software is installed and add licenses to installed software across your on-prem systems and your AWS systems. Which products will allow you to do this? (Choose two.)
  • A. Amazon Inspector
  • B. AWS Systems Manager
  • C. AWS License Manager
  • D. AWS Config
  • E. Amazon CloudWatch
Answer - B, C
Explanation - AWS License Manager, when paired with AWS Systems Manager, can inventory your software both on-prem and in AWS. Once your software is managed by AWS License Manager, you can apply licensing rules to it. Amazon Inspector is used for security assessments. AWS Config monitors configuration drift, and Amazon CloudWatch monitors logs and events across AWS.
50. You are using AWS License Manager to monitor license usage in your account. You want to be able to manage licensing in all of the AWS accounts in your organization. What is the most efficient way to manage your licenses?
  • A. Have your IAM account added to each AWS account.
  • B. Set up the AWS accounts in AWS Organizations.
  • C. Have individual account owners report license usage.
  • D. You can’t centrally manage your license for all AWS accounts.
Answer - B
Explanation - The most efficient method to manage licenses will be to add all of the AWS accounts in your organization to AWS Organizations. Then you can centrally manage all licensing with AWS License Manager. While you could have your IAM account added to each AWS account, this is certainly not the most efficient route to take. Individual account owners reporting usage is definitely not efficient.