AWS-Solution-Architect-Associate Exam - AWS Certified Solutions Architect - Associate

certleader.com

Online Amazon AWS-Solution-Architect-Associate free dumps demo Below:

NEW QUESTION 1
You need to create a management network using network interfaces for a virtual private cloud (VPC) network. Which of the following statements is incorrect pertaining to Best Practices for Configuring Network Interfaces?

  • A. You can detach secondary (ethN) network interfaces when the instance is running or stopped. However, you can't detach the primary (eth0) interface.
  • B. Launching an instance with multiple network interfaces automatically configures interfaces, private IP addresses, and route tables on the operating system of the instance.
  • C. You can attach a network interface in one subnet to an instance in another subnet in the same VPC, however, both the network interface and the instance must reside in the same Availability Zone.
  • D. Attaching another network interface to an instance is a valid method to increase or double the network bandwidth to or from the dual-homed instance.

Answer: D

Explanation: Best Practices for Configuring Network Interfaces
You can attach a network interface to an instance when it's running (hot attach), when it's stopped (warm attach), or when the instance is being launched (cold attach).
You can detach secondary (ethN) network interfaces when the instance is running or stopped. However, you can't detach the primary (eth0) interface.
You can attach a network interface in one subnet to an instance in another subnet in the same VPC, however, both the network interface and the instance must reside in the same Availability Zone.
When launching an instance from the CLI or API, you can specify the network interfaces to attach to the instance for both the primary (eth0) and additional network interfaces.
Launching an instance with multiple network interfaces automatically configures interfaces, private IP addresses, and route tables on the operating system of the instance.
A warm or hot attach of an additional network interface may require you to manually bring up the second interface, configure the private IP address, and modify the route table accordingly. (Instances running Amazon Linux automatically recognize the warm or hot attach and configure themselves.)
Attaching another network interface to an instance is not a method to increase or double the network bandwidth to or from the dual-homed instance.
Reference:
http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.html#use-network-and-security-appliances-in-your-vpc

NEW QUESTION 2
Amazon RDS supports SOAP only through ____.

  • A. HTTP or HTTPS
  • B. TCP/IP
  • C. HTTP
  • D. HTTPS

Answer: D

NEW QUESTION 3
What does Amazon CloudFormation provide?

  • A. The ability to setup Autoscaling for Amazon EC2 instances.
  • B. None of these.
  • C. A templated resource creation for Amazon Web Services.
  • D. A template to map network resources for Amazon Web Services.

Answer: D

NEW QUESTION 4
What is the maximum key length of a tag?

  • A. 512 Unicode characters
  • B. 64 Unicode characters
  • C. 256 Unicode characters
  • D. 128 Unicode characters

Answer: D

NEW QUESTION 5
How many relational database engines does RDS currently support?

  • A. Three: MySQL, Oracle and Microsoft SQL Server.
  • B. Just two: MySQL and Oracle.
  • C. Five: MySQL, PostgreSQL, MongoDB, Cassandra and SQLite.
  • D. Just one: MySQL.

Answer: A

NEW QUESTION 6
You have a video transcoding application running on Amazon EC2. Each instance polls a queue to find out which video should be transcoded, and then runs a transcoding process. If this process is interrupted, the video will be transcoded by another instance based on the queuing system. You have a large backlog of videos which need to be transcoded and would like to reduce this backlog by adding more instances. You will need these instances only until the backlog is reduced. Which type of Amazon EC2 instances should you use to reduce the backlog in the most cost-efficient way?

  • A. Reserved instances
  • B. Spot instances
  • C. Dedicated instances
  • D. On-demand instances

Answer: B

Explanation: Reference: http://aws.amazon.com/ec2/purchasing-options/spot-instances/

NEW QUESTION 7
You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each account's bill to a Master AWS account using Consolidated Billing. To make sure you keep within budget, you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.

  • A. Create IAM users in the Master account with full Admin permissions. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
  • B. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
  • C. Create IAM users in the Master account. Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
  • D. Link the accounts using Consolidated Billing. This will give IAM users in the Master account access to resources in the Dev and Test accounts.

Answer: C

Explanation: Bucket Owner Granting Cross-account Permission to Objects It Does Not Own
In this example scenario, you own a bucket and you have enabled other AWS accounts to upload objects. That is, your bucket can have objects that other AWS accounts own.
Now, suppose as a bucket owner, you need to grant cross-account permission on objects, regardless of who the owner is, to a user in another account. For example, that user could be a billing application that needs to access object metadata. There are two core issues:
The bucket owner has no permissions on those objects created by other AWS accounts. So for the bucket owner to grant permissions on objects it does not own, the object owner, the AWS account that created the objects, must first grant permission to the bucket owner. The bucket owner can then delegate those permissions.
Bucket owner account can delegate permissions to users in its own account but it cannot delegate permissions to other AWS accounts, because cross-account delegation is not supported.
In this scenario, the bucket owner can create an AWS Identity and Access Management (IAM) role with permission to access objects, and grant another AWS account permission to assume the role temporarily, enabling it to access objects in the bucket.
Background: Cross-Account Permissions and Using IAM Roles
IAM roles enable several scenarios to delegate access to your resources, and cross-account access is one of the key scenarios. In this example, the bucket owner, Account A, uses an IAM role to temporarily delegate object access cross-account to users in another AWS account, Account C. Each IAM role you create has two policies attached to it:
A trust policy identifying another AWS account that can assume the role.
An access policy defining what permissions (for example, s3:GetObject) are allowed when someone assumes the role. For a list of permissions you can specify in a policy, see Specifying Permissions in a Policy.
The AWS account identified in the trust policy then grants its user permission to assume the role. The user can then do the following to access objects:
Assume the role and, in response, get temporary security credentials.
Using the temporary security credentials, access the objects in the bucket.
For more information about IAM roles, go to Roles (Delegation and Federation) in IAM User Guide. The following is a summary of the walkthrough steps:
Account A administrator user attaches a bucket policy granting Account B conditional permission to upload objects.
Account A administrator creates an IAM role, establishing trust with Account C, so users in that account can access Account A. The access policy attached to the role limits what user in Account C can do when the user accesses Account A.
Account B administrator uploads an object to the bucket owned by Account A, granting full-control permission to the bucket owner.
Account C administrator creates a user and attaches a user policy that allows the user to assume the role.
User in Account C first assumes the role, which returns the user temporary security credentials. Using those temporary credentials, the user then accesses objects in the bucket.
For this example, you need three accounts. The following table shows how we refer to these accounts and the administrator users in these accounts. Per IAM guidelines (see About Using an Administrator User to Create Resources and Grant Permissions) we do not use the account root credentials in this walkthrough. Instead, you create an administrator user in each account and use those credentials in creating resources and granting them permissions.

NEW QUESTION 8
You need to set up a security certificate for a client's e-commerce website as it will use the HTTPS protocol. Which of the below AWS services do you need to access to manage your SSL server certificate?

  • A. AWS Directory Service
  • B. AWS Identity & Access Management
  • C. AWS CloudFormation
  • D. Amazon Route 53

Answer: B

Explanation: AWS Identity and Access Management (IAM) is a web service that enables Amazon Web Services (AWS) customers to manage users and user permissions in AWS.
All your SSL server certificates are managed by AWS Identity and Access Management (IAM).
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingServerCerts.html

NEW QUESTION 9
Will my standby RDS instance be in the same Availability Zone as my primary?

  • A. Only for Oracle RDS types
  • B. Yes
  • C. Only if configured at launch
  • D. No

Answer: D

NEW QUESTION 10
Which of the following are true regarding AWS CloudTrail? Choose 3 answers

  • A. CloudTrail is enabled globally
  • B. CloudTrail is enabled by default
  • C. CloudTrail is enabled on a per-region basis
  • D. CloudTrail is enabled on a per-service basis.
  • E. Logs can be delivered to a single Amazon S3 bucket for aggregation.
  • F. CloudTrail is enabled for all available services within a region.
  • G. Logs can only be processed and delivered to the region in which they are generated.

Answer: CDE

Explanation: Reference: http://aws.amazon.com/cloudtrail/faqs/

NEW QUESTION 11
Which of the following items are required to allow an application deployed on an EC2 instance to write data to a DynamoDB table? Assume that no security keys are allowed to be stored on the EC2 instance. (Choose 2 answers)

  • A. Create an IAM Role that allows write access to the DynamoDB table.
  • B. Add an IAM Role to a running EC2 instance.
  • C. Create an IAM User that allows write access to the DynamoDB table.
  • D. Add an IAM User to a running EC2 instance.
  • E. Launch an EC2 Instance with the IAM Role included in the launch configuration.

Answer: AE

Explanation: Reference:
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/TicTacToe.Phase3.html

NEW QUESTION 12
A user has created an ELB with Auto Scaling. Which of the below mentioned offerings from ELB helps the user to stop sending new request traffic from the load balancer to the EC2 instance when the instance is being deregistered while continuing in-flight requests?

  • A. ELB sticky session
  • B. ELB deregistration check
  • C. ELB auto registration Off
  • D. ELB connection draining

Answer: D

Explanation: The Elastic Load Balancer connection draining feature causes the load balancer to stop sending new requests to the back-end instances when the instances are deregistering or become unhealthy, while ensuring that in-flight requests continue to be served.
Reference:
http://docs.aws.amazon.com/ElasticLoadBalancing/latest/DeveloperGuide/config-conn-drain.html

NEW QUESTION 13
Using Amazon IAM, can I give permission based on organizational groups?

  • A. Yes but only in certain cases
  • B. No
  • C. Yes always

Answer: C

NEW QUESTION 14
You need to configure an Amazon S3 bucket to serve static assets for your public-facing web application. Which methods ensure that all objects uploaded to the bucket are set to public read? Choose 2 answers

  • A. Set permissions on the object to public read during upload.
  • B. Configure the bucket ACL to set all objects to public read.
  • C. Configure the bucket policy to set all objects to public read.
  • D. Use AWS Identity and Access Management roles to set the bucket to public read.
  • E. Amazon S3 objects default to public read, so no action is needed.

Answer: AC

NEW QUESTION 15
Which of the following approaches provides the lowest cost for Amazon Elastic Block Store snapshots while giving you the ability to fully restore data?

  • A. Maintain two snapshots: the original snapshot and the latest incremental snapshot.
  • B. Maintain a volume snapshot; subsequent snapshots will overwrite one another
  • C. Maintain a single snapshot; the latest snapshot is both incremental and complete.
  • D. Maintain the most current snapshot, archive the original and incremental to Amazon Glacier.

Answer: A

NEW QUESTION 16
It is advised that you watch the Amazon CloudWatch "____" metric (available via the AWS Management Console or Amazon CloudWatch APIs) carefully and recreate the Read Replica should it fall behind due to replication errors.

  • A. Write Lag
  • B. Read Replica
  • C. Replica Lag
  • D. Single Replica

Answer: C

NEW QUESTION 17
Your website is serving on-demand training videos to your workforce. Videos are uploaded monthly in high resolution MP4 format. Your workforce is distributed globally, often on the move, and using company-provided tablets that require the HTTP Live Streaming (HLS) protocol to watch a video. Your company has no video transcoding expertise and if required you may need to pay for a consultant.
How do you implement the most cost-efficient architecture without compromising high availability and quality of video delivery?

  • A. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.
  • B. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. EBS volumes to host videos and EBS snapshots to incrementally backup original files after a few days. CloudFront to serve HLS transcoded videos from EC2.
  • C. Elastic Transcoder to transcode original high-resolution MP4 videos to HLS. S3 to host videos with Lifecycle Management to archive original files to Glacier after a few days. CloudFront to serve HLS transcoded videos from S3.
  • D. A video transcoding pipeline running on EC2 using SQS to distribute tasks and Auto Scaling to adjust the number of nodes depending on the length of the queue. S3 to host videos with Lifecycle Management to archive all files to Glacier after a few days. CloudFront to serve HLS transcoded videos from Glacier.

Answer: C

NEW QUESTION 18
You are designing an intrusion detection/prevention (IDS/IPS) solution for a customer web application in a single VPC. You are considering the options for implementing IDS/IPS protection for traffic coming from the Internet.
Which of the following options would you consider? (Choose 2 answers)

  • A. Implement IDS/IPS agents on each instance running in the VPC
  • B. Configure an instance in each subnet to switch its network interface card to promiscuous mode and analyze network traffic.
  • C. Implement Elastic Load Balancing with SSL listeners in front of the web applications
  • D. Implement a reverse proxy layer in front of web servers and configure IDS/ IPS agents on each reverse proxy server.

Answer: BD

NEW QUESTION 19
You are setting up your first Amazon Virtual Private Cloud (Amazon VPC) network so you decide you should probably use the AWS Management Console and the VPC Wizard. Which of the following is not an option for network architectures after launching the "Start VPC Wizard" in Amazon VPC page on the AWS Management Console?

  • A. VPC with a Single Public Subnet Only
  • B. VPC with a Public Subnet Only and Hardware VPN Access
  • C. VPC with Public and Private Subnets and Hardware VPN Access
  • D. VPC with a Private Subnet Only and Hardware VPN Access

Answer: B

Explanation: Amazon VPC enables you to build a virtual network in the AWS cloud - no VPNs, hardware, or physical datacenters required.
Your AWS resources are automatically provisioned in a ready-to-use default VPC. You can choose to create additional VPCs by going to Amazon VPC page on the AWS Management Console and click on the "Start VPC Wizard" button.
You'll be presented with four basic options for network architectures. After selecting an option, you can modify the size and IP address range of the VPC and its subnets. If you select an option with Hardware VPN Access, you will need to specify the IP address of the VPN hardware on your network. You can modify the VPC to add more subnets or add or remove gateways at any time after the VPC has been created.
The four options are:
VPC with a Single Public Subnet Only
VPC with Public and Private Subnets
VPC with Public and Private Subnets and Hardware VPN Access
VPC with a Private Subnet Only and Hardware VPN Access
Reference: https://aws.amazon.com/vpc/faqs/
