Aws Csa 1

Uploaded by tookilos biblex

You would like to share some documents with public users accessing an S3 bucket over the Internet.

What are two valid methods of granting public read permissions so you can share the documents? (Choose 2)

 Grant public read access to the objects when uploading (Correct)

 Share the documents using CloudFront and a static website

 Use the AWS Policy Generator to create a bucket policy for your Amazon S3 bucket
granting read access to public anonymous users (Correct)

 Grant public read on all objects using the S3 bucket ACL

 Share the documents using a bastion host in a public subnet

A Solutions Architect is designing an authentication solution using the AWS STS that will provide temporary,
limited-privilege credentials for IAM users or for users that you authenticate (federated users). What
supported sources are available to the Architect for users? (Choose 2)

 OpenID Connect (Correct)

 EC2 instance

 Another AWS account (Correct)

 A local user on a user's PC

 Cognito identity pool

You are building an application that will collect information about user behavior. The application will rapidly
ingest large amounts of dynamic data and requires very low latency. The database must be scalable without
incurring downtime. Which database would you recommend for this scenario?

 RDS with MySQL

 DynamoDB (Correct)

 RedShift

 RDS with Microsoft SQL

A Solutions Architect is building a complex application with several back-end APIs. The architect is
considering using Amazon API Gateway. With Amazon API Gateway what are features that assist with
creating and managing APIs? (Choose 2)

 You can define plans that meter and restrict third-party developer access to APIs
(Correct)

 Flexible message delivery over multiple transport protocols


 You can define the maintenance window or AWS will schedule a 30 minute window

 You can operate multiple API versions and multiple stages for each version
simultaneously (Correct)

 Executes your code as functions using serverless technology

Your company would like to restrict the ability of most users to change their own passwords whilst
continuing to allow a select group of users within specific user groups.

What is the best way to achieve this? (Choose 2)

 Under the IAM Password Policy deselect the option to allow users to change their own
passwords (Correct)

 Create an IAM Policy that grants users the ability to change their own password and
attach it to the groups that contain the users (Correct)

 Create an IAM Role that grants users the ability to change their own password and attach
it to the groups that contain the users

 Disable the ability for all users to change their own passwords using the AWS Security
Token Service

 Create an IAM Policy that grants users the ability to change their own password and
attach it to the individual user accounts

A colleague from your company’s IT Security team has notified you of an Internet-based threat that affects a
certain port and protocol combination. You have conducted an audit of your VPC and found that this port
and protocol combination is allowed on an Inbound Rule with a source of 0.0.0.0/0. You have verified that
this rule only exists for maintenance purposes and need to make an urgent change to block the access.

What is the fastest way to block access from the Internet to the specific ports and protocols?

 You don’t need to do anything; this rule will only allow access to VPC based resources

 Update the security group by removing the rule (Correct)

 Delete the security group

 Add a deny rule to the security group with a higher priority

You are a Solutions Architect at Digital Cloud Training. One of your clients has requested that you design a
solution for distributing load across a number of EC2 instances across multiple AZs within a region.
Customers will connect to several different applications running on the client’s servers through their
browser using multiple domain names and SSL certificates. The certificates are stored in AWS Certificate
Manager (ACM).
What is the optimal architecture to ensure high availability, cost effectiveness, and performance?

 Launch a single ALB and bind multiple SSL certificates to multiple secure listeners

 Launch a single ALB and bind multiple SSL certificates to the same secure listener.
Clients will use the Server Name Indication (SNI) extension (Correct)

 Launch multiple ALBs and bind separate SSL certificates to each ELB

 Launch a single ALB, configure host-based routing for the domain names and bind an
SSL certificate to each routing rule

A Linux instance running in your VPC requires some configuration changes to be implemented locally and
you need to run some commands. Which of the following can be used to securely connect to the instance?

 EC2 password

 Key pairs (Correct)

 Public key

 SSL/TLS certificate

One of your EC2 instances runs an application process that saves user data to an attached EBS volume. The
EBS volume was attached to the EC2 instance after it was launched and is unencrypted. You would like to
encrypt the data that is stored on the volume as it is considered sensitive; however, you cannot shut down
the instance due to other application processes that are running.

What is the best method of applying encryption to the sensitive data without any downtime?

 Create an encrypted snapshot of the current EBS volume. Restore the snapshot to the
EBS volume

 Create and mount a new encrypted EBS volume. Move the data to the new volume and
then delete the old volume (Correct)

 Unmount the volume and enable server-side encryption. Re-mount the EBS volume

 Leverage the AWS Encryption CLI to encrypt the data on the volume

You are a Solutions Architect at Digital Cloud Training. A client has requested a design for a
highly-available, fault tolerant architecture for the web and app tiers of a three-tier
application. The requirements are as follows:
- Web instances will be in a public subnet and app instances will be in a private subnet
- Connections to EC2 instances should be automatically distributed across AZs
- A minimum of 12 web server EC2 instances must be running at all times
- A minimum of 6 app server EC2 instances must be running at all times
- The failure of a single availability zone (AZ) must not affect the availability of the application
or result in a reduction of capacity beneath the stated requirements
Which of the following design options would be the most suitable and cost-effective solution?

 One Auto Scaling Group using 3 AZs and a minimum of 18 EC2 instances behind an
Internet facing ALB for the web layer. One Auto Scaling Group using 3 AZs and a
minimum of 9 EC2 instances behind an internal-only ALB for the app layer (Correct)

 One Auto Scaling Group using 3 AZs and a minimum of 12 EC2 instances behind an
Internet facing ALB for the web layer. One Auto Scaling Group using 3 AZs and a
minimum of 6 EC2 instances behind an internal-only ALB for the app layer

 One Auto Scaling Group with a minimum of 18 EC2 instances for the web layer. One Auto
Scaling Group using 3 AZs and a minimum of 9 EC2 instances for the app layer. A single
Internet-facing ALB using 3 AZs and two target groups for the web and app layers

 One Auto Scaling Group with a minimum of 12 EC2 instances for the web layer. One Auto
Scaling Group using 3 AZs and a minimum of 6 EC2 instances for the app layer. A single
Internet-facing ALB using 3 AZs and two target groups for the web and app layers

A customer has asked you to recommend the best solution for a highly available database. The database is a
relational OLTP type of database and the customer does not want to manage the operating system the
database runs on. Failover between AZs must be automatic.

Which of the below options would you suggest to the customer?

 Use DynamoDB

 Use RDS in a Multi-AZ configuration (Correct)

 Install a relational database on EC2 instances in multiple AZs and create a cluster

 Use RedShift in a Multi-AZ configuration

You are troubleshooting a connectivity issue where you cannot connect to an EC2 instance in a public
subnet in your VPC from the Internet. Which of the configuration items in the list below would you check
first? (choose 2)

 The subnet has “Auto-assign public IPv4 address” set to “Yes” (Correct)

 There is a NAT Gateway installed in the subnet

 The subnet route table has an attached NAT Gateway

 The security group attached to the EC2 instance has an inbound rule allowing the traffic
(Correct)

 The EC2 instance has a private IP address associated with it


You would like to provide some on-demand and live streaming video to your customers. The plan is to
provide the users with both the media player and the media files from the AWS cloud. One of the features
you need is for the content of the media files to begin playing while the file is still being downloaded.

What AWS services can deliver these requirements? (choose 2)

 Use CloudFront with a Web and RTMP distribution (Correct)

 Use CloudFront with an RTMP distribution

 Store the media files on an EC2 instance

 Store the media files in an S3 bucket (Correct)

There is a new requirement to implement in-memory caching for a Financial Services application due to
increasing read-heavy load. The data must be stored persistently. Automatic failover across AZs is also
required.

Which two items from the list below are required to deliver these requirements? (choose 2)

 ElastiCache with the Redis engine (Correct)

 ElastiCache with the Memcached engine

 Multi-AZ with Cluster mode and Automatic Failover enabled (Correct)

 Multiple nodes placed in different AZs

 Read replica with failover mode enabled

A Solutions Architect is designing a data archive strategy using Amazon Glacier. The Architect needs to
explain the features of the service to his manager. Which statements about Glacier are correct? (choose 2)

 Glacier objects are visible through S3 only (Correct)

 The contents of an archive can be modified after uploading

 Uploading archives is synchronous; downloading archives is asynchronous (Correct)

 Retrieval is immediate

 Glacier objects are visible through the Glacier console

The association between a poll-based source and a Lambda function is called the event source mapping.
Event sources maintain the mapping configuration except for stream-based services such as ________ and
________ for which the configuration is made on the Lambda side and Lambda performs the polling.
Fill in the blanks from the options below (choose 2)

 DynamoDB (Correct)

 S3

 IoT Button

 Kinesis (Correct)

 API Gateway

The data scientists in your company are looking for a service that can process and analyze real-time,
streaming data. They would like to use standard SQL queries to query the streaming data.

Which combination of AWS services would deliver these requirements?

 DynamoDB and EMR

 Kinesis Data Streams and Kinesis Data Analytics (Correct)

 ElastiCache and EMR

 Kinesis Data Streams and Kinesis Firehose

You are a Solutions Architect at a media company and you need to build an application stack that can
receive customer comments from sporting events. The application is expected to receive significant load
that could scale to millions of messages within a short space of time following high-profile matches. As you
are unsure of the load required for the database layer what is the most cost-effective way to ensure that
the messages are not dropped?

 Use RDS Auto Scaling for the database layer which will automatically scale as required

 Create an SQS queue and modify the application to write to the SQS queue. Launch
another application instance that polls the queue and writes messages to the database
(Correct)

 Write the data to an S3 bucket, configure RDS to poll the bucket for new messages

 Use DynamoDB and provision enough write capacity to handle the highest expected load

You are a Solutions Architect at Digital Cloud Training. A large multi-national client has requested a design
for a multi-region, multi-master database. The client has requested that the database be designed for fast,
massively scaled applications for a global user base. The database should be a fully managed service
including the replication.

Which AWS service can deliver these requirements?


 RDS with Multi-AZ

 S3 with Cross Region Replication

 DynamoDB with Global Tables and Cross Region Replication (Correct)

 EC2 instances with EBS replication

The application development team in your company has a new requirement for the deployment of a
container solution. You plan to use the AWS Elastic Container Service (ECS). The solution should include load
balancing of incoming requests across the ECS containers and allow the containers to use dynamic host port
mapping so that multiple tasks from the same service can run on the same container host.

Which AWS load balancing configuration will support this?

 Use an Application Load Balancer (ALB) and map the ECS service to the ALB (Correct)

 Use a Classic Load Balancer (CLB) and create a static mapping of the ports

 Use a Network Load Balancer (NLB) and host-based routing

 You cannot run multiple copies of a task on the same instance, because the ports would
conflict

To improve security in your AWS account you have decided to enable multi-factor authentication (MFA).
You can authenticate using an MFA device in which two ways? (choose 2)

 Locally to EC2 instances

 Through the AWS Management Console (Correct)

 Using a key pair

 Using the AWS API (Correct)

 Using biometrics

An application that was recently moved into the AWS cloud has been experiencing some authentication
issues. The application is currently configured to authenticate to an on-premise Microsoft Active Directory
Domain Controller via a VPN connection. Upon troubleshooting the issues, it seems that latency across the
VPN connection is causing authentication to fail. Your company is very cost sensitive at the moment and the
administrators of the Microsoft AD do not want to manage any additional directories. You need to resolve
the issues quickly.

What is the best solution to solve the authentication issues taking cost considerations into account?

 Create an AWS Direct Connect connection to reduce the latency between your company
and AWS

 Use the AWS Active Directory Service for Microsoft Active Directory and join your existing
on-premise domain

 Install an additional Microsoft Active Directory Domain Controller for your existing
domain on EC2 and configure the application to authenticate to the local DC (Correct)

 Use the AWS Active Directory Service for Microsoft Active Directory and create a new
domain. Establish a trust relationship with your existing on-premise domain

You are designing an identity, authorization and access management solution for the AWS cloud. The
features you need include the ability to manage user accounts and group memberships, create and apply
group policies, securely connect to Amazon EC2 instances, and provide Kerberos-based single sign-on (SSO).
You do not need to establish trust relationships with other domains, use DNS dynamic update, implement
schema extensions or use other advanced directory features.

What would be the most cost-effective solution?

 Use AWS Simple AD (Correct)

 Use AWS Directory Service for Microsoft AD

 Use Amazon Cloud Directory

 Use AD Connector

You work for a company that produces TV commercials. You are planning to run an advertising campaign
during a major political event that will be watched by millions of people over several days. It is expected
that your website will receive large bursts of traffic following commercial breaks. You have performed an
analysis and determined that you will need up to 150 EC2 web instances to process the traffic, which is
within the client's budget.

You need to ensure you deliver a high quality and consistent user experience whilst not exceeding the
client's budget. How would you design a highly available and elastic solution?

 Create an Auto Scaling Group across multiple AZs with a desired capacity of 150 EC2
instances. Launch an Application Load Balancer and specify the same AZs as the ASG
and pre-warm the ALB by contacting AWS prior to the event

 Create an Auto Scaling Group across multiple AZs with a desired capacity of 150 EC2
instances. Launch an Application Load Balancer and specify the same AZs as the ASG

 Create an Auto Scaling Group across multiple AZs with a maximum capacity of 150 EC2
instances. Launch an Application Load Balancer and specify the same AZs as the ASG

 Create an Auto Scaling Group across multiple AZs with a maximum capacity of 150 EC2
instances. Launch an Application Load Balancer and specify the same AZs as the ASG
and pre-warm the ALB by contacting AWS prior to the event (Correct)

For operational access to your AWS environment you are planning to set up a bastion host implementation.
Which of the below are AWS best practices for setting up bastion hosts? (choose 2)

 Deploy in 2 AZs and use an Auto Scaling group to ensure that the number of bastion host
instances always matches the desired capacity you specify during launch (Correct)

 Bastion hosts are deployed in the private subnets of the VPC

 Elastic IP addresses are associated with the bastion instances to make it easier to
remember and allow these IP addresses from on-premises firewalls (Correct)

 Access to the bastion hosts is configured to 0.0.0.0/0 for ingress in security groups

 Ports are unrestricted to allow full operational access to the bastion hosts

An application running on an external website is attempting to initiate a request to your company’s website
on AWS using API calls. A problem has been reported in which the requests are failing with an error that
includes the following text:

“Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource”

You have been asked to resolve the problem, what is the most likely solution?

 The IAM policy does not allow access to the API

 The ACL on the API needs to be updated

 Enable CORS on the API's resources using the selected methods under the API Gateway
(Correct)

 The request is not secured with SSL/TLS

You are an entrepreneur building a small company with some resources running on AWS. As you have
limited funding you're extremely cost conscious. Which AWS service can send you alerts via email or SNS
topic when you are forecast to exceed your funding capacity so you can take action?

 Cost Explorer

 AWS Budgets (Correct)

 AWS Billing Dashboard

 Cost & Usage reports

A company is in the process of deploying an Amazon Elastic Map Reduce (EMR) cluster. Which of the
statements below accurately describe the EMR service? (choose 2)

 EMR utilizes a hosted Hadoop framework running on Amazon EC2 and Amazon S3
(Correct)

 EMR makes it easy to securely stream video from connected devices to AWS for
analytics, machine learning (ML), and other processing

 EMR launches all nodes for a given cluster in the same Amazon EC2 Availability Zone
(Correct)

 EMR is a fully-managed service that makes it easy to set up and scale file storage in the
Amazon Cloud

 EMR clusters span availability zones providing redundancy

As a SysOps engineer working at Digital Cloud Training, you are constantly trying to improve your processes
for collecting log data. Currently you are collecting logs from across your AWS resources using CloudWatch
and a combination of standard and custom metrics. You are currently investigating how you can optimize
the storage of log files collected by CloudWatch.

Which of the following are valid options for storing CloudWatch log files? (choose 2)

 CloudWatch Logs (Correct)

 EFS

 Splunk (Correct)

 EBS

 RedShift

Your company uses Amazon Glacier to store files that must be retained for compliance reasons and are
rarely accessed. An auditor has requested access to some information that is stored in a Glacier archive. You
have initiated an archive retrieval job.

Which factors are important to know about the process from this point? (choose 2)

 There is a charge if you delete data within 90 days

 Following retrieval, you have 24 hours to download your data (Correct)

 Amazon Glacier must complete a job before you can get its output (Correct)

 The retrieved data will always be encrypted

 An MFA device is required to access the files


A company is considering using EC2 Reserved Instances to reduce cost. The Architect involved is concerned
about the potential limitations in flexibility of using RIs instead of On-Demand instances.

Which of the following statements about RIs are useful to the Architect? (choose 2)

 RIs can be sold on the Reserved Instance Marketplace (Correct)

 You can change the region with Convertible RIs

 There is a fee charged for any RI modifications

 You cannot launch RIs using Auto Scaling Groups

 You can use RIs in Placement Groups (Correct)

Your company has recently formed a partnership with another company. Both companies have resources
running in the AWS cloud and you would like to be able to access each other’s resources using private IP
addresses. The resources for each company are in different AWS regions and you need to ensure that fully
redundant connectivity is established.

You have established a VPC peering connection between the VPCs, what steps need to be taken next to
establish connectivity and resource sharing between the VPCs across regions? (choose 2)

 Establish an IPSec VPN between the VPCs

 Establish redundant Direct Connect connections between the VPCs

 Manually add routes to each VPC's routing tables as required to enable IP connectivity
(Correct)

 Establish dynamic routing with BGP and BFD

 Update Security Group rules to allow resource sharing (Correct)

Several websites you run on AWS use multiple Internet-facing Elastic Load Balancers (ELB) to distribute
incoming connections to EC2 instances running web applications. The ELBs are configured to forward using
either TCP (layer 4) or HTTP (layer 7) protocols. You would like to start recording the IP addresses of the
clients that connect to your web applications.

Which ELB features will you implement with which protocols? (choose 2)

 X-Forwarded-For request header and TCP

 X-Forwarded-For request header and HTTP (Correct)

 Proxy Protocol and TCP (Correct)

 Proxy Protocol and HTTP


 X-Forwarded-For request header for TCP and HTTP

Your company has offices in several locations around the world. Each office utilizes resources deployed in
the geographically closest AWS region. You would like to implement connectivity between all of the VPCs so
that you can provide full access to each other’s resources. As you are security conscious you would like to
ensure the traffic is encrypted and does not traverse the public Internet. The topology should be
many-to-many to enable all VPCs to access the resources in all other VPCs.

How can you successfully implement this connectivity using only AWS services? (choose 2)

 Use software VPN appliances running on EC2 instances

 Use inter-region VPC peering (Correct)

 Implement a fully meshed architecture (Correct)

 Implement a hub and spoke architecture

 Use VPC endpoints between VPCs

The company you work for is currently transitioning their infrastructure and applications into the AWS
cloud. You are planning to deploy an Elastic Load Balancer (ELB) that distributes traffic for a web application
running on EC2 instances. You still have some application servers running on-premise and you would like to
distribute application traffic across both your AWS and on-premises resources.

How can this be achieved?

 Provision a Direct Connect connection between your on-premises location and AWS and
create a target group on an ALB to use IP based targets for both your EC2 instances and
on-premises servers (Correct)

 Provision a Direct Connect connection between your on-premises location and AWS and
create a target group on an ALB to use Instance ID based targets for both your EC2
instances and on-premises server

 Provision an IPSec VPN connection between your on-premises location and AWS and
create a CLB that uses cross-zone load balancing to distribute traffic across EC2
instances and on-premises servers

 This cannot be done; ELBs are an AWS service and can only distribute traffic within the
AWS cloud

You are undertaking a project to make some audio and video files that your company uses for onboarding
new staff members available via a mobile application. You are looking for a cost-effective way to convert
the files from their current formats into formats that are compatible with smartphones and tablets. The files
are currently stored in an S3 bucket.
What AWS service can help with converting the files?

 MediaConvert

 Data Pipeline

 Elastic Transcoder (Correct)

 Rekognition
