Aws Asc

The document discusses various options to reduce the total snapshot cost for a healthcare company hosting applications on Amazon EC2 instances. It recommends creating an archival policy with Amazon Data Lifecycle Manager to archive snapshots after 6 months and delete them after 1 year.

Uploaded by nathan.askf

Single Choice

1)
You work as a solutions architect for a healthcare company that hosts all of its applications on Amazon EC2 instances. From a compliance and governance perspective, the company has to take daily, weekly, and monthly snapshots of all of its volumes. For auditing purposes the snapshots must be kept for 6 months, followed by a 6-month grace period after which they can be deleted. To automate snapshot creation, the organization is already using Amazon Data Lifecycle Manager (DLM) policies so that no volume is left out. Recently you discovered that the total snapshot cost has almost doubled compared to the total volume cost.

What automated method can you use to reduce the total snapshot cost?

- Manually identify the snapshots which need to be deleted via the DescribeSnapshots API and then invoke the DeleteSnapshot API based on snapshot age.
- Create an archival policy for Amazon EBS Snapshots with Amazon Data Lifecycle Manager wherein the snapshots will be archived after 6 months and deleted after 1 year.
Comments: This is correct and is a recent feature to save costs on snapshots (https://aws.amazon.com/blogs/storage/automatically-archive-amazon-ebs-snapshots-with-amazon-data-lifecycle-manager/)
- Push all the snapshots to an Amazon S3 bucket and then put a lifecycle policy on that bucket to archive the snapshots after 6 months and delete them after 1 year.
- Leverage SSM Run Command to delete the snapshots that have aged 365 days.
Score: 0.79
Multiple Choice
2)
A company is working on a new product launch. Both production and test environments
are using similar Amazon EC2 instances with attached Amazon EBS volumes. The Billing
team will need a solution to monitor the costs of both environments to identify any
unexpected charges.

What should a solutions architect implement to ensure that the Billing team can identify the charges for each environment? (Select TWO)

- AWS Trusted Advisor
- Savings Plans
- Budgets
- Cost Allocation Tag
Comments: AWS uses cost allocation tags to organize your resource costs on your cost allocation report, making it easier for you to categorize and track your AWS costs. - https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html
- Cost Explorer
Comments: Although Cost Explorer can be used to monitor the EC2 charges, it is not a useful tool by itself if the account's EC2 instances do not have tags or are spread across different AWS accounts.
Score: 0.79
Multiple Choice
3)
Your company is looking for a solution to manage backups for their workloads running in
AWS. They are interested in the AWS Backup service, but are trying to determine the
cost of the service.

Which of the following factors would you need to look at to determine the actual cost of AWS Backup? (Select TWO)

- The amount of storage used to store the backups.
Comments: Both the amount of storage being consumed and the specific services being protected are the only two relevant factors.
- The service(s) being protected.
Comments: Both the amount of storage being consumed and the specific services being protected are the only two relevant factors.
- The retention period.
- The backup frequency.
Score: 0.79
Single Choice
4)
What native Amazon VPC security feature can be used to allow and deny network traffic with the same rule set at the subnet level?

- Security Groups
- Network Access Control List (NACL)
Comments: A NACL operates at the subnet level and supports both allow and deny rules, whereas security groups only have allow rules.
- AWS WAF
- AWS Network Firewall
Score: 0.79
Single Choice
5)
Your team is migrating an application from a cluster of Amazon EC2 instances into AWS
Lambda functions.

Which technical consideration will continue to be your responsibility after the transition is complete?

- Storing sensitive credentials in the application code.
- Writing optimized application code.
- Identifying the appropriate machine family and size for the application code.
Comments: With Lambda, AWS owns and manages the underlying compute instances and their configuration.
- Updating and applying security patches to the operating system.
Score: 0.00
Single Choice
6)
A company runs a batch application in the AWS Cloud hosted on 200+ Amazon EC2 instances. As a solutions architect, you are asked to push debug logs from all the EC2 instances to an Amazon S3 bucket at 2:00 AM every day.

What is the best possible solution from an operational point of view?

- Inject a user script via AWS OpsWorks to all of the Amazon EC2 instances that will push the logs to this Amazon S3 bucket.
- Create a schedule in an AWS Systems Manager Maintenance Window to move the logs to the S3 bucket at 2:00 AM every day.
- Use SSM Session Manager to run a shell script on all Amazon EC2 instances at 2:00 AM.
- Use Systems Manager Distributor to transfer the logs at 2:00 AM on all the AWS Systems Manager managed instances.
Comments: This option is incorrect because SSM Distributor is used to install packages, not to execute scripts at a specified interval.
Score: 0.00
Single Choice
7)
A solutions architect has been tasked to migrate the shared filesystem for a High
Performance Compute (HPC) workload to AWS. The workload runs on Amazon Linux 2,
and requires a shared filesystem that can support sub-millisecond latencies, hundreds
of gigabytes per second of throughput, and millions of IOPS.

Which storage service should the solutions architect choose to meet these requirements?

- Amazon EFS One Zone
- Amazon FSx for Lustre
Comments: This is correct, as FSx for Lustre can support sub-millisecond latencies, hundreds of gigabytes per second of throughput, and millions of IOPS.
- AWS Storage Gateway File Gateway with an Amazon S3 bucket
- Amazon FSx for Windows File Server
Score: 0.79
Multiple Choice
8)
Which of the following is a serverless NoSQL database for applications that need high performance at any scale? (Select TWO)

- Amazon DocumentDB
- Amazon RDS
- Amazon Aurora
- Amazon DynamoDB
- Amazon ElastiCache
Score: 0.79
Multiple Choice
9)
What services can be used to provide hybrid network connectivity between on-premises sites and Amazon VPCs? (Select TWO)

- Amazon VPC Reachability Analyzer
- VPC Peering
- AWS Direct Connect
Comments: AWS Direct Connect can be used for hybrid network connectivity.
- AWS Site-to-Site VPN
Comments: AWS Site-to-Site VPN can be used for hybrid network connectivity.
Score: 0.79
Multiple Choice
10)
Which use cases are supported by Amazon S3 File Gateway? (Select TWO)

- Processing machine learning, big data analytics or serverless functions.
- Backing up on-premises file data as objects directly in Amazon S3 Glacier.
- Backing up on-premises file data as objects directly in Amazon EBS.
- Backing up on-premises file data as objects in Amazon S3.
Comments: Use cases for Amazon S3 File Gateway include: (a) migrating on-premises file data to Amazon S3, while maintaining fast local access to recently accessed data, (b) backing up on-premises file data as objects in Amazon S3 (including Microsoft SQL Server and Oracle databases and logs), with the ability to use S3 capabilities such as lifecycle management and cross-region replication, and (c) hybrid cloud workflows using data generated by on-premises applications for processing by AWS services such as machine learning, big data analytics or serverless functions.
- Migrating on-premises file data to Amazon S3, while maintaining fast local access to recently accessed data.
Comments: Use cases for Amazon S3 File Gateway include: (a) migrating on-premises file data to Amazon S3, while maintaining fast local access to recently accessed data, (b) backing up on-premises file data as objects in Amazon S3 (including Microsoft SQL Server and Oracle databases and logs), with the ability to use S3 capabilities such as lifecycle management and cross-region replication, and (c) hybrid cloud workflows using data generated by on-premises applications for processing by AWS services such as machine learning, big data analytics or serverless functions.
Score: 0.79
Single Choice
11)
You are a cloud security engineer and have been tasked with ensuring that confidential
data is not accessible publicly. To ensure compliance with this mandate, you are
interested in turning on Amazon S3 Block Public Access (BPA) feature.
Which of the following statements best describes the AWS concept of public access?

- Any bucket or object that grants permissions to the AllUsers OR AuthenticatedUsers groups.
Comments: This is the correct definition of public access via ACLs. Additionally, a bucket policy is considered public unless it restricts access to fixed values (not "*") of one or more of the following:
  - an AWS principal, user, role, or service principal (e.g. aws:PrincipalOrgID)
  - a set of Classless Inter-Domain Routing (CIDR) ranges using aws:SourceIp
  - aws:SourceArn, aws:SourceVpc, aws:SourceVpce, aws:SourceOwner, aws:SourceAccount
  - s3:x-amz-server-side-encryption-aws-kms-key-id
  - aws:userid, outside the pattern "AROLEID:*"
  - s3:DataAccessPointArn, s3:DataAccessPointAccount
- Any bucket or object accessible by any source other than the bucket or object owner.
- Any bucket or object that grants permissions to any resources located outside AWS.
- Any bucket or object that grants permissions to any resource in another AWS account.
Score: 0.79
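The definition in the comment above can be turned into a mechanical check. The following is an added example written for this page, not code from the quiz or from AWS: a small Python classifier that applies the ACL rule and the bucket-policy "fixed values" rule listed above to constructed sample documents. The bucket name, VPC endpoint ID and canonical user ID are placeholders, and the aws:userid "AROLEID:*" caveat is only modelled through the generic no-wildcard rule.

```python
"""Added example, not part of the quiz: applies the Block Public Access
definition of "public" to a bucket policy and an ACL. Sample documents are
constructed; the bucket name, VPC endpoint ID and grantee ID are placeholders."""

# Condition keys that make a Principal "*" statement non-public when they are
# compared against fixed (wildcard-free) values. The aws:userid "AROLEID:*"
# caveat is only modelled through the generic no-wildcard rule.
FIXED_ACCESS_KEYS = {
    "aws:principalorgid", "aws:sourceip", "aws:sourcearn", "aws:sourcevpc",
    "aws:sourcevpce", "aws:sourceowner", "aws:sourceaccount", "aws:userid",
    "s3:x-amz-server-side-encryption-aws-kms-key-id",
    "s3:dataaccesspointarn", "s3:dataaccesspointaccount",
}
PUBLIC_ACL_GRANTEES = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _is_fixed(value):
    """A fixed value contains no wildcard and no policy variable."""
    value = str(value)
    return "*" not in value and "?" not in value and "${" not in value


def _principal_is_everyone(principal):
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def statement_is_public(stmt):
    """An Allow for Principal "*" is public unless some condition pins the
    audience to fixed values of one of the recognised keys."""
    if stmt.get("Effect") != "Allow" or not _principal_is_everyone(stmt.get("Principal")):
        return False
    for operator, pairs in stmt.get("Condition", {}).items():
        # Negated, IfExists and Null operators do not narrow the audience to a
        # fixed set, so they are treated conservatively as not fixing access.
        if "Not" in operator or operator.endswith("IfExists") or operator == "Null":
            continue
        for key, values in pairs.items():
            if key.lower() in FIXED_ACCESS_KEYS and all(_is_fixed(v) for v in _as_list(values)):
                return False
    return True


def policy_is_public(policy):
    return any(statement_is_public(s) for s in _as_list(policy.get("Statement", [])))


def acl_is_public(acl):
    """Any grant to the AllUsers or AuthenticatedUsers group is public."""
    return any(grant.get("Grantee", {}).get("URI") in PUBLIC_ACL_GRANTEES
               for grant in acl.get("Grants", []))


# Constructed sample documents.
BUCKET_ARN = "arn:aws:s3:::example-bucket"

PUBLIC_READ = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": BUCKET_ARN + "/*"}]}

VPCE_ONLY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
    "Resource": BUCKET_ARN + "/*",
    "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0123456789abcdef0"}}}]}

# A wildcard on the org ID does not pin the audience, so this stays public.
WILDCARD_ORG = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:ListBucket",
    "Resource": BUCKET_ARN,
    "Condition": {"StringLike": {"aws:PrincipalOrgID": "o-*"}}}]}

# A negated operator leaves the audience open-ended.
NOT_IP = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
    "Resource": BUCKET_ARN + "/*",
    "Condition": {"NotIpAddress": {"aws:SourceIp": "192.0.2.0/24"}}}]}

AUTH_USERS_ACL = {"Grants": [{
    "Grantee": {"Type": "Group",
                "URI": "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"},
    "Permission": "READ"}]}
OWNER_ONLY_ACL = {"Grants": [{
    "Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLECANONICALID"},
    "Permission": "FULL_CONTROL"}]}

if __name__ == "__main__":
    for name, doc in [("PUBLIC_READ", PUBLIC_READ), ("VPCE_ONLY", VPCE_ONLY),
                      ("WILDCARD_ORG", WILDCARD_ORG), ("NOT_IP", NOT_IP)]:
        print(f"{name}: public={policy_is_public(doc)}")
    print(f"AUTH_USERS_ACL: public={acl_is_public(AUTH_USERS_ACL)}")
```

For a real bucket, the GetBucketPolicyStatus API returns the same IsPublic verdict that Block Public Access uses; the classifier above is only meant to make the rule in the comment concrete.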
Single Choice
12)
A customer runs Node.js application code on an AWS Lambda function. To meet their business use case, they connected the Lambda function to an Amazon VPC to access an internal HTTP endpoint. However, they noticed that the Lambda function is no longer able to connect to an external service on the internet.

How can this issue be resolved?

- Connect your Lambda function to the VPC by creating a Virtual Private Gateway in the subnet.
- Enable enhanced VPC routing for the AWS Lambda function.
- Connect your Lambda function to a private subnet and add an entry to the subnet route table pointing to a NAT gateway.
Comments: When a Lambda function is connected to a VPC, all outbound requests go through your VPC. To connect to the internet, configure your VPC to send outbound traffic from the function's subnet to a NAT gateway in a public subnet.
- Update the function code to avoid the VPC while connecting to the external service on the internet.
Score: 0.79
Multiple Choice
13)
As a cloud architect, you've been tasked with finding a way to restrict access to specific content for all users in a specific country.

Which of the following services could be used? (Select TWO)

- AWS WAF
Comments: With CloudFront, you would create a distribution and use CloudFront's geo-blocking feature to restrict access at the country level. Also, AWS WAF can be used to restrict access to a CloudFront distribution at the country level. Alternatively, Amazon Route 53 can be used; however, that would re-route requests from a restricted geography, for example, to an error message page.
References:
Restricting the geographic distribution of your content
Using AWS WAF to control access to your content
3 Ways to Geo-Restrict your App
- Amazon Route 53
- Amazon CloudFront
Comments: With CloudFront, you would create a distribution and use CloudFront's geo-blocking feature to restrict access at the country level. Also, AWS WAF can be used to restrict access to a CloudFront distribution at the country level. Alternatively, Amazon Route 53 can be used; however, that would re-route requests from a restricted geography, for example, to an error message page.
References:
Restricting the geographic distribution of your content
Using AWS WAF to control access to your content
3 Ways to Geo-Restrict your App
- AWS Network Firewall
- AWS Shield
Score: 0.79
Multiple Choice
14)
A company wants to allow their existing Active Directory users access to AWS without
having to recreate AWS IAM user accounts for every person.

Which of the following methods is the most cost effective solution to meet the requirements? (Select TWO)

- X.509 Certificate
- OpenID Connect
- SAML 2.0
Comments: To use an IdP, you create an IAM identity provider entity to establish a trust relationship between your AWS account and the IdP. IAM supports IdPs that are compatible with OpenID Connect (OIDC) or SAML 2.0 (Security Assertion Markup Language 2.0).
- Cognito Identity Pool
- Amazon Directory Services
Comments: AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft Active Directory (AD), enables your directory-aware workloads and AWS resources to use managed Active Directory (AD) in AWS.
Score: 0.39
Multiple Choice
15)
An on-premises customer uses GitHub, a code repository to store, track, and collaborate
on software projects, and Jenkins, an open source automation server used to automate
the building and testing of software. The customer is migrating to AWS.

Which AWS services would they use instead? (Select TWO)

- AWS CodeCommit
Comments: AWS CodeCommit is a secure, highly scalable, managed source control service that hosts private Git repositories.
- AWS CodeDeploy
- AWS CodeBuild
Comments: AWS CodeBuild is a fully managed continuous integration service that compiles source code, runs tests, and produces ready-to-deploy software packages.
- AWS CloudFormation
Score: 0.79
Multiple Choice
16)
Some companies design their AWS workloads to update their components regularly, in
small, reversible increments.

Which pillar of the AWS Well-Architected Framework does this design support?

- Operational Excellence
Comments: The Operational Excellence pillar includes the ability to support development and run workloads effectively, gain insight into their operations, and continually improve supporting processes; making frequent, small, reversible changes is one of its design principles.
- Reliability
- Resilience
- Security
Score: 0.79
Multiple Choice
17)
What API types are supported by Amazon API Gateway? (Select TWO)

- TCP
- HTTPS API
- HTTP API
Comments: Amazon API Gateway offers two options to create RESTful APIs, HTTP APIs and REST APIs, as well as an option to create WebSocket APIs.
- UDP
- GraphQL API
- WebSocket API
Comments: Amazon API Gateway offers two options to create RESTful APIs, HTTP APIs and REST APIs, as well as an option to create WebSocket APIs.
Score: 0.79
Single Choice
18)
Your company is looking to store session information from their backend Amazon EC2 instances and wants to identify the best database that can provide durability, high availability (HA), scalability and persistence. Since they want to store session information, they want a database that can provide microsecond latency.

Which one of the following databases can best satisfy the requirements?

- Amazon DocumentDB
- Amazon DynamoDB
- Amazon MemoryDB for Redis
Comments: As discussed in https://aws.amazon.com/blogs/aws/introducing-amazon-memorydb-for-redis-a-redis-compatible-durable-in-memory-database-service/
- Amazon ElastiCache with Redis cluster mode enabled
Score: 0.79
Multiple Choice
19)
Your company uses Amazon Route 53 in their networking account to manage public
hosted zone records for their root domain, example.com. A developer in a different
account requires the ability to create, update, or delete DNS records for their public
application, app1.

How should you meet this requirement without giving the developer access to the company's networking account, or control over the root domain? (Select TWO)

- Create the app1.example.com Private Hosted Zone in the developer's account.
Comments: DNS records must be public.
- Create the example.com Public Hosted Zone in the developer's account.
- Create an A record in the example.com Public Hosted Zone for the subdomain with the IP address from the app1.example.com Public Hosted Zone.
- Create the app1.example.com Public Hosted Zone in the developer's account.
- Create an NS record in the example.com Public Hosted Zone for the subdomain with the name servers from the app1.example.com Public Hosted Zone.
Comments: Creating an NS record for the subdomain in the root domain's zone delegates the subdomain to the authoritative name servers listed in that record.
Score: 0.39
Multiple Choice
20)
A customer wants to place Amazon EC2 instances with IPv4 addresses in a private subnet of an Amazon VPC. This private subnet must have direct connectivity to the internet without traversing a Site-to-Site VPN.

Which gateways are required to achieve this architecture? (Select TWO)

- Transit Gateway
- Direct Connect Gateway
- Internet Gateway
Comments: An Internet Gateway provides direct internet connectivity for public subnets. Find more here: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
- Virtual Private Gateway
- NAT Gateway
Comments: A NAT Gateway provides outbound internet connectivity for private subnets; it sits in a public subnet and itself routes through the Internet Gateway. Find more here: https://docs.aws.amazon.com/vpc/latest/userguide/VPC_Scenario2.html
Score: 0.79
Single Choice
21)
Your company is exploring cloud computing and wants to start by building a small,
event-driven application that supports Marketing campaigns. The campaign will consist
of workflow that involves several discrete steps and target a small customer base. The
Marketing group wants the developers to build it quickly and have it ready for
customers as soon as possible. The developers want a visual way to track the individual
steps in the campaign.

Which compute option would be best?

- Configure an Amazon EC2 instance and deploy the application to run there. Write another service to run the application components when requested on another EC2 instance.
- Use AWS Lambda for compute. Organize the Lambda functions to run within AWS Step Functions.
Comments: AWS Lambda is great for small applications and event-driven apps, and enables fast development speed. Step Functions are specifically made to visually organize Lambda functions in a workflow.
- Run the application on AWS Batch. Set up Batch to call Lambda for compute.
- Run the application on AWS Batch. Organize the steps in the batch with AWS Step Functions for compute.
Score: 0.79
Multiple Choice
22)
Your company uses an Identity Provider (IdP) for single sign-on (SSO) and has tasked their solutions architect with connecting their AWS account to the IdP so their users can leverage their corporate identity to access the environment.

What actions should the solutions architect take to meet these requirements? (Select TWO)

- Create an AWS IAM Identity Provider by uploading the JSON metadata document from your IdP.
- Create an AWS IAM User Group, associate the User Group with the IdP and add users to the User Group.
- Create an AWS IAM User with AWS Management Console access and attach a policy with a trust relationship with the IdP.
- Create an AWS IAM Identity Provider by uploading the SAML metadata document from your IdP.
Comments: This is correct; IdP metadata documents are provided in SAML (XML) format.
- Create an AWS IAM Role with a trust relationship with the IdP.
Comments: This is correct; any IAM role that will be used with IAM federation requires a trust policy that permits federation from the IdP.
Score: 0.79
Multiple Choice
23)
You have to design a hybrid network architecture for an AWS Direct Connect link connecting to a customer's on-premises site.

What gateways can you use to make this connection? (Select THREE)

- Internet Gateway
- Transit Gateway
Comments: Transit Gateway can be used for an AWS Direct Connect link.
- Direct Connect Gateway
Comments: Direct Connect Gateway can be used for an AWS Direct Connect link.
- NAT Gateway
- Egress-only Internet Gateway
- Virtual Private Gateway
Comments: Virtual Private Gateway can be used for an AWS Direct Connect link.
Score: 0.79
Multiple Choice
24)
What are the components of Amazon VPC? (Select THREE)

- Egress-only Internet Gateway
- Virtual private gateway
- Elastic Network Interfaces
- Peering Connection
Comments: https://aws.amazon.com/vpc/faqs/ (What are the components of Amazon VPC?)
- AWS Transit Gateway
Comments: A transit gateway is a network transit hub that you can use to interconnect your virtual private clouds (VPCs) and on-premises networks. As your cloud infrastructure expands globally, inter-Region peering connects transit gateways together using the AWS Global Infrastructure. Your data is automatically encrypted and never travels over the public internet.
- AWS Direct Connect
Comments: AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard Ethernet fiber-optic cable.
Score: 0.27
Single Choice
25)
A company has an On-Demand Amazon EC2 instance with an attached Amazon EBS
volume. There is a scheduled job that creates a snapshot of this EBS volume at 12 AM
when the instance is not used. You have a production incident where you need to
perform a change on both the instance and on the EBS volume at the same time when
the snapshot is currently taking place.

Which of the following scenarios is valid when it comes to the usage of an EBS volume while the snapshot is in progress?

- The Amazon EBS volume can't be detached or attached when a snapshot is in progress.
- The Amazon EBS volume can be used when the snapshot is in progress.
- The Amazon EBS volume cannot be used when a snapshot is in progress.
- The volume can be used in read-only mode when a snapshot is in progress.
Comments: A volume remains fully available for reads and writes while a snapshot is in progress.
Score: 0.00
Single Choice
26)
A multinational company has services across the globe with a web application as its customer-facing frontend. One of the features of the app allows users to upload huge amounts of files. As part of their architecture they use a single bucket in the us-east-1 region, and all user data is uploaded to this bucket. As demand for the application has grown, more and more users are using it, which has led to an increase in file uploads. Because the users are spread across the globe, uploads take a long time when users are geographically far from the us-east-1 region, which leads to a degraded user experience. You need to improve the upload experience without making major code-level changes.

Which is the best service that you could use to achieve this requirement?

- AWS Transfer Family
- Amazon Partner Network
- AWS DataSync
- Amazon S3 Transfer Acceleration
Comments: Transfer Acceleration is best suited for scenarios in which you want to transfer data to a central location from all over the world, or transfer significant amounts of data across continents regularly. It can also help you use your available bandwidth when uploading to Amazon S3.
Score: 0.79
Multiple Choice
27)
An application transforms large images to thumbnails stored on Amazon S3. Thumbnails
need to be available to download for 30 days. Thumbnails can be easily recreated using
original images. Original images need to be immediately available for 30 days and
accessible within 4 hrs. for another 60 days.

What is the most cost effective storage option for original images and converted thumbnails? (Select TWO)

- Store thumbnails in STANDARD for 30 days then move to DEEP_ARCHIVE.
Comments: Thumbnails can be easily recreated, so STANDARD is not the cheapest option. Also, after 30 days we don't need the files, so there is no need to archive them.
- Store original images in INTELLIGENT_TIERING.
- Store thumbnails in ONEZONE_IA for 30 days then delete the data.
- Store the original images in STANDARD for 30 days, transition to GLACIER for 60 days, then delete the data.
- Store original images in STANDARD_IA for 30 days and transition to DEEP_ARCHIVE for 60 days, then expire the data.
Comments: DEEP_ARCHIVE retrieval takes 12-48 hrs. Here the question explicitly asks for 4 hr. retrieval.
Score: 0.00
Multiple Choice
28)
A company is running a three-tier architecture on AWS. The web tier is in a public
subnet, the application tier and the database are in private subnets across two
availability zones. The company's security team noticed that specific IP addresses are
attacking the Amazon EC2 instances in the web tier. A solutions architect must block
traffic from those IP addresses from reaching the Amazon VPC.

How can this requirement be met?

- Block the IP addresses using Amazon GuardDuty.
- Block the IP addresses using Amazon Inspector.
- Block the IP addresses with Network ACLs from reaching instances in the public subnets.
Comments: NACLs deny specific inbound or outbound traffic at the subnet level.
- Block the IP addresses with Security Groups.
Comments: A Security Group provides protection at the instance level and only has allow rules. The scenario requires blocking the traffic at the VPC (subnet) level, so this would not work.
Score: 0.79
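Questions 4 and 28 both turn on the same property: a NACL is an ordered list of allow and deny rules evaluated per subnet, while a security group holds allow rules only. The following is an added example, not part of the quiz: a Python simulation of both evaluations over a constructed rule table, showing the common mistake of giving the deny rule a higher number than the allow it is supposed to override. The addresses come from the RFC 5737 documentation ranges and are not real attackers.

```python
"""Added example, not part of the quiz: simulates inbound evaluation of a
network ACL (ordered allow/deny rules, subnet level) next to a security group
(allow rules only, instance level). Rule tables and addresses are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class NaclRule:
    number: int            # evaluated in ascending order; first match wins
    action: str            # "allow" or "deny"
    cidr: str
    protocol: str = "-1"   # "-1" = all, "6" = TCP, "17" = UDP
    from_port: int = 0
    to_port: int = 65535

    def matches(self, src_ip, protocol, port):
        if ipaddress.ip_address(src_ip) not in ipaddress.ip_network(self.cidr, strict=False):
            return False
        if self.protocol != "-1" and self.protocol != protocol:
            return False
        return self.from_port <= port <= self.to_port


def nacl_decision(rules, src_ip, protocol, port):
    """Lowest rule number first; the implicit '*' rule denies anything unmatched."""
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(src_ip, protocol, port):
            return rule.action
    return "deny"


def security_group_decision(allow_rules, src_ip, protocol, port):
    """A security group has no deny rules and no ordering: any matching allow
    rule admits the packet, so one source cannot be carved out of 0.0.0.0/0."""
    ip = ipaddress.ip_address(src_ip)
    for cidr, proto, lo, hi in allow_rules:
        if ip in ipaddress.ip_network(cidr, strict=False) and proto in ("-1", protocol) and lo <= port <= hi:
            return "allow"
    return "deny"


ATTACKER = "203.0.113.7"   # constructed, TEST-NET-3
CUSTOMER = "198.51.100.9"  # constructed, TEST-NET-2

# Mistake: the deny is numbered above the broad allow, so HTTPS from the
# attacker matches rule 100 first and rule 200 is never reached.
NACL_WRONG_ORDER = [
    NaclRule(100, "allow", "0.0.0.0/0", "6", 443, 443),
    NaclRule(200, "deny", "203.0.113.7/32"),
]
# Fix: give the deny a lower number than any allow it must override.
NACL_CORRECT = [
    NaclRule(50, "deny", "203.0.113.7/32"),
    NaclRule(100, "allow", "0.0.0.0/0", "6", 443, 443),
]
WEB_SG = [("0.0.0.0/0", "6", 443, 443)]

if __name__ == "__main__":
    for label, rules in [("wrong order", NACL_WRONG_ORDER), ("correct", NACL_CORRECT)]:
        print(f"NACL {label}: attacker:443 -> {nacl_decision(rules, ATTACKER, '6', 443)}")
    print(f"security group: attacker:443 -> {security_group_decision(WEB_SG, ATTACKER, '6', 443)}")
```

Only the inbound direction is modelled. NACLs are stateless, so in a real subnet the outbound table also needs an allow for the ephemeral port range, or the SYN-ACK replies to those HTTPS connections are dropped.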
Multiple Choice
29)
As the AWS solutions architect, you need to explore whether Amazon ECS is the right
choice to build sophisticated application architectures on a microservices model.

Which of the following is true for Amazon ECS? (Select THREE)

- Amazon ECS has built-in security; all of the images are stored in a container registry that is only accessible through HTTPS.
Comments: True.
- A cluster may contain a mix of tasks hosted on AWS Fargate, Amazon EC2 instances, or external instances.
Comments: True; https://docs.aws.amazon.com/AmazonECS/latest/developerguide/clusters.html
- Amazon ECS manages your cluster resources for all launch types.
Comments: False; when using the EC2 launch type, you manage your cluster resources.
- Amazon ECS supports multi-cloud integration.
- Amazon ECS provides service discovery for a microservice architecture.
- Easier to manage since your entire application needs to be on a single task definition.
Score: 0.52
Single Choice
30)
As the solutions architect in an organization, you are given an assignment to build an
application in AWS which is required to be deployed in an Auto Scaling group of On-
Demand Amazon EC2 instances and a MongoDB database. It is expected that the
database will have high-throughput workloads performing small, random I/O operations.

Which of the following is the most performant Amazon EBS type to use for your database?

- Throughput Optimized HDD - st1
- Cold HDD - sc1
- Provisioned IOPS SSD - io1
Comments: Provisioned IOPS SSD volumes are designed to meet the needs of I/O-intensive workloads, particularly database workloads, that are sensitive to storage performance and consistency.
- General Purpose SSD - gp2
Score: 0.79
Single Choice
31)
You are in charge of securely managing Amazon S3 buckets on AWS. One bucket currently receives requests to read or write over the public internet. A potential risk exists that person-in-the-middle attacks or eavesdropping attempts may occur.

Which of the following options would address this risk regardless of where the request comes from?

- Create a bucket policy for the designated bucket with a condition on aws:SecureTransport to only allow encrypted connections over HTTPS.
- Create an SCP for the organization with a condition to only write to the bucket if the data is encrypted.
- Create an SCP for the organization with a condition on aws:SecureTransport to only allow encrypted connections over HTTPS.
- Create an IAM user policy with a condition that only allows users to upload to or read from the designated bucket if aws:SecureTransport is true.
Comments: Although you can create an IAM user policy to enforce secure transport, you have to make sure it is attached to all users who interact with that bucket. If you want to enforce secure transport for anyone making requests, you would have to make sure everyone has this policy attached, which requires more management effort.
Score: 0.00
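The comment above is the whole point of question 31: a Deny on aws:SecureTransport only covers every caller when it lives in the bucket policy. The following is an added example, not part of the quiz: a Python evaluator with a constructed bucket ARN, two hypothetical users (alice, bob) and two request contexts, comparing the bucket-policy Deny with the same Deny attached only to alice's identity policy. Principal matching is simplified: the bucket-policy statement with Principal "*" is applied to every caller, and only the Bool condition operator is implemented.

```python
"""Added example, not part of the quiz: a small evaluator for the
aws:SecureTransport Deny pattern. Bucket ARN, user names and request
contexts are constructed; only the Bool operator is implemented."""
import fnmatch

BUCKET_ARN = "arn:aws:s3:::example-bucket"
BUCKET_RESOURCES = [BUCKET_ARN, BUCKET_ARN + "/*"]

# Resource-based statement: lives in the bucket policy and applies to anyone.
BUCKET_DENY_HTTP = {
    "Sid": "DenyInsecureTransport",
    "Effect": "Deny",
    "Principal": "*",
    "Action": "s3:*",
    "Resource": BUCKET_RESOURCES,
    "Condition": {"Bool": {"aws:SecureTransport": "false"}},
}
# Identity-based version: no Principal element; it binds only to whoever it is attached to.
IDENTITY_DENY_HTTP = {k: v for k, v in BUCKET_DENY_HTTP.items() if k != "Principal"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _bool_condition_matches(condition, context):
    """A Bool condition on a key missing from the request context is false,
    so the Deny does not fire; aws:SecureTransport is always present for S3."""
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def _statement_denies(stmt, action, resource, context):
    if stmt.get("Effect") != "Deny":
        return False
    if not any(fnmatch.fnmatch(action, a) for a in _as_list(stmt["Action"])):
        return False
    if not any(fnmatch.fnmatch(resource, r) for r in _as_list(stmt["Resource"])):
        return False
    if "Condition" in stmt and not _bool_condition_matches(stmt["Condition"], context):
        return False
    return True


def request_denied(bucket_policy, identity_policies, principal, action, resource, context):
    """An explicit Deny wins wherever it appears. Bucket-policy statements are
    evaluated for every principal; identity statements only for the principal
    they are attached to (a dict of principal -> list of statements)."""
    statements = list(bucket_policy) + list(identity_policies.get(principal, []))
    return any(_statement_denies(s, action, resource, context) for s in statements)


HTTP = {"aws:SecureTransport": "false"}
HTTPS = {"aws:SecureTransport": "true"}
OBJECT = BUCKET_ARN + "/logs/app.log"


def bucket_policy_scenario(principal, context):
    """Option 1 in the question: enforce in the bucket policy."""
    return request_denied([BUCKET_DENY_HTTP], {}, principal, "s3:GetObject", OBJECT, context)


def identity_policy_scenario(principal, context):
    """Option 4 in the question: enforce only in alice's identity policy."""
    return request_denied([], {"alice": [IDENTITY_DENY_HTTP]}, principal, "s3:GetObject", OBJECT, context)


if __name__ == "__main__":
    for who in ("alice", "bob"):
        print(f"{who}: bucket policy denies http={bucket_policy_scenario(who, HTTP)}, "
              f"identity policy denies http={identity_policy_scenario(who, HTTP)}")
```

bob's plaintext request slips through in the identity-policy scenario because nothing is attached to him; in the bucket-policy scenario every caller, including anonymous and cross-account ones, hits the Deny.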
Single Choice
32)
A company operates in a highly regulated industry. The company stores log files in Amazon S3. Industry policy requires that the company must not delete or overwrite the log files for at least 6 months.

What should a solutions architect do to meet these requirements?

- Use a presigned URL to protect the bucket from deletion.
- Enable Amazon S3 Intelligent-Tiering.
- Configure MFA (multi-factor authentication) delete.
- Create a new bucket and enable Object Lock.
Comments: Object Lock can help prevent objects from being deleted or overwritten for a fixed amount of time or indefinitely.
Score: 0.79
Multiple Choice
33)
What tools would you use to perform a large-scale migration of an on-premises data warehouse to Amazon Redshift? (Select TWO)

- AWS Snowball Edge
- AWS SCT agent
- AWS DMS
- AWS Direct Connect
- Amazon S3
Score: 0.00
Single Choice
34)
A solutions architect has been asked to help troubleshoot a Step Functions execution of a state machine. The users are noticing that occasionally a task doesn't return a response, which creates a situation where the state machine has to be reset.

What can be added to the process flow in the state machine to help recover automatically from a stuck condition created by an un-returned result from a task?

- Create a cron job that will automatically retrigger the state machine after a certain amount of time.
- Use timeouts to avoid stuck executions.
Comments: By default, the Amazon States Language doesn't specify timeouts for state machine definitions. Without an explicit timeout, Step Functions often relies solely on a response from an activity worker to know that a task is complete. If something goes wrong and the TimeoutSeconds field isn't specified for an Activity or Task state, an execution is stuck waiting for a response that will never come.
- Create a Pass state to bypass the problem task.
- Remove the problem task from the state machine.
Score: 0.79
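The TimeoutSeconds point in the comment above is easy to check mechanically before a definition is deployed. The following is an added example, not part of the quiz: a Python lint over an Amazon States Language definition that lists Task states with no TimeoutSeconds/TimeoutSecondsPath and no HeartbeatSeconds/HeartbeatSecondsPath, recursing into Parallel branches and Map item processors, plus a helper that fills in a default. The campaign state machine, function name, queue URL and resource ARNs are constructed placeholders.

```python
"""Added example, not part of the quiz: lints an Amazon States Language
definition for Task states that can wait forever and adds a default
TimeoutSeconds. The state machine below is constructed for illustration."""
import copy

TIMEOUT_FIELDS = ("TimeoutSeconds", "TimeoutSecondsPath",
                  "HeartbeatSeconds", "HeartbeatSecondsPath")


def _is_unbounded_task(state):
    return state.get("Type") == "Task" and not any(f in state for f in TIMEOUT_FIELDS)


def _nested_machines(state):
    """Yield (label, sub-definition) for states that embed other state machines."""
    if state.get("Type") == "Parallel":
        for i, branch in enumerate(state.get("Branches", [])):
            yield f"Branches[{i}]", branch
    elif state.get("Type") == "Map":
        inner = state.get("ItemProcessor") or state.get("Iterator")
        if inner:
            yield "ItemProcessor", inner


def find_unbounded_tasks(definition, prefix=""):
    """Return the paths of Task states with neither a timeout nor a heartbeat."""
    found = []
    for name, state in definition.get("States", {}).items():
        path = prefix + name
        if _is_unbounded_task(state):
            found.append(path)
        for label, sub in _nested_machines(state):
            found.extend(find_unbounded_tasks(sub, f"{path}/{label}/"))
    return found


def with_default_timeout(definition, seconds):
    """Deep copy of the definition in which every unbounded Task gets TimeoutSeconds."""
    result = copy.deepcopy(definition)

    def walk(machine):
        for state in machine.get("States", {}).values():
            if _is_unbounded_task(state):
                state["TimeoutSeconds"] = seconds
            for _, sub in _nested_machines(state):
                walk(sub)

    walk(result)
    return result


# Constructed definition. ResizeImage is bounded and routes States.Timeout to
# a Fail state; NotifySlow uses a callback integration with no heartbeat,
# which is exactly the case that waits for a response that never comes.
CAMPAIGN = {
    "StartAt": "ResizeImage",
    "States": {
        "ResizeImage": {
            "Type": "Task",
            "Resource": "arn:aws:states:::lambda:invoke",
            "Parameters": {"FunctionName": "resize-image"},
            "TimeoutSeconds": 30,
            "Catch": [{"ErrorEquals": ["States.Timeout"], "Next": "HandleTimeout"}],
            "Next": "Publish",
        },
        "Publish": {
            "Type": "Parallel",
            "Branches": [{
                "StartAt": "NotifySlow",
                "States": {"NotifySlow": {
                    "Type": "Task",
                    "Resource": "arn:aws:states:::sqs:sendMessage.waitForTaskToken",
                    "Parameters": {"QueueUrl": "https://sqs.example/queue",
                                   "MessageBody": {"token.$": "$$.Task.Token"}},
                    "End": True}},
            }],
            "End": True,
        },
        "HandleTimeout": {"Type": "Fail", "Error": "TaskTimedOut",
                          "Cause": "Worker did not respond in time"},
    },
}

if __name__ == "__main__":
    print("unbounded:", find_unbounded_tasks(CAMPAIGN))
    print("after fix:", find_unbounded_tasks(with_default_timeout(CAMPAIGN, 300)))
```

A timeout alone turns a hang into a States.Timeout error; pair it with a Retry or Catch on that error (as ResizeImage does) so the execution recovers instead of merely failing, and prefer HeartbeatSeconds for long-running callback tasks whose worker can report progress.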
Multiple Choice
35)
Your CEO decided to migrate your data center to AWS. You are engaged as the AWS
migration specialist to create a business case and decide to use AWS Migration
Evaluator.

Which of the following are included in the business case report? (Select THREE)

- Recommendations on how to automatically convert your source servers from physical, virtual, or cloud infrastructure to run natively on AWS.
- Configuration data about your on-premises servers.
- An executive summary of the savings across a combination of scenarios applied to different workloads.
Comments: Migration Evaluator Business Case (https://aws.amazon.com/migration-evaluator/features/)
- A breakdown of what went into the on-premises costs.
- Recommendations for the customer on next steps for a successful migration.
Comments: Migration Evaluator Business Case (https://aws.amazon.com/migration-evaluator/features/)
- Recommended AWS services required for your target architecture.
Score: 0.53
Single Choice
36)
A customer application runs on a fleet of Amazon EC2 instances. The program reads from and
writes to Amazon DynamoDB. The application only needs the last 7 days of data. However,
the size of the database keeps increasing. The company needs a solution that
minimizes cost and development effort.

Which solution meets these requirements?

 Configure the application to add an attribute whose value is the current timestamp
plus 7 days to each item created in the table. Configure DynamoDB to use that
attribute as the TTL attribute.
Comments: Amazon DynamoDB Time to Live (TTL) allows you to define a
per-item timestamp to determine when an item is no longer needed.
Shortly after the date and time of the specified timestamp, DynamoDB
deletes the item from your table without consuming any write throughput.
TTL is provided at no extra cost as a means to reduce stored data volumes
by retaining only the items that remain current for your workload's needs.
 Use AWS CloudFormation to deploy the solution and re-deploy the stack every 7
days.
 Configure an Amazon DynamoDB stream to invoke an AWS Lambda function
when a new item is created. Configure the Lambda function to delete items in the
table that are older than 7 days.
 Use an Amazon EC2 instance to run a script that deletes items with a timestamp
older than 7 days.
Score: 0.79
Single Choice
37)
You recently launched a new Amazon EC2 instance into your Amazon VPC, but cannot
SSH into the instance to apply an upgrade.

What troubleshooting step should you take to ensure secure SSH traffic is allowed into
your Amazon EC2 instance?

 Configure your security group to allow inbound traffic over port 22 from 0.0.0.0/0.
 Configure your security group and network ACL to allow inbound traffic over port 22
from your company's private IP address range.
Comments: You must add rules to allow traffic through your security group.
 Configure your network ACL to allow outbound traffic over port 22 from your
company's private IP address range.
 Configure your network ACL to allow inbound traffic over port 22 from your
company's private IP address range.
Score: 0.79
Multiple Choice
38)
Which open source databases are compatible with Amazon Aurora? (Select TWO)

 Redis
 PostgreSQL
Comments: Amazon Aurora (Aurora) is a fully managed relational database
engine that's compatible with MySQL and PostgreSQL.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_A
uroraOverview.html
 SQL Server
 MySQL
Comments: Amazon Aurora (Aurora) is a fully managed relational database
engine that's compatible with MySQL and PostgreSQL.
https://docs.aws.amazon.com/AmazonRDS/latest/AuroraUserGuide/CHAP_A
uroraOverview.html
 MariaDB
Score: 0.79
Single Choice
39)
Your company has an on-premises contact center. Your CTO is looking to migrate to the
cloud to reduce operational workloads and costs.

Which AWS managed service will meet the company's requirements?

 Amazon Connect
Comments: Amazon Connect is an easy-to-use omnichannel cloud contact
center that helps you provide superior customer service at a lower cost.
 Alexa for Business
 Amazon Chime
 Amazon Monitron
Score: 0.79
Single Choice
40)
Your team is deploying a new solution on Amazon ECS. Since your team is new to the
cloud, your director wants you to use AWS provided permissions to ensure reusability
and automatic updates.

Which type of AWS provided permission policy should you use to enable principals to
create, manage, and describe Amazon EC2 Auto Scaling resources?

 Multi-factor authentication
 Managed policy
Comments: A managed policy is provided by AWS and can be attached to
multiple principal entities like groups and roles for reusability. It will also
receive updates from AWS automatically.
 Inline policy
 Custom policy
Score: 0.79
Single Choice
41)
A company is developing a highly available web application using stateless web servers.

Which service is most suitable for storing ephemeral session state data?

 Amazon ElastiCache
Comments: Amazon ElastiCache supports requests that are latency
sensitive at less than a millisecond for response times and data that is
stored in RAM is ephemeral which is ideal for storing session data.
 Storage Gateway
 Amazon DynamoDB
 Amazon S3
Score: 0.79
Single Choice
42)
A solutions architect needs to test the connectivity of different protocols, such as ICMP,
between an Amazon EC2 instance and an Internet Gateway, both in the same AWS
account.

Which service can the solutions architect use?

 VPC Flow Logs
 VPC IP Address Manager (IPAM)
 VPC Reachability Analyzer
Comments: VPC Reachability Analyzer is used to test connectivity between
two points across the various supported AWS services.
 Network Access Analyzer
Score: 0.79
Single Choice
43)
The data science team wants to efficiently run distributed training jobs using the latest
Amazon EC2 GPU-powered instances, and deploy training and inferences using open
source distribution, such as Kubeflow.

Which service is suitable for this use case?

 AWS Fargate
 AWS Elastic Beanstalk
 Amazon Elastic Kubernetes Service (EKS)
Comments: https://aws.amazon.com/eks/ (Model machine learning (ML) workflows)
 AWS CodeBuild
Score: 0.79
Multiple Choice
44)
You can configure an application to use AWS Lambda ephemeral storage.

How can you configure storage between 512MB and 10,240MB, in 1MB increments?
(Select TWO)

 AWS Lambda console
Comments: https://aws.amazon.com/lambda/faqs/ (How do I configure my application to use AWS Lambda ephemeral storage?)
 AWS Lambda API
Comments: https://aws.amazon.com/lambda/faqs/ (How do I configure my application to use AWS Lambda ephemeral storage?)
 AWS Fargate
 Amazon EventBridge
Score: 0.79
Multiple Choice
45)
You have created an Amazon RDS instance.

How can you retrieve an endpoint of the newly created instance? (Select TWO)

 Log into the Amazon RDS instance.
 Amazon RDS parameter groups.
 You must create an AWS Lambda function to retrieve the database instance
endpoint.
 AWS CLI
Comments: Once your database instance is available, you can retrieve its
endpoint via the database instance description in the AWS Management
Console, DescribeDBInstances API or describe-db-instances command.
 AWS Management Console
Comments: Once your database instance is available, you can retrieve its
endpoint via the database instance description in the AWS Management
Console, DescribeDBInstances API or describe-db-instances command.
Score: 0.79
Multiple Choice
46)
A company is building an Amazon VPC with a 10.0.0.0/16 CIDR. Two subnets need to be
created.

In the IP address design, which CIDRs can be assigned to these subnets? (Select TWO)

 10.0.0.0/32
 10.0.0.0/29
 10.0.0.0/30
 10.0.0.0/28
Comments: A subnet CIDR allowed block size is between a /28 netmask and
/16 netmask. Find more here:
https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
 10.0.0.16/27
Comments: A subnet CIDR allowed block size is between a /28 netmask and
/16 netmask. Find more here:
https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
Score: 0.79
Single Choice
47)
Your company has an internal knowledge base which has a large number of files. Thousands of
new files are added to the knowledge base every week, and once a month outdated files
are removed. The total storage requirements for the knowledge base can vary greatly
based on additions, removals and modifications of the files. The knowledge base is
accessed via a web application which runs on multiple Amazon EC2 instances behind an
Application Load Balancer. Every EC2 instance needs to access all of the files.

What is the most suitable storage solution?

 Amazon EBS
 Amazon S3
 Amazon EFS
Comments: Amazon Elastic File System (Amazon EFS) is a simple,
serverless, set-and-forget elastic file system that makes it easy to set up,
scale, and cost-optimize file storage in AWS.
 Amazon FSx for Lustre
Score: 0.79
Single Choice
48)
A healthcare company has strict security requirements and needs to make sure that
data in Amazon S3 buckets is not publicly accessible. However, one of their team
members inadvertently made a bucket publicly available. The Security team of the
company wants to implement a solution that would prevent public access to any
bucket, requiring minimal administrative effort.

What setting needs to be implemented by the Security team to achieve the
requirement?

 Implement the block public access setting at the account level.
 Implement an AWS Config rule named 's3-bucket-public-write-prohibited' which will
prevent public access to all the buckets.
 Configure an AWS Lambda function which periodically identifies any publicly
accessible buckets and remediates the issue.
 Implement the block public access setting at the bucket level.
Comments: This would result in creating policies for each bucket being
created.
Score: 0.00
Multiple Choice
49)
You have to design a hybrid network architecture for an AWS Site-to-Site VPN for
connecting to a customer's on-premises site.

What gateways can you use to make this connection? (Select TWO)

 Direct Connect Gateway
Comments: Direct Connect Gateway is not used for an AWS Site-to-Site
connection.
 Virtual Private Gateway
Comments: Virtual Private Gateway can be used for an AWS Site-to-Site
connection.
 NAT Gateway
 Internet Gateway
 Transit Gateway
Score: 0.39
Single Choice
50)
A company currently stores critical data in Amazon S3. The customer wants a
mechanism to recover individual objects to an earlier state due to overwrites.

Which of the following is the simplest way to recover the objects from overwrite?

 Configure bucket policy (Permissions -> Bucket Policy) that will Deny
s3:DeleteObject action.
 Enable versioning for Amazon S3 buckets.
Comments: For overwrites, versioning is the best option because S3 will
retain previous versions of an object whenever the object is updated
(overwritten).
 Copy Amazon S3 objects periodically to an Amazon Elastic Block Store (EBS)
volume as a backup.
 Create a snapshot of the Amazon S3 bucket.
Score: 0.79