SOA-C01 Exam Questions - Online Test



We provide accurate Amazon-Web-Services SOA-C01 practice tests, which are the best for clearing the SOA-C01 test and getting certified as an Amazon-Web-Services AWS Certified SysOps Administrator - Associate. The SOA-C01 Questions & Answers cover all the knowledge points of the real SOA-C01 exam. Crack your Amazon-Web-Services SOA-C01 exam with the latest dumps, guaranteed!

Free demo questions for Amazon-Web-Services SOA-C01 Exam Dumps Below:

NEW QUESTION 1
A user has created a web application with Auto Scaling. The user is regularly monitoring the application and has observed that the traffic is highest on Thursday and Friday between 8 AM and 6 PM. What is the best solution to handle scaling in this case?

  • A. Add a new instance manually by 8 AM Thursday and terminate the same by 6 PM Friday
  • B. Schedule Auto Scaling to scale up by 8 AM Thursday and scale down after 6 PM on Friday
  • C. Schedule a policy which may scale up every day at 8 AM and scales down by 6 PM
  • D. Configure a batch process to add an instance by 8 AM and remove it by Friday 6 PM

Answer: B

Explanation:
Auto Scaling based on a schedule allows the user to scale the application in response to predictable load changes. In this case the load increases by Thursday and decreases by Friday. Thus, the user can set up the scaling activity based on the predictable traffic patterns of the web application using Auto Scaling scale by Schedule.
http://docs.aws.amazon.com/cli/latest/reference/opsworks/set-time-based-auto-scaling.html

NEW QUESTION 2
A user has launched a Windows based EC2 instance. However, the instance has some issues and the user wants to check the log. When the user checks the Instance console output from the AWS console, what will it display?

  • A. All the event logs since instance boot
  • B. The last 10 system event log errors
  • C. The Windows instance does not support the console output
  • D. The last three system events' log errors

Answer: D

Explanation:
The AWS EC2 console provides a useful tool called Console output for problem diagnosis. It is useful to find out any kernel issues, termination reasons or service configuration issues. For a Windows instance it lists the last three system event log errors. For Linux it displays the exact console output.

NEW QUESTION 3
A user has set up a billing alarm using CloudWatch for $200. The usage of AWS exceeded $200 after some days. The user wants to increase the limit from $200 to $400. What should the user do?

  • A. Create a new alarm of $400 and link it with the first alarm
  • B. It is not possible to modify the alarm once it has crossed the usage limit
  • C. Update the alarm to set the limit at $400 instead of $200
  • D. Create a new alarm for the additional $200 amount

Answer: C

Explanation:
AWS CloudWatch supports enabling the billing alarm on the total AWS charges. The estimated charges are calculated and sent several times daily to CloudWatch in the form of metric data. This data will be stored for 14 days. This data also includes the estimated charges for every service in AWS used by the user, as well as the estimated overall AWS charges. If the user wants to increase the limit, the user can modify the alarm and specify a new threshold.

NEW QUESTION 4
A user has configured ELB with Auto Scaling. The user suspended the Auto Scaling AlarmNotification (which notifies Auto Scaling for CloudWatch alarms) process for a while. What will Auto Scaling do during this period?

  • A. AWS will not receive the alarms from CloudWatch
  • B. AWS will receive the alarms but will not execute the Auto Scaling policy
  • C. Auto Scaling will execute the policy but it will not launch the instances until the process is resumed
  • D. It is not possible to suspend the AlarmNotification process

Answer: B

Explanation:
Auto Scaling performs various processes, such as Launch, Terminate, Alarm Notification, etc. The user can also suspend individual processes. The AlarmNotification process type accepts notifications from the Amazon CloudWatch alarms that are associated with the Auto Scaling group. If the user suspends this process type, Auto Scaling will not automatically execute the scaling policies that would be triggered by the alarms.

NEW QUESTION 5
When assessing an organization's use of AWS API access credentials, which of the following three credentials should be evaluated? Choose 3 answers

  • A. Key pairs
  • B. Console passwords
  • C. Access keys
  • D. Signing certificates
  • E. Security Group memberships

Answer: ACD

Explanation:
Reference:
http://media.amazonwebservices.com/AWS_Operational_Checklists.pdf

NEW QUESTION 6
An organization has created 50 IAM users. The organization wants each user to be able to change their password but not their access keys. How can the organization achieve this?

  • A. The organization has to create a special password policy and attach it to each user
  • B. The root account owner has to use CLI which forces each IAM user to change their password on first login
  • C. By default, each IAM user can modify their passwords
  • D. The root account owner can set the policy from the IAM console under the password policy screen

Answer: D

Explanation:
With AWS IAM, organizations can use the AWS Management Console to display, create, change or delete a password policy. As a part of managing the password policy, the user can enable all users to manage their own passwords. If the user has selected the option which allows the IAM users to modify their password, he does not need to set a separate policy for the users. This option in the AWS console allows changing only the password.

NEW QUESTION 7
A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of the below mentioned statements helps the user understand detailed monitoring better?

  • A. SNS will send data every minute after configuration
  • B. There is no need to enable since SNS provides data every minute
  • C. AWS CloudWatch does not support monitoring for SNS
  • D. SNS cannot provide data every minute

Answer: D

Explanation:
CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. The AWS SNS service sends data every 5 minutes. Thus, it supports only the basic monitoring. The user cannot enable detailed monitoring with SNS.

NEW QUESTION 8
Which of the following requires a custom CloudWatch metric to monitor?

  • A. Data transfer of an EC2 instance
  • B. Disk usage activity of an EC2 instance
  • C. Memory Utilization of an EC2 instance
  • D. CPU Utilization of an EC2 instance

Answer: C

Explanation:
Reference:
http://aws.amazon.com/cloudwatch/

NEW QUESTION 9
Your organization's security policy requires that all privileged users either use frequently rotated passwords or one-time access credentials in addition to username/password.
Which two of the following options would allow an organization to enforce this policy for AWS users? Choose 2 answers

  • A. Configure multi-factor authentication for privileged IAM users
  • B. Create IAM users for privileged accounts
  • C. Implement identity federation between your organization's Identity provider leveraging the IAM Security Token Service
  • D. Enable the IAM single-use password policy option for privileged users

Answer: AB

Explanation:
See also: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
Enable MFA for privileged users
For extra security, enable multifactor authentication (MFA) for privileged IAM users (users who are allowed access to sensitive resources or APIs). With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP) and users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, it can run in an app on a smartphone).

NEW QUESTION 10
A user has created a VPC with CIDR 20.0.0.0/16 using the wizard. The user has created a public subnet CIDR (20.0.0.0/24) and VPN only subnets CIDR (20.0.1.0/24) along with the VPN gateway (vgw-12345) to connect to the user's data centre. The user's data centre has CIDR 172.28.0.0/12. The user has also set up a NAT instance (i-123456) to allow traffic to the internet from the VPN subnet. Which of the below mentioned options is not a valid entry for the main route table in this scenario?

  • A. Destination: 20.0.1.0/24 and Target: i-12345
  • B. Destination: 0.0.0.0/0 and Target: i-12345
  • C. Destination: 172.28.0.0/12 and Target: vgw-12345
  • D. Destination: 20.0.0.0/16 and Target: local

Answer: A

Explanation:
The user can create subnets as per the requirement within a VPC. If the user wants to connect the VPC from his own data centre, he can set up a public and VPN only subnet which uses hardware VPN access to connect with his data centre. When the user has configured this setup with the wizard, it will create a virtual private gateway to route all traffic of the VPN subnet. If the user has set up a NAT instance to route all the internet requests, then all requests to the internet should be routed to it. All requests to the organization's DC will be routed to the VPN gateway.
Here are the valid entries for the main route table in this scenario:
Destination: 0.0.0.0/0 & Target: i-12345 (To route all internet traffic to the NAT Instance)
Destination: 172.28.0.0/12 & Target: vgw-12345 (To route all the organization's data centre traffic to the VPN gateway)
Destination: 20.0.0.0/16 & Target: local (To allow local routing in VPC)

NEW QUESTION 11
A user has created a VPC with CIDR 20.0.0.0/16. The user has created one subnet with CIDR 20.0.0.0/16 by mistake. The user is trying to create another subnet of CIDR 20.0.0.1/24. How can the user create the second subnet?

  • A. There is no need to update the subnet as VPC automatically adjusts the CIDR of the first subnet based on the second subnet's CIDR
  • B. The user can modify the first subnet CIDR from the console
  • C. It is not possible to create a second subnet as one subnet with the same CIDR as the VPC has been created
  • D. The user can modify the first subnet CIDR with AWS CLI

Answer: D

Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user can create a subnet with VPC and launch instances inside the subnet. The user can create a subnet with the same size of VPC. However, he cannot create any other subnet since the CIDR of the second subnet will conflict with the first subnet. The user cannot modify the CIDR of a subnet once it is created. Thus, in this case if required, the user has to delete the subnet and create new subnets.

NEW QUESTION 12
A sys admin is using server side encryption with AWS S3. Which of the below mentioned statements helps the user understand the S3 encryption functionality?

  • A. The server side encryption with the user supplied key works when versioning is enabled
  • B. The user can use the AWS console, SDK and APIs to encrypt or decrypt the content for server side encryption with the user supplied key
  • C. The user must send an AES-128 encrypted key
  • D. The user can upload his own encryption key to the S3 console

Answer: A

Explanation:
AWS S3 supports client side or server side encryption to encrypt all data at rest. The server side encryption can either have the S3 supplied AES-256 encryption key or the user can send the key along with each API call to supply his own encryption key. The encryption with the user supplied key (SSE-C) does not work with the AWS console. S3 does not store the keys and the user has to send a key with each request. SSE-C works when the user has enabled versioning.

NEW QUESTION 13
A company wants to send 70% of its inbound traffic to the us-east-1 region and 30% to the us-east region under normal conditions. If all the servers go down in one of the regions, the company wants all the traffic to be re-routed to the other region.

  • A. Configure an Application Load Balancer Target Group with weighted rules and a health check enabled
  • B. Use a Network Load Balancer with sticky sessions enabled and weighted round robin with a 70/30 ratio
  • C. Create two CNAME records in Amazon Route 53 and enable dynamic traffic shaping with a 70/30 ratio
  • D. Use a Route 53 weighted routing policy with a 70/30 ratio and configure a health check

Answer: D

Explanation:
https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/resource-record-sets-values-weighted-alias.html

NEW QUESTION 14
A user has configured an HTTPS listener on an ELB. The user has not configured any security policy which can help to negotiate SSL between the client and ELB. What will ELB do in this scenario?

  • A. By default ELB will select the first version of the security policy
  • B. By default ELB will select the latest version of the policy
  • C. ELB creation will fail without a security policy
  • D. It is not required to have a security policy since SSL is already installed

Answer: B

Explanation:
Elastic Load Balancing uses a Secure Socket Layer (SSL) negotiation configuration which is known as a Security Policy. It is used to negotiate the SSL connections between a client and the load balancer. If the user has created an HTTPS/SSL listener without associating any security policy, Elastic Load Balancing will, by default, associate the latest version of the ELBSecurityPolicy-YYYY-MM with the load balancer.

NEW QUESTION 15
A user has launched two EBS backed EC2 instances in the US-East-1a region. The user wants to change the zone of one of the instances. How can the user change it?

  • A. Stop one of the instances and change the availability zone
  • B. The zone can only be modified using the AWS CLI
  • C. From the AWS EC2 console, select the Actions -> Change zones and specify new zone
  • D. Create an AMI of the running instance and launch the instance in a separate AZ

Answer: D

Explanation:
With AWS EC2, when a user is launching an instance he can select the availability zone (AZ) at the time of launch. If the zone is not selected, AWS selects it on behalf of the user. Once the instance is launched, the user cannot change the zone of that instance unless he creates an AMI of that instance and launches a new instance from it.

NEW QUESTION 16
A company is running a production application in one region and is expanding to a second region. A SysOps Administrator has copied the required Amazon Machine Images (AMIs) from the first region to the second. An IAM user can list the copied AMIs in the AWS Management Console, but when trying to launch an EC2 instance using one of the AMIs, the process fails.
What is the likely reason?

  • A. The destination AMI is corrupted because of copy process failure.
  • B. The user must first register the AMI before using it.
  • C. The AMI is stored in an encrypted Amazon Elastic Block Store (Amazon EBS) volume.
  • D. The launch permissions are not copied from the source AMI to the new AMI.

Answer: C

Explanation:
https://aws.amazon.com/blogs/security/how-to-create-a-custom-ami-with-encrypted-amazon-ebs-snapshots-and-share-it-with-other-accounts-and-regions/

NEW QUESTION 17
A user has configured a VPC with a new subnet. The user has created a security group. The user wants to allow instances of the same subnet to communicate with each other. How can the user configure this with the security group?

  • A. There is no need for a security group modification as all the instances can communicate with each other inside the same subnet
  • B. Configure the subnet as the source in the security group and allow traffic on all the protocols and ports
  • C. Configure the security group itself as the source and allow traffic on all the protocols and ports
  • D. The user has to use VPC peering to configure this

Answer: C

Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. AWS provides two features that the user can use to increase security in VPC: security groups and network ACLs. Security groups work at the instance level. If the user is using the default security group, it will have a rule which allows the instances to communicate with each other. For a new security group the user has to specify the rule, add it to define the source as the security group itself, and select all the protocols and ports for that source.

NEW QUESTION 18
A company has two AWS accounts: development and production. All applications send logs to a specific Amazon S3 bucket for each account, and the Developers are requesting access to the production account S3 buckets to view the logs.
Which is the MOST efficient way to provide the Developers with access?

  • A. Create an AWS Lambda function with an IAM role attached to it that has access to both accounts' S3 buckets. Put the logs from the production S3 bucket to the development S3 bucket
  • B. Create IAM users for each Developer on the production account and add the Developers to an IAM group that provides read-only access to the S3 log bucket
  • C. Create an Amazon EC2 bastion host with an IAM role attached to it that has access to the production S3 log bucket, and then provision access for the Developers on the host
  • D. Create a resource-based policy for the S3 bucket on the production account that grants access to the development account and then delegate the development account

Answer: B

Explanation:
https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

NEW QUESTION 19
A user has created a subnet with VPC and launched an EC2 instance in that subnet with only default settings. Which of the below mentioned options is ready to use on the EC2 instance as soon as it is launched?

  • A. Elastic IP
  • B. Private IP
  • C. Public IP
  • D. Internet gateway

Answer: B

Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to a user's AWS account. A subnet is a range of IP addresses in the VPC. The user can launch the AWS resources into a subnet. There are two supported platforms into which a user can launch instances: EC2-Classic and EC2-VPC. When the user launches an instance which is not a part of the non-default subnet, it will only have a private IP assigned to it. The instances part of a subnet can communicate with each other but cannot communicate over the internet or to the AWS services, such as RDS / S3.

NEW QUESTION 20
What are characteristics of Amazon S3? Choose 2 answers

  • A. Objects are directly accessible via a URL
  • B. S3 should be used to host a relational database
  • C. S3 allows you to store objects of virtually unlimited size
  • D. S3 allows you to store virtually unlimited amounts of data
  • E. S3 offers Provisioned IOPS

Answer: AD

NEW QUESTION 21
A user is trying to create a PIOPS EBS volume with 4000 IOPS and 100 GB size. AWS does not allow the user to create this volume. What is the possible root cause for this?

  • A. The ratio between IOPS and the EBS volume is higher than 30
  • B. The maximum IOPS supported by EBS is 3000
  • C. The ratio between IOPS and the EBS volume is lower than 50
  • D. PIOPS is supported for EBS higher than 500 GB size

Answer: A

Explanation:
A provisioned IOPS EBS volume can range in size from 10 GB to 1 TB and the user can provision up to 4000 IOPS per volume. The ratio of IOPS provisioned to the volume size requested should be a maximum of 30; for example, a volume with 3000 IOPS must be at least 100 GB.

NEW QUESTION 22
An errant process is known to use an entire processor and run at 100%. A SysOps Administrator wants to automate restarting the instance once the problem occurs for more than minutes.
How can this be accomplished?

  • A. Create an Amazon CloudWatch alarm for the Amazon EC2 instance with basic monitoring. Enable an action to restart the instance
  • B. Create a CloudWatch alarm for the EC2 instance with detailed monitoring. Enable an action to restart the instance
  • C. Create an AWS Lambda function to restart the EC2 instance triggered on a scheduled basis every 2 minutes
  • D. Create a Lambda function to start the EC2 instance triggered by EC2 health

Answer: D

Explanation:
You can use CloudWatch Events to trigger an AWS Lambda function to start and stop your EC2 instances at scheduled intervals.
Note: This article provides an example for a simple solution. For a more robust solution, see AWS Instance Scheduler.
Resolution
CloudWatch Events allows you to create an event that is triggered at a specified time or interval in response to events that take place in your account. For example, you can create an event using CloudWatch Events for a specific time of day, or you can create an alarm when CPU utilization for an instance reaches a specific threshold. You can also configure a Lambda function to start and stop instances when triggered by these events.
In this example, we use Lambda functions to start and stop EC2 instances, and then we use CloudWatch Events to start instances in the morning and stop the instances at night.
1. Open the AWS Lambda console, and choose Create function.
2. Choose Author from scratch.
3. Enter a Name for your function, such as "StopEC2Instances."
4. From the Runtime drop-down menu, choose Python 2.7.
5. Expand the Role drop-down menu, and then choose Create a custom role. This opens a new tab or window in your browser.
6. In the IAM Role drop-down menu, choose Create a new IAM Role, and enter a Role Name, such as "lambda_start_stop_ec2."
7. Expand View Policy Document, choose Edit, and then choose Ok when prompted to read the documentation.

NEW QUESTION 23
A user has created a VPC with public and private subnets using the VPC wizard. The user has not launched any instance manually and is trying to delete the VPC. What will happen in this scenario?

  • A. It will not allow the VPC to be deleted as it has subnets with route tables
  • B. It will not allow the VPC to be deleted since it has a running route instance
  • C. It will terminate the VPC along with all the instances launched by the wizard
  • D. It will not allow the VPC to be deleted since it has a running NAT instance

Answer: D

Explanation:
A Virtual Private Cloud (VPC) is a virtual network dedicated to the user's AWS account. A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public and private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with the wizard, AWS will create a NAT instance with an elastic IP. If the user is trying to delete the VPC, AWS will not allow it as the NAT instance is still running.

NEW QUESTION 24
What would happen to an RDS (Relational Database Service) multi-Availability Zone deployment if the primary DB instance fails?

  • A. The IP of the primary DB Instance is switched to the standby DB Instance.
  • B. A new DB instance is created in the standby availability zone.
  • C. The canonical name record (CNAME) is changed from primary to standby.
  • D. The RDS (Relational Database Service) DB instance reboots.

Answer: D

Explanation:
Reference:
http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_RebootInstance.html
