Q1. A user is enabling logging on a particular bucket. Which of the below mentioned options may be best suitable to allow access to the log bucket?
A. Create an IAM policy and allow log access
B. It is not possible to enable logging on the S3 bucket
C. Create an IAM Role which has access to the log bucket
D. Provide ACL for the logging group
Answer: D
Explanation:
The only recommended use case for the S3 bucket ACL is to grant the write permission to the Amazon S3 Log Delivery group to write access log objects to the user’s bucket.
Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/access-policy-alternatives-guidelines.html
Q2. How long are the messages kept on an SQS queue by default?
A. If a message is not read, it is never deleted
B. 2 weeks
C. 1 day
D. 4 days
Answer: D
Explanation:
The SQS message retention period is configurable and can be set anywhere from 1 minute to 2 weeks. The default is 4 days, and once the message retention limit is reached your messages will be automatically deleted. The option for longer message retention provides greater flexibility to allow for longer intervals between message production and consumption.
Reference: https://aws.amazon.com/sqs/faqs/
Q3. A user is planning to make a mobile game which can be played online or offline and will be hosted on EC2.
The user wants to ensure that if someone breaks the highest score or they achieve some milestone they can inform all their colleagues through email. Which of the below mentioned AWS services helps achieve this goal?
A. AWS Simple Workflow Service.
B. AWS Simple Queue Service.
C. Amazon Cognito
D. AWS Simple Email Service.
Answer: D
Explanation:
Amazon Simple Email Service (Amazon SES) is a highly scalable and cost-effective email-sending service for businesses and developers. It integrates with other AWS services, making it easy to send emails from applications that are hosted on AWS.
Reference: http://aws.amazon.com/ses/faqs/
Q4. A user is accessing an EC2 instance on the SSH port from IP 10.20.30.40. Which one is a secure way to configure that the instance can be accessed only from this IP?
A. In the security group, open port 22 for IP 10.20.30.40/0
B. In the security group, open port 22 for IP 10.20.30.40/32
C. In the security group, open port 22 for IP 10.20.30.40/24
D. In the security group, open port 22 for IP 10.20.30.40
Answer: B
Explanation:
In AWS EC2, while configuring a security group, the user needs to specify the IP address in CIDR notation. The CIDR IP range 10.20.30.40/32 means it covers only the single IP 10.20.30.40. If the user specifies the IP as 10.20.30.40 only, the security group will not accept it and will ask for it in CIDR format.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html
Q5. You cannot access your AWS console, so you revert to using the CLI that you are not familiar with. Which of the following commands is not a valid CLI command for EC2 instances?
A. ec2-allocate-address
B. ec2-attach-internet-gateway
C. ec2-associate-route-table
D. ec2-allocate-interface
Answer: D
Explanation:
You can use the CLI tools to manage your Amazon EC2 resources (such as instances, security groups, and volumes) and your Amazon VPC resources (such as VPCs, subnets, route tables, and Internet gateways). Before you can start using the tools, you must download and configure them.
The following are valid CLI commands for EC2 instances:
ec2-accept-vpc-peering-connection
ec2-allocate-address
ec2-assign-private-ip-addresses
ec2-associate-address
ec2-associate-dhcp-options
ec2-associate-route-table
ec2-attach-internet-gateway
ec2-attach-network-interface (not ec2-allocate-interface)
Reference: http://docs.aws.amazon.com/AWSEC2/latest/CommandLineReference/command-reference.html
Q6. A user has enabled server-side encryption with S3. The user downloads the encrypted object from S3. How can the user decrypt it?
A. S3 does not support server side encryption
B. S3 provides a server side key to decrypt the object
C. The user needs to decrypt the object using their own private key
D. S3 manages encryption and decryption automatically
Answer: D
Explanation:
If the user is using the server-side encryption feature, Amazon S3 encrypts the object data before saving it on disks in its data centres and decrypts it when the user downloads the objects. Thus, the user is free from the tasks of managing encryption, encryption keys, and related tools.
Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/UsingEncryption.html
Q7. A user has set up Multi AZ with the MS SQL RDS instance. Which of the below mentioned functionalities can be achieved by the user?
A. High availability
B. Scalability
C. MS SQL does not support Multi AZ
D. Disaster recovery
Answer: C
Explanation:
The Multi AZ feature allows the user to achieve High Availability. MS SQL does not support Multi AZ.
Reference: https://aws.amazon.com/rds/faqs/#36
Q8. A user is trying to find the state of an S3 bucket with respect to versioning. Which of the below mentioned states AWS will not return when queried?
A. versioning-enabled
B. versioning-suspended
C. unversioned
D. versioned
Answer: D
Explanation:
S3 buckets can be in one of three states: unversioned (the default), versioning-enabled or versioning-suspended. The bucket owner can configure the versioning state of a bucket. The versioning state applies to all (never some) of the objects in that bucket. The first time the owner enables a bucket for versioning, objects in it are thereafter always versioned and given a unique version ID.
Reference: http://docs.aws.amazon.com/AmazonS3/latest/dev/Versioning.html
Q9. A user has set up an application on EC2 which uses the IAM user access key and secret access key to make secure calls to S3. The user wants to temporarily stop the access to S3 for that IAM user. What should the root owner do?
A. Delete the IAM user
B. Change the access key and secret access key for the users
C. Disable the access keys for the IAM user
D. Stop the instance
Answer: C
Explanation:
If the user wants to temporarily stop the access to S3, the best solution is to disable the keys. Deleting the user will result in a loss of all the credentials and the app will not be usable in the future. If the user stops the instance, the IAM user can still access S3. Changing the keys does not help either, as the new keys are still active. The best possible solution is to disable the keys.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/ManagingCredentials.html
Q10. An organization has hosted an application on the EC2 instances. There will be multiple users connecting to the instance for setup and configuration of the application. The organization is planning to implement certain security best practices. Which of the below mentioned pointers will not help the organization achieve a better security arrangement?
A. Apply the latest patch of OS and always keep it updated.
B. Allow only IAM users to connect with the EC2 instances with their own secret access key.
C. Disable the password based login for all the users. All the users should use their own keys to connect with the instance securely.
D. Create a procedure to revoke the access rights of the individual user when they are not required to connect to the EC2 instance anymore for the purpose of application configuration.
Answer: B
Explanation:
Since AWS is a public cloud, any application hosted on EC2 is prone to hacker attacks. It becomes extremely important for a user to set up a proper security mechanism on the EC2 instances. A few of the security measures are listed below:
Always keep the OS updated with the latest patch
Always create separate users within the OS if they need to connect with the EC2 instances, create their keys and disable their password
Create a procedure using which the admin can revoke the access of the user when the business work on the EC2 instance is completed
Lock down unnecessary ports
Audit any proprietary applications that the user may be running on the EC2 instance
Provide temporary escalated privileges, such as sudo, for users who need to perform occasional privileged tasks
IAM is useful when users are required to work with AWS resources and actions, such as launching an instance. It is not useful for connecting (RDP / SSH) to an instance.
Reference: http://aws.amazon.com/articles/1233/
Q11. A user is launching an AWS RDS instance with MySQL. The user wants to enable the Multi AZ feature. Which of the below mentioned parameters will RDS not allow the user to configure?
A. Availability Zone
B. Region
C. DB subnet group
D. Database port
Answer: A
Explanation:
If the user is launching RDS with Multi AZ, the user cannot choose the Availability Zone. RDS selects it automatically instead.
Reference: https://console.aws.amazon.com/rds/
Q12. A user is planning to host a scalable dynamic web application on AWS. Which of the services may not be required by the user to achieve automated scalability?
A. CloudWatch
B. S3
C. Auto Scaling
D. AWS EC2 instances
Answer: B
Explanation:
The user can achieve automated scaling by launching different EC2 instances and making them a part of an ELB. CloudWatch will be used to monitor the resources and, based on the scaling need, it will trigger policies. Auto Scaling is then used to scale up or down the instances.
Reference: http://docs.aws.amazon.com/AutoScaling/latest/DeveloperGuide/WhatIsAutoScaling.html
Q13. An organization is hosting an application as part of the free usage tier. The organization wants to create IAM users for each of its 150 employees, and they may access AWS as part of the free usage tier. What will you advise the organization?
A. The IAM is not available as a part of the free usage tier
B. Create IAM roles and give access based on role since it will not cost the user
C. Do not create more than 100 users as it will cost the organization.
D. Create IAM users for each employee as it does not cost
Answer: D
Explanation:
IAM is a free service. You can create as many IAM users or groups as desired free of cost.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.html
Q14. An organization has an application which can start and stop an EC2 instance as per schedule. The organization needs the MAC address of the instance to be registered with its software. The instance is launched in EC2-CLASSIC. How can the organization update the MAC registration every time an instance is booted?
A. The instance MAC address never changes. Thus, it is not required to register the MAC address every time.
B. The organization should write a bootstrapping script which will get the MAC address from the instance metadata and use that script to register with the application.
C. AWS never provides a MAC address to an instance; instead the instance ID is used for identifying the instance for any software registration.
D. The organization should provide a MAC address as a part of the user data. Thus, whenever the instance is booted the script assigns the fixed MAC address to that instance.
Answer: B
Explanation:
AWS provides an on demand, scalable infrastructure. AWS EC2 allows the user to launch On-Demand instances. AWS does not provide a fixed MAC address to the instances launched in EC2-CLASSIC. If the instance is launched as a part of EC2-VPC, it can have an ENI which can have a fixed MAC. However, with EC2-CLASSIC, every time the instance is started or stopped it will have a new MAC address.
To get this MAC, the organization can run a script on boot which fetches the instance metadata and reads the MAC address from it. Once the MAC is received, the organization can register that MAC with the software.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html
Q15. How does Amazon SQS allow multiple readers to access the same message queue without losing messages or processing them many times?
A. By identifying a user by his unique id
B. By using unique cryptography
C. Amazon SQS queue has a configurable visibility timeout.
D. Multiple readers can't access the same message queue
Answer: C
Explanation:
Every Amazon SQS queue has a configurable visibility timeout. For the designated amount of time after a message is read from a queue, it will not be visible to any other reader. As long as the amount of time that it takes to process the message is less than the visibility timeout, every message will be processed and deleted. In the event that the component processing the message fails or becomes unavailable, the message will again become visible to any component reading the queue once the visibility timeout ends. This allows you to have many components all reading messages from the same queue, with each working to process different messages.
Reference: https://aws.amazon.com/sqs/faqs/