Q1. An orgAMzation is setting up their website on AWS. The orgAMzation is working on various security measures to be performed on the AWS EC2 instances. Which of the below mentioned security mechAMsms will not help the orgAMzation to avoid future data leaks and identify security weaknesses?
A. Perform SQL injection for application testing.
B. Run penetration testing on AWS with prior approval from Amazon.
C. Perform a hardening test on the AWS instance.
D. Perform a Code Check for any memory leaks.
Answer: D
Explanation:
AWS security follows the shared security model where the user is as much responsible as Amazon. Since Amazon is a public cloud it is bound to be targeted by hackers. If an orgAMzation is planning to host their application on AWS EC2, they should perform the below mentioned security checks as a measure to find any security weakness/data leaks:
Perform penetration testing as performed by attackers to find any vulnerability. The orgAMzation must take an approval from AWS before performing penetration testing
Perform hardening testing to find if there are any unnecessary ports open Perform SQL injection to find any DB security issues
The code memory checks are generally useful when the orgAMzation wants to improve the application performance.
Reference: http://aws.amazon.com/security/penetration-testing/
Q2. A user is planning to host MS SQL on an EBS volume. It was recommended to use the AWS RDS. What advantages will the user have if he uses RDS in comparison to an EBS based DB?
A. Better throughput with PIOPS
B. Automated backup
C. NIS SQL is not supported with RDS
D. High availability with multi AZs
Answer: B
Explanation:
Comparing with on-premises or EC2 based NIS SQL, RDS provides an automated backup feature. PIOPS is available with both RDS and EBS. However, HA is not available with NIS SQL.
Reference: https://aws.amazon.com/rds/faqs/
Q3. A user is planning to host a web server as well as an app server on a single EC2 instance which is a part of the public subnet of a VPC. How can the user setup to have two separate public IPs and separate security groups for both the application as well as the web server?
A. Launch a VPC instance with two network interfaces. Assign a separate security group to each and AWS will assign a separate public IP to them.
B. Launch VPC with two separate subnets and make the instance a part of both the subnets.
C. Launch a VPC instance with two network interfaces. Assign a separate security group and elastic IP to them.
D. Launch a VPC with ELB such that it redirects requests to separate VPC instances of the public subnet.
Answer: C
Explanation:
If you need to host multiple websites(with different IPs) on a single EC2 instance, the following is the suggested method from AWS.
Launch a VPC instance with two network interfaces
Assign elastic IPs from VPC EIP pool to those interfaces (Because, when the user has attached more than one network interface with an instance, AWS cannot assign public IPs to them.)
Assign separate Security Groups if separate Security Groups are needed
This scenario also helps for operating network appliances, such as firewalls or load balancers that have multiple private IP addresses for each network interface.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/MuItipIeIP.html
Q4. An orgAMzation is having an application which can start and stop an EC2 instance as per schedule. The orgAMzation needs the MAC address of the instance to be registered with its software. The instance is launched in EC2-CLASSIC. How can the orgAMzation update the MAC registration every time an instance is booted?
A. The instance MAC address never changes. Thus, it is not required to register the MAC address every time.
B. The orgAMzation should write a boot strapping script which will get the MAC address from the instance metadata and use that script to register with the application.
C. AWS never provides a MAC address to an instance; instead the instance ID is used for identifying the instance for any software registration.
D. The orgAMzation should provide a MAC address as a part of the user data. Thus, whenever the instance is booted the script assigns the fixed MAC address to that instance.
Answer: B
Explanation:
AWS provides an on demand, scalable infrastructure. AWS EC2 allows the user to launch On-Demand instances. AWS does not provide a fixed MAC address to the instances launched in EC2-CLASSIC. If the instance is launched as a part of EC2-VPC, it can have an ENI which can have a fixed MAC. However, with EC2-CLASSIC, every time the instance is started or stopped it will have a new MAC address.
To get this MAC, the orgAMzation can run a script on boot which can fetch the instance metadata and get the MAC address from that instance metadata. Once the MAC is received, the orgAMzation can register that MAC with the software.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html
Q5. How long can you keep your Amazon SQS messages in Amazon SQS queues?
A. From 120 secs up to 4 weeks
B. From 10 secs up to 7 days
C. From 60 secs up to 2 weeks
D. From 30 secs up to 1 week
Answer: C
Explanation:
The SQS message retention period is configurable and can be set anywhere from 1 minute to 2 weeks. The default is 4 days and once the message retention limit is reached your messages will be automatically deleted. The option for longer message retention provides greater filexibility to allow for longer intervals between message production and consumption.
Reference: https://aws.amazon.com/sqs/faqs/
Q6. Is it possible to create an S3 bucket accessible only by a certain IAM user, using policies in a C|oudFormation template?
A. No, you can only create the S3 bucket but not the IAM user.
B. S3 is not supported by CIoudFormation.
C. Yes, all these resources can be created using a CIoudFormation template
D. No, in the same template you can only create the S3 bucket and the realtive policy.
Answer: C
Explanation:
With AWS Identity and Access Management (IAM), you can create IAM users to control who has access to which resources in your AWS account. You can use IAM with AWS CIoudFormation to control what AWS CIoudFormation actions users can perform, such as view stack templates, create stacks, or delete stacks.
In addition to AWS CIoudFormation actions, you can manage what AWS services and resources are available to each user.
Q7. What happens if your application performs more reads or writes than your provisioned capacity?
A. Nothing
B. requests above your provisioned capacity will be performed but you will receive 400 error codes.
C. requests above your provisioned capacity will be performed but you will receive 200 error codes.
D. requests above your provisioned capacity will be throttled and you will receive 400 error codes.
Answer: D
Explanation:
Speaking about DynamoDB, if your application performs more reads/second or writes/second than your tabIe’s provisioned throughput capacity allows, requests above your provisioned capacity will be throttled and you will receive 400 error codes.
Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/ProvisionedThroughputlntro.htmI
Q8. A user has created a blank EBS volume in the US-East-1 region. The user is unable to attach the volume to a running instance in the same region. What could be the possible reason for this?
A. The instance must be in a running state. It is required to stop the instance to attach volume
B. The AZ for the instance and volume are different
C. The instance is from an instance store backed AMI
D. The instance has enabled the volume attach protection
Answer: B
Explanation:
An EBS volume provides persistent data storage. The user can attach a volume to any instance provided they are both in the same AZ. Even if they are in the same region but in a different AZ, it will not be able to attach the volume to that instance.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AmazonEBS.htmI
Q9. A user has launched an EC2 instance. However, due to some reason the instance was terminated. If the user wants to find out the reason for termination, where can he find the details?
A. The user can get information from the AWS console, by checking the Instance description under the State transition reason label
B. The user can get information from the AWS console, by checking the Instance description under the Instance Termination reason label
C. The user can get information from the AWS console, by checking the Instance description under the Instance Status Change reason label
D. It is not possible to find the details after the instance is terminated
Answer: A
Explanation:
An EC2 instance, once terminated, may be available in the AWS console for a while after termination. The user can find the details about the termination from the description tab under the label State transition reason. If the instance is still running, there will be no reason listed. If the user has explicitly stopped or terminated the instance, the reason will be "User initiated shutdown".
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_|nstanceStraightToTerminated.html
Q10. In DynamoDB, to get a detailed listing of secondary indexes on a table, you can use the action.
A. DescribeTabIe
B. BatchGetItem
C. Getltem
D. TabIeName
Answer: A
Explanation:
In DynamoDB, DescribeTab|e returns information about the table, including the current status ofthe table, when it was created, the primary key schema, and any indexes on the table.
Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Secondarylndexes.htmI
Q11. When AutoScaIing is launching a new instance based on condition, which of the below mentioned policies will it follow?
A. Based on the criteria defined with cross zone Load balancing
B. Launch an instance which has the highest load distribution
C. Launch an instance in the AZ with the fewest instances
D. Launch an instance in the AZ which has the highest instances
Answer: C
Explanation:
AutoScaIing attempts to distribute instances evenly between the Availability Zones that are enabled for the user’s AutoScaIing group. Auto Scaling does this by attempting to launch new instances in the Availability Zone with the fewest instances.
Reference:http://docs.aws.amazon.com/AutoScaIing/latest/Deve|operGuide/AS_Concepts.htmI
Q12. A user has set an IAM policy where it allows all requests if a request from IP 10.10.10.1/32. Another policy allows all the requests between 5 PM to 7 PM. What will happen when a user is requesting access from IP 10.10.10.1/32 at 6 PM?
A. IAM will throw an error for policy conflict
B. It is not possible to set a policy based on the time or IP
C. It will deny access
D. It will allow access
Answer: D
Explanation:
With regard to IAM, when a request is made, the AWS service decides whether a given request should be allowed or denied. The evaluation logic follows these rules:
By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.)
An explicit allow policy overrides this default. An explicit deny policy overrides any allows. Reference:
http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPoIicyLanguage_EvaIuationLogic.htmI
Q13. A user has launched a MySQL RDS. The user wants to plan for the DR and automate the snapshot. Which of the below mentioned functionality offers this option with RDS?
A. Copy snapshot
B. Automated synchronization
C. Snapshot
D. Automated backup
Answer: D
Explanation:
Amazon RDS provides two different methods for backing up and restoring the Amazon DB instances: automated backups and DB snapshots. Automated backups automatically back up the DB instance during a specific, user-definable backup window, and keep the backups for a limited, user-specified period of time.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.BackingUpAndRestoringAmazonR DSInstances.htmI
Q14. In relation to Amazon SQS, how many queues and messages can you have per queue for each user?
A. Unlimited
B. 10
C. 256
D. 500
Answer: A
Explanation:
Amazon SQS supports an unlimited number of queues and unlimited number of messages per queue for each user. Please be aware that Amazon SQS automatically deletes messages that have been in the queue for more than 4 days.
Reference: https://aws.amazon.com/items/1343?externaIID=1343
Q15. An orgAMzation has 20 employees. The orgAMzation wants to give all the users access to the orgAMzation AWS account. Which of the below mentioned options is the right solution?
A. Share the root credentials with all the users
B. Create an IAM user for each employee and provide access to them
C. It is not advisable to give AWS access to so many users
D. Use the IAM role to allow access based on STS
Answer: B
Explanation:
AWS Identity and Access Management is a web service that enables the AWS customers to manage users and user permissions in AWS. The IAM is targeted at orgAMzations with multiple users or systems that use AWS products such as Amazon EC2, Amazon RDS, and the AWS Management Console. With IAM, the orgAMzaiton can centrally manage users, security credentials such as access keys, and permissions that control which AWS resources users can access.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_Introduction.htm|