Q1. Your company policies require encryption of sensitive data at rest. You are considering the possible options for protecting data while storing it at rest on an EBS data volume, attached to an EC2 instance. Which of these options would allow you to encrypt your data at rest? (Choose 3 answers)
A. Implement third party volume encryption tools
B. Do nothing as EBS volumes are encrypted by default
C. Encrypt data inside your applications before storing it on EBS
D. Encrypt data using native data encryption drivers at the file system level
E. Implement SSL/TLS for all services running on the server
Answer: A, C, D
Q2. You have been given a scope to set up an AWS Media Sharing Framework for a new start-up photo sharing company similar to Flickr. The first thing that comes to mind about this is that it will obviously need a huge amount of persistent data storage for this framework. Which of the following storage options would be appropriate for persistent storage?
A. Amazon Glacier or Amazon S3
B. Amazon Glacier or AWS Import/Export
C. AWS Import/Export or Amazon CloudFront
D. Amazon EBS volumes or Amazon S3
Answer: D
Explanation:
Persistent storage: If you need persistent virtual disk storage similar to a physical disk drive for files or other data that must persist longer than the lifetime of a single Amazon EC2 instance, Amazon EBS volumes or Amazon S3 are more appropriate.
Reference: http://media.amazonwebservices.com/AWS_Storage_Options.pdf
Q3. A user is making a scalable web application with compartmentalization. The user wants the log module to be able to be accessed by all the application functionalities in an asynchronous way. Each module of the application sends data to the log module, and based on the resource availability it will process the logs. Which AWS service helps this functionality?
A. AWS Simple Queue Service.
B. AWS Simple Notification Service.
C. AWS Simple Workflow Service.
D. AWS Simple Email Service.
Answer: A
Explanation:
Amazon Simple Queue Service (SQS) is a highly reliable distributed messaging system for storing messages as they travel between computers. By using Amazon SQS, developers can simply move data between distributed application components. It is used to achieve compartmentalization or loose coupling. In this case all the modules will send a message to the logger queue and the data will be processed by queue as per the resource availability.
Reference: http://media.amazonwebservices.com/AWS_Building_Fault_Tolerant_Applications.pdf
Q4. In AWS CloudHSM, in addition to the AWS recommendation that you use two or more HSM appliances in a high-availability configuration to prevent the loss of keys and data, you can also perform a remote backup/restore of a Luna SA partition if you have purchased a:
A. Luna Restore HSM.
B. Luna Backup HSM.
C. Luna HSM.
D. Luna SA HSM.
Answer: B
Explanation:
In AWS CloudHSM, you can perform a remote backup/restore of a Luna SA partition if you have purchased a Luna Backup HSM.
Reference: http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloud-hsm-backup-restore.html
Q5. My Read Replica appears "stuck" after a Multi-AZ failover and is unable to obtain or apply updates from the source DB Instance. What do I do?
A. You will need to delete the Read Replica and create a new one to replace it.
B. You will need to disassociate the DB Engine and re-associate it.
C. The instance should be deployed to Single-AZ and then moved to Multi-AZ once again.
D. You will need to delete the DB Instance and create a new one to replace it.
Answer: A
Q6. You decide that you need to create a number of Auto Scaling groups to try and save some money as you have noticed that at certain times most of your EC2 instances are not being used. By default, what is the maximum number of Auto Scaling groups that AWS will allow you to create?
A. 12
B. Unlimited
C. 20
D. 2
Answer: C
Explanation:
Auto Scaling is an AWS service that allows you to increase or decrease the number of EC2 instances within your application's architecture. With Auto Scaling, you create collections of EC2 instances, called Auto Scaling groups. You can create these groups from scratch, or from existing EC2 instances that are already in production.
Reference: http://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_autoscaling
Q7. Your system recently experienced down time during the troubleshooting process. You found that a new administrator mistakenly terminated several production EC2 instances.
Which of the following strategies will help prevent a similar situation in the future? The administrator still must be able to:
- launch, start, stop, and terminate development resources.
- launch and start production instances.
A. Create an IAM user, which is not allowed to terminate instances by leveraging production EC2 termination protection.
B. Leverage resource based tagging along with an IAM user, which can prevent specific users from terminating production EC2 resources.
C. Leverage EC2 termination protection and multi-factor authentication, which together require users to authenticate before terminating EC2 instances
D. Create an IAM user and apply an IAM role which prevents users from terminating production EC2 instances.
Answer: B
Explanation:
Working with volumes
When an API action requires a caller to specify multiple resources, you must create a policy statement that allows users to access all required resources. If you need to use a Condition element with one or more of these resources, you must create multiple statements as shown in this example.
The following policy allows users to attach volumes with the tag "volume_user=iam-user-name" to instances with the tag "department=dev", and to detach those volumes from those instances. If you attach this policy to an IAM group, the aws:username policy variable gives each IAM user in the group permission to attach or detach volumes from the instances with a tag named volume_user that has his or her IAM user name as a value.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
    "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
    "Condition": {
      "StringEquals": {
        "ec2:ResourceTag/department": "dev"
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
    "Resource": "arn:aws:ec2:us-east-1:123456789012:volume/*",
    "Condition": {
      "StringEquals": {
        "ec2:ResourceTag/volume_user": "${aws:username}"
      }
    }
  }]
}
Launching instances (RunInstances)
The RunInstances API action launches one or more instances. RunInstances requires an AMI and creates an instance, and users can specify a key pair and security group in the request. Launching into EC2-VPC requires a subnet, and creates a network interface. Launching from an Amazon EBS-backed AMI creates a volume. Therefore, the user must have permission to use these Amazon EC2 resources. The caller can also configure the instance using optional parameters to RunInstances, such as the instance type and a subnet. You can create a policy statement that requires users to specify an optional parameter, or restricts users to particular values for a parameter. The examples in this section demonstrate some of the many possible ways that you can control the configuration of an instance that a user can launch.
Note that by default, users don't have permission to describe, start, stop, or terminate the resulting instances. One way to grant the users permission to manage the resulting instances is to create a specific tag for each instance, and then create a statement that enables them to manage instances with that tag. For more information, see 2: Working with instances.
a. AMI
The following policy allows users to launch instances using only the AMIs that have the specified tag, "department=dev", associated with them. The users can't launch instances using other AMIs because the Condition element of the first statement requires that users specify an AMI that has this tag. The users also can't launch into a subnet, as the policy does not grant permissions for the subnet and network interface resources. They can, however, launch into EC2-Classic. The second statement uses a wildcard to enable users to create instance resources, and requires users to specify the key pair project_keypair and the security group sg-1a2b3c4d. Users are still able to launch instances without a key pair.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:region::image/ami-*"],
    "Condition": {
      "StringEquals": {
        "ec2:ResourceTag/department": "dev"
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:region:account:instance/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region:account:key-pair/project_keypair",
      "arn:aws:ec2:region:account:security-group/sg-1a2b3c4d"
    ]
  }]
}
Alternatively, the following policy allows users to launch instances using only the specified AMIs, ami-9e1670f7 and ami-45cf5c3c. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so), and the users can't launch an instance into a subnet.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:region::image/ami-9e1670f7",
      "arn:aws:ec2:region::image/ami-45cf5c3c",
      "arn:aws:ec2:region:account:instance/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region:account:key-pair/*",
      "arn:aws:ec2:region:account:security-group/*"
    ]
  }]
}
Alternatively, the following policy allows users to launch instances from all AMIs owned by Amazon. The Condition element of the first statement tests whether ec2:Owner is amazon. The users can't launch an instance using other AMIs (unless another statement grants the users permission to do so).
The users are able to launch an instance into a subnet.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:region::image/ami-*"],
    "Condition": {
      "StringEquals": {
        "ec2:Owner": "amazon"
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:region:account:instance/*",
      "arn:aws:ec2:region:account:subnet/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region:account:network-interface/*",
      "arn:aws:ec2:region:account:key-pair/*",
      "arn:aws:ec2:region:account:security-group/*"
    ]
  }]
}
b. Instance type
The following policy allows users to launch instances using only the t2.micro or t2.small instance type, which you might do to control costs. The users can't launch larger instances because the Condition element of the first statement tests whether ec2:InstanceType is either t2.micro or t2.small.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:region:account:instance/*"],
    "Condition": {
      "StringEquals": {
        "ec2:InstanceType": ["t2.micro", "t2.small"]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:region::image/ami-*",
      "arn:aws:ec2:region:account:subnet/*",
      "arn:aws:ec2:region:account:network-interface/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region:account:key-pair/*",
      "arn:aws:ec2:region:account:security-group/*"
    ]
  }]
}
Alternatively, you can create a policy that denies users permission to launch any instances except t2.micro and t2.small instance types.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:region:account:instance/*"],
    "Condition": {
      "StringNotEquals": {
        "ec2:InstanceType": ["t2.micro", "t2.small"]
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:region::image/ami-*",
      "arn:aws:ec2:region:account:network-interface/*",
      "arn:aws:ec2:region:account:instance/*",
      "arn:aws:ec2:region:account:subnet/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region:account:key-pair/*",
      "arn:aws:ec2:region:account:security-group/*"
    ]
  }]
}
c. Subnet
The following policy allows users to launch instances using only the specified subnet, subnet-12345678. The group can't launch instances into any other subnet (unless another statement grants the users permission to do so). Users are still able to launch instances into EC2-Classic.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:region:account:subnet/subnet-12345678",
      "arn:aws:ec2:region:account:network-interface/*",
      "arn:aws:ec2:region:account:instance/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region::image/ami-*",
      "arn:aws:ec2:region:account:key-pair/*",
      "arn:aws:ec2:region:account:security-group/*"
    ]
  }]
}
Alternatively, you could create a policy that denies users permission to launch an instance into any other subnet. The statement does this by denying permission to create a network interface, except where subnet subnet-12345678 is specified. This denial overrides any other policies that are created to allow launching instances into other subnets. Users are still able to launch instances into EC2-Classic.
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": ["arn:aws:ec2:region:account:network-interface/*"],
    "Condition": {
      "ArnNotEquals": {
        "ec2:Subnet": "arn:aws:ec2:region:account:subnet/subnet-12345678"
      }
    }
  },
  {
    "Effect": "Allow",
    "Action": "ec2:RunInstances",
    "Resource": [
      "arn:aws:ec2:region::image/ami-*",
      "arn:aws:ec2:region:account:network-interface/*",
      "arn:aws:ec2:region:account:instance/*",
      "arn:aws:ec2:region:account:subnet/*",
      "arn:aws:ec2:region:account:volume/*",
      "arn:aws:ec2:region:account:key-pair/*",
      "arn:aws:ec2:region:account:security-group/*"
    ]
  }]
}
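The quoted documentation shows tag-based conditions for volumes and RunInstances but not the policy that actually answers Q7, so here is one as an added example (not from the page or the AWS documentation): dev-tagged instances may be started, stopped and terminated, production-tagged instances may be started, an explicit Deny blocks their termination, and RunInstances is granted on the resource set the text describes. The account ID and region are the placeholders already used on the page, and the tag key "department" with values "dev" and "prod" is an assumption.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ManageDevInstances",
      "Effect": "Allow",
      "Action": ["ec2:StartInstances", "ec2:StopInstances", "ec2:TerminateInstances"],
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/department": "dev"}}
    },
    {
      "Sid": "StartProductionInstances",
      "Effect": "Allow",
      "Action": "ec2:StartInstances",
      "Resource": "arn:aws:ec2:us-east-1:123456789012:instance/*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/department": "prod"}}
    },
    {
      "Sid": "DenyTerminateProduction",
      "Effect": "Deny",
      "Action": "ec2:TerminateInstances",
      "Resource": "*",
      "Condition": {"StringEquals": {"ec2:ResourceTag/department": "prod"}}
    },
    {
      "Sid": "LaunchInstances",
      "Effect": "Allow",
      "Action": "ec2:RunInstances",
      "Resource": [
        "arn:aws:ec2:us-east-1::image/ami-*",
        "arn:aws:ec2:us-east-1:123456789012:instance/*",
        "arn:aws:ec2:us-east-1:123456789012:volume/*",
        "arn:aws:ec2:us-east-1:123456789012:network-interface/*",
        "arn:aws:ec2:us-east-1:123456789012:subnet/*",
        "arn:aws:ec2:us-east-1:123456789012:key-pair/*",
        "arn:aws:ec2:us-east-1:123456789012:security-group/*"
      ]
    }
  ]
}
```

The explicit Deny takes precedence over any Allow, so it still holds if another attached policy later grants broad ec2:TerminateInstances, and an instance with no department tag matches neither Allow and cannot be terminated by this user at all. As the quoted text notes, describe permissions are not included, so ec2:DescribeInstances would have to be granted separately for the console or CLI to list the instances.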
Q8. A user is running a batch process which runs for 1 hour every day. Which of the below mentioned options is the right instance type and costing model in this case if the user performs the same task for the whole year?
A. EBS backed instance with on-demand instance pricing.
B. EBS backed instance with heavy utilized reserved instance pricing.
C. EBS backed instance with low utilized reserved instance pricing.
D. Instance store backed instance with spot instance pricing.
Answer: A
Explanation:
For Amazon Web Services, the reserved instance helps the user save money if the user is going to run the same instance for a longer period. Generally if the user uses the instances around 30-40% annually it is recommended to use RI. Here as the instance runs only for 1 hour daily it is not recommended to have RI as it will be costlier. The user should use on-demand with EBS in this case.
Reference: http://aws.amazon.com/ec2/purchasing-options/reserved-instances/
Q9. Is there a limit to how many groups a user can be in?
A. Yes for all users
B. Yes for all users except root
C. No
D. Yes unless special permission granted
Answer: A
Q10. True or false: A VPC contains multiple subnets, where each subnet can span multiple Availability Zones.
A. This is true only if requested during the set-up of VPC.
B. This is true.
C. This is false.
D. This is true only for US regions.
Answer: C
Explanation:
A VPC can span several Availability Zones. In contrast, a subnet must reside within a single Availability Zone.
Reference: https://aws.amazon.com/vpc/faqs/
Q11. Your supervisor has asked you to build a simple file synchronization service for your department. He doesn't want to spend too much money and he wants to be notified of any changes to files by email. What do you think would be the best Amazon service to use for the email solution?
A. Amazon SES
B. Amazon CloudSearch
C. Amazon SWF
D. Amazon AppStream
Answer: A
Explanation:
File change notifications can be sent via email to users following the resource with Amazon Simple Email Service (Amazon SES), an easy-to-use, cost-effective email solution.
Reference: http://media.amazonwebservices.com/architecturecenter/AWS_ac_ra_filesync_08.pdf
Q12. In Amazon EC2, while sharing an Amazon EBS snapshot, can the snapshots with AWS Marketplace product codes be public?
A. Yes, but only for US-based providers.
B. Yes, they can be public.
C. No, they cannot be made public.
D. Yes, they are automatically made public by the system.
Answer: C
Explanation:
Snapshots with AWS Marketplace product codes can't be made public.
Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/ebs-modifying-snapshot-permissions.html
Q13. A user comes to you and wants access to Amazon CloudWatch but only wants to monitor a specific LoadBalancer. Is it possible to give him access to a specific set of instances or a specific LoadBalancer?
A. No because you can't use IAM to control access to CloudWatch data for specific resources.
B. Yes. You can use IAM to control access to CloudWatch data for specific resources.
C. No because you need to be Sysadmin to access CloudWatch data.
D. Yes. Any user can see all CloudWatch data and needs no access rights.
Answer: A
Explanation:
Amazon CloudWatch integrates with AWS Identity and Access Management (IAM) so that you can specify which CloudWatch actions a user in your AWS Account can perform. For example, you could create an IAM policy that gives only certain users in your organization permission to use GetMetricStatistics. They could then use the action to retrieve data about your cloud resources.
You can't use IAM to control access to CloudWatch data for specific resources. For example, you can't give a user access to CloudWatch data for only a specific set of instances or a specific LoadBalancer. Permissions granted using IAM cover all the cloud resources you use with CloudWatch. In addition, you can't use IAM roles with the Amazon CloudWatch command line tools.
Using Amazon CloudWatch with IAM doesn't change how you use CloudWatch. There are no changes to CloudWatch actions, and no new CloudWatch actions related to users and access control.
Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html
Q14. You need to set up a high level of security for an Amazon Relational Database Service (RDS) you have just built in order to protect the confidential information stored in it. What are all the possible security groups that RDS uses?
A. DB security groups, VPC security groups, and EC2 security groups.
B. DB security groups only.
C. EC2 security groups only.
D. VPC security groups, and EC2 security groups.
Answer: A
Explanation:
A security group controls the access to a DB instance. It does so by allowing access to IP address ranges or Amazon EC2 instances that you specify.
Amazon RDS uses DB security groups, VPC security groups, and EC2 security groups. In simple terms, a DB security group controls access to a DB instance that is not in a VPC, a VPC security group controls access to a DB instance inside a VPC, and an Amazon EC2 security group controls access to an EC2 instance and can be used with a DB instance.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Welcome.html
Q15. Once again your customers are concerned about the security of their sensitive data and with their latest enquiry ask about what happens to old storage devices on AWS. What would be the best answer to this question?
A. AWS reformats the disks and uses them again.
B. AWS uses the techniques detailed in DoD 5220.22-M to destroy data as part of the decommissioning process.
C. AWS uses their own proprietary software to destroy data as part of the decommissioning process.
D. AWS uses a 3rd party security organization to destroy data as part of the decommissioning process.
Answer: B
Explanation:
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals.
AWS uses the techniques detailed in DoD 5220.22-M ("National Industrial Security Program Operating Manual") or NIST 800-88 ("Guidelines for Media Sanitization") to destroy data as part of the decommissioning process.
All decommissioned magnetic storage devices are degaussed and physically destroyed in accordance with industry-standard practices.
Reference: http://d0.awsstatic.com/whitepapers/Security/AWS%20Security%20Whitepaper.pdf