AWS-Solution-Architect-Associate Premium Bundle

AWS Certified Solutions Architect - Associate Certification Exam

Last update: November 21, 2024

Amazon AWS-Solution-Architect-Associate Free Practice Questions

Q1. You have been doing a lot of testing of your VPC Network by deliberately failing EC2 instances to test whether instances are failing over properly. Your customer, who will be paying the AWS bill for all this, asks you if he is being charged for all these instances. You try to explain to him how the billing works on EC2 instances to the best of your knowledge. What would be an appropriate response to give to the customer in regards to this?

A. Billing commences when the Amazon EC2 AMI instance is completely up and billing ends as soon as the instance starts to shut down.

B. Billing commences only after 1 hour of uptime and billing ends when the instance terminates.

C. Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance and billing ends when the instance shuts down.

D. Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance and billing ends as soon as the instance starts to shut down.

Answer: C

Explanation:

Billing commences when Amazon EC2 initiates the boot sequence of an AMI instance. Billing ends when the instance shuts down, which could occur through a web services command, by running "shutdown -h", or through instance failure.

Reference: http://aws.amazon.com/ec2/faqs/#Billing

Q2. When you view the block device mapping for your instance, you can see only the EBS volumes, not the instance store volumes.

A. Depends on the instance type

B. FALSE

C. Depends on whether you use API call

D. TRUE

Answer: D

Q3. You want to establish a dedicated network connection from your premises to AWS in order to save money by transferring data directly to AWS rather than through your internet service provider. You are sure there must be some other benefits beyond cost savings. Which of the following would not be considered a benefit if you were to establish such a connection?

A. Elasticity

B. Compatibility with all AWS services.

C. Private connectivity to your Amazon VPC.

D. Everything listed is a benefit. 

Answer: D

Explanation:

AWS Direct Connect makes it easy to establish a dedicated network connection from your premises to AWS.

Using AWS Direct Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections.

You could expect the following benefits if you use AWS Direct Connect:

Reduced bandwidth costs

Consistent network performance

Compatibility with all AWS services

Private connectivity to your Amazon VPC

Elasticity

Simplicity

Reference: http://aws.amazon.com/directconnect/

Q4. Which of the following statements is true of Amazon EC2 security groups?

A. You can change the outbound rules for EC2-Classic. Also, you can add and remove rules to a group at any time.

B. You can modify an existing rule in a group. However, you can't add and remove rules to a group.

C. None of the statements are correct.

D. You can't change the outbound rules for EC2-Classic. However, you can add and remove rules to a group at any time.

Answer: D

Explanation:

When dealing with security groups, bear in mind that you can freely add and remove rules from a group, but you can't change the outbound rules for EC2-Classic. If you're using the Amazon EC2 console, you can modify existing rules, and you can copy the rules from an existing security group to a new security group.

Reference: http://docs.amazonwebservices.com/AWSEC2/latest/UserGuide/using-network-security.html

Q5. Can Amazon S3 uploads resume on failure or do they need to restart?

A. Restart from beginning

B. You can resume them, if you flag the "resume on failure" option before uploading.

C. Resume on failure

D. Depends on the file size 

Answer: C

Q6. A user comes to you and wants access to Amazon CloudWatch but only wants to monitor a specific LoadBalancer. Is it possible to give him access to a specific set of instances or a specific LoadBalancer?

A. No because you can't use IAM to control access to CloudWatch data for specific resources.

B. Yes. You can use IAM to control access to CloudWatch data for specific resources.

C. No because you need to be Sysadmin to access CloudWatch data.

D. Yes. Any user can see all CloudWatch data and needs no access rights.

Answer: A

Explanation:

Amazon CloudWatch integrates with AWS Identity and Access Management (IAM) so that you can specify which CloudWatch actions a user in your AWS Account can perform. For example, you could create an IAM policy that gives only certain users in your organization permission to use GetMetricStatistics. They could then use the action to retrieve data about your cloud resources.

You can't use IAM to control access to CloudWatch data for specific resources. For example, you can't give a user access to CloudWatch data for only a specific set of instances or a specific LoadBalancer. Permissions granted using IAM cover all the cloud resources you use with CloudWatch. In addition, you can't use IAM roles with the Amazon CloudWatch command line tools.

Using Amazon CloudWatch with IAM doesn't change how you use CloudWatch. There are no changes to CloudWatch actions, and no new CloudWatch actions related to users and access control.

Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/UsingIAM.html

Q7. You need to set up a complex network infrastructure for your organization that will be reasonably easy to deploy, replicate, control, and track changes on. Which AWS service would be best to use to help you accomplish this?

A. AWS Import/Export

B. AWS CloudFormation

C. Amazon Route 53

D. Amazon CloudWatch

Answer: B

Explanation:

AWS CloudFormation is a service that helps you model and set up your Amazon Web Services resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and AWS CloudFormation takes care of provisioning and configuring those resources for you. You don't need to individually create and configure AWS resources and figure out what's dependent on what. AWS CloudFormation handles all of that.

Reference: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/Welcome.html

Q8. You have just set up a large site for a client which involved a huge database which you set up with Amazon RDS to run as a Multi-AZ deployment. You now start to worry about what will happen if the database instance fails. Which statement best describes how this database will function if there is a database failure?

A. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

B. Your database will not resume operation without manual administrative intervention.

C. Updates to your DB Instance are asynchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

D. Updates to your DB Instance are synchronously replicated across S3 to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

Answer:

Explanation:

Amazon Relational Database Service (Amazon RDS) is a managed service that makes it easy to set up, operate, and scale a relational database in the cloud. It provides cost-efficient and resizable capacity, while managing time-consuming database administration tasks, freeing you up to focus on your applications and business.

When you create or modify your DB Instance to run as a Multi-AZ deployment, Amazon RDS automatically provisions and maintains a synchronous "standby" replica in a different Availability Zone. Updates to your DB Instance are synchronously replicated across Availability Zones to the standby in order to keep both in sync and protect your latest database updates against DB Instance failure.

During certain types of planned maintenance, or in the unlikely event of DB Instance failure or Availability Zone failure, Amazon RDS will automatically fail over to the standby so that you can resume database writes and reads as soon as the standby is promoted. Since the name record for your DB Instance remains the same, your application can resume database operation without the need for manual administrative intervention. With Multi-AZ deployments, replication is transparent: you do not interact directly with the standby, and it cannot be used to serve read traffic. If you are using Amazon RDS for MySQL and are looking to scale read traffic beyond the capacity constraints of a single DB Instance, you can deploy one or more Read Replicas.

Reference: http://aws.amazon.com/rds/faqs/

Q9. A government client needs you to set up secure cryptographic key storage for some of their extremely confidential data. You decide that AWS CloudHSM is the best service for this. However, there seem to be a few prerequisites before this can happen, one of those being a security group that has certain ports open. Which of the following is correct in regards to those security groups?

A. A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network.

B. A security group that has no ports open to your network.

C. A security group that has only port 3389 (for RDP) open to your network.

D. A security group that has only port 22 (for SSH) open to your network.

Answer: A

Explanation:

AWS CloudHSM provides secure cryptographic key storage to customers by making hardware security modules (HSMs) available in the AWS cloud.

AWS CloudHSM requires the following environment before an HSM appliance can be provisioned:

A virtual private cloud (VPC) in the region where you want the AWS CloudHSM service.

One private subnet (a subnet with no Internet gateway) in the VPC. The HSM appliance is provisioned into this subnet.

One public subnet (a subnet with an Internet gateway attached). The control instances are attached to this subnet.

An AWS Identity and Access Management (IAM) role that delegates access to your AWS resources to AWS CloudHSM.

An EC2 instance, in the same VPC as the HSM appliance, that has the SafeNet client software installed. This instance is referred to as the control instance and is used to connect to and manage the HSM appliance.

A security group that has port 22 (for SSH) or port 3389 (for RDP) open to your network. This security group is attached to your control instances so you can access them remotely.

Q10. A user needs to run a batch process which runs for 10 minutes. This will only be run once, or at maximum twice, in the next month, so the processes will be temporary only. The process needs 15 X-Large instances. The process downloads the code from S3 on each instance when it is launched, and then generates a temporary log file. Once the instance is terminated, all the data will be lost. Which of the below mentioned pricing models should the user choose in this case?

A. Spot instance.

B. Reserved instance.

C. On-demand instance.

D. EBS optimized instance. 

Answer: A

Explanation:

In Amazon Web Services, a spot instance is useful when the user wants to run a process temporarily. A spot instance can be terminated if another user outbids the existing bid. In this case all storage is temporary and the data is not required to be persistent. Thus, the spot instance is a good option to save money.

Reference: http://aws.amazon.com/ec2/purchasing-options/spot-instances/

Q11. In AWS CloudHSM, in addition to the AWS recommendation that you use two or more HSM appliances in a high-availability configuration to prevent the loss of keys and data, you can also perform a remote backup/restore of a Luna SA partition if you have purchased a:

A. Luna Restore HSM.

B. Luna Backup HSM.

C. Luna HSM.

D. Luna SA HSM.

Answer:

Explanation:

In AWS CloudHSM, you can perform a remote backup/restore of a Luna SA partition if you have purchased a Luna Backup HSM.

Reference: http://docs.aws.amazon.com/cloudhsm/latest/userguide/cloud-hsm-backup-restore.html

Q12. You are designing a data leak prevention solution for your VPC environment. You want your VPC instances to be able to access software depots and distributions on the Internet for product updates. The depots and distributions are accessible via third-party CDNs by their URLs. You want to explicitly deny any other outbound connections from your VPC instances to hosts on the internet.

Which of the following options would you consider?

A. Configure a web proxy server in your VPC and enforce URL-based rules for outbound access. Remove default routes.

B. Implement security groups and configure outbound rules to only permit traffic to software depots.

C. Move all your instances into private VPC subnets, remove default routes from all routing tables, and add specific routes to the software depots and distributions only.

D. Implement network access control lists to all specific destinations, with an implicit deny as a rule.

Answer: A

Q13. A user is currently building a website which will require a large number of instances in six months, when a demonstration of the new site will be given upon launch.

Which of the below mentioned options allows the user to procure the resources beforehand so that they need not worry about infrastructure availability during the demonstration?

A. Procure all the instances as reserved instances beforehand.

B. Launch all the instances as part of the cluster group to ensure resource availability.

C. Pre-warm all the instances one month prior to ensure resource availability.

D. Ask AWS now to procure the dedicated instances in 6 months. 

Answer: A

Explanation:

Amazon Web Services has massive hardware resources at its data centers, but they are finite. The best way for users to maximize their access to these resources is by reserving a portion of the computing capacity that they require. This can be done through reserved instances. With reserved instances, the user literally reserves the computing capacity in the Amazon Web Services cloud.

Reference: http://media.amazonwebservices.com/AWS_Building_Fault_Tolerant_Applications.pdf

Q14. Which of the following statements is NOT true about using Elastic IP Address (EIP) in EC2-Classic and EC2-VPC platforms?

A. In the EC2-VPC platform, the Elastic IP Address (EIP) does not remain associated with the instance when you stop it.

B. In the EC2-Classic platform, stopping the instance disassociates the Elastic IP Address (EIP) from it.

C. In the EC2-VPC platform, if you have attached a second network interface to an instance, when you disassociate the Elastic IP Address (EIP) from that instance, a new public IP address is not assigned to the instance automatically; you'll have to associate an EIP with it manually.

D. In the EC2-Classic platform, if you disassociate an Elastic IP Address (EIP) from the instance, the instance is automatically assigned a new public IP address within a few minutes.

Answer:

Explanation:

In the EC2-Classic platform, when you associate an Elastic IP Address (EIP) with an instance, the instance's current public IP address is released to the EC2-Classic public IP address pool. If you disassociate an EIP from the instance, the instance is automatically assigned a new public IP address within a few minutes. In addition, stopping the instance also disassociates the EIP from it.

But in the EC2-VPC platform, when you associate an EIP with an instance in a default Virtual Private Cloud (VPC), or an instance in which you assigned a public IP to the eth0 network interface during launch, its current public IP address is released to the EC2-VPC public IP address pool. If you disassociate an EIP from the instance, the instance is automatically assigned a new public IP address within a few minutes. However, if you have attached a second network interface to the instance, the instance is not automatically assigned a new public IP address; you'll have to associate an EIP with it manually. The EIP remains associated with the instance when you stop it.

Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/elastic-ip-addresses-eip.html

Q15. What does Amazon Cloud Formation provide?

A. The ability to set up Autoscaling for Amazon EC2 instances.

B. None of these.

C. A templated resource creation for Amazon Web Services.

D. A template to map network resources for Amazon Web Services. 

Answer: D
