1. A company hosts a popular web application that connects to an Amazon RDS MySQL DB instance running in a private VPC subnet created with default ACL settings.

The IT Security department has identified a DoS attack from a suspect IP address. How can you protect the subnets from this attack?

  1. Change the inbound security group rules to deny access from the suspect IP.
  2. Change the outbound security group rules to deny access from the suspect IP.
  3. Change the inbound NACL to deny access from the suspect IP.
  4. Change the outbound NACL to deny access from the suspect IP.
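Security groups are stateful and hold allow rules only, so neither option 1 nor option 2 can express "deny this address"; a network ACL is evaluated per subnet, rule by rule in ascending rule-number order, and does accept explicit deny rules, which makes the inbound NACL (option 3) the place to block the source. Because the default NACL already contains rule 100 allowing everything, the deny has to be numbered below 100. The Python below is an added example, not part of the original question: it models both evaluation orders on constructed rules and a hypothetical suspect address 203.0.113.45, so the effect of the rule number can be seen directly.

```python
from ipaddress import ip_address, ip_network

# Constructed values for this example: a hypothetical suspect address and the
# web tier's port. Nothing here is taken from the original question.
SUSPECT_IP = "203.0.113.45"
WEB_PORT = 443

# A default NACL holds rule 100 (allow everything) plus the implicit "*" deny.
# Rules are evaluated in ascending rule-number order and the first match wins,
# so the deny must be numbered BELOW the allow-all or it is never reached.
BLOCKING_NACL = [
    {"rule": 50,  "cidr": f"{SUSPECT_IP}/32", "ports": (0, 65535), "action": "deny"},
    {"rule": 100, "cidr": "0.0.0.0/0",        "ports": (0, 65535), "action": "allow"},
]

# Common mistake: the deny is appended after (numbered above) the allow-all.
MISORDERED_NACL = [
    {"rule": 100, "cidr": "0.0.0.0/0",        "ports": (0, 65535), "action": "allow"},
    {"rule": 110, "cidr": f"{SUSPECT_IP}/32", "ports": (0, 65535), "action": "deny"},
]

# A security group holds allow rules only; there is no deny entry to add.
WEB_SG_INBOUND = [{"cidr": "0.0.0.0/0", "port": WEB_PORT}]


def evaluate_nacl(rules, src_ip, dst_port):
    """Inbound NACL decision: lowest rule number first, first match decides,
    no match falls through to the implicit '*' deny."""
    src = ip_address(src_ip)
    for rule in sorted(rules, key=lambda r: r["rule"]):
        low, high = rule["ports"]
        if src in ip_network(rule["cidr"]) and low <= dst_port <= high:
            return rule["action"]
    return "deny"


def evaluate_security_group(allow_rules, src_ip, dst_port):
    """Security group decision: any matching allow rule admits the packet.
    The only way to shut out SUSPECT_IP with this rule set is to delete the
    0.0.0.0/0 rule, which also shuts out every legitimate client."""
    src = ip_address(src_ip)
    for rule in allow_rules:
        if src in ip_network(rule["cidr"]) and rule["port"] == dst_port:
            return "allow"
    return "deny"


if __name__ == "__main__":
    print("NACL, deny numbered below allow-all:", evaluate_nacl(BLOCKING_NACL, SUSPECT_IP, WEB_PORT))
    print("NACL, deny numbered above allow-all:", evaluate_nacl(MISORDERED_NACL, SUSPECT_IP, WEB_PORT))
    print("security group, any ordering:       ", evaluate_security_group(WEB_SG_INBOUND, SUSPECT_IP, WEB_PORT))
```

Two caveats a practitioner would add: a NACL is stateless, so the inbound deny alone drops the flood and no outbound rule is involved (option 4 changes nothing for inbound packets); and a NACL rule is a blunt per-subnet control, so for a sustained or distributed attack on the web tier a managed edge control such as AWS WAF in front of the load balancer is the better fit.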

2. A company is planning on allowing their users to upload and read objects from an S3 bucket.

Because of the large number of users, the read/write traffic will be very high.

How should the architect maximize Amazon S3 performance?

  1. Prefix each object name with a random string.
  2. Use the STANDARD_IA storage class.
  3. Prefix each object name with the current date.
  4. Enable versioning on the S3 bucket.

Explanation: If the request rate is high, you can prefix object names with hash keys or random strings. The partitions used to store the objects are then spread more evenly, which allows better read/write performance. Note that since 2018 S3 scales request capacity per prefix automatically (3,500 PUT/COPY/POST/DELETE and 5,500 GET/HEAD requests per second per prefix), so randomized prefixes are no longer required; the question reflects the earlier guidance. For more information on how to ensure performance in S3, please visit the following URL: (https://docs.aws.amazon.com/AmazonS3/latest/dev/request-rate-perf-considerations.html)
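The contrast between option 1 and option 3, as an added example that is not part of the original page: a batch of sequential uploads landing on one day all share a date prefix, while a hash-derived prefix spreads them across many. Deriving the prefix from the object name rather than drawing it at random is an assumption of this example; it keeps the key recomputable by any client that knows the name, which a truly random prefix would not. The object names and the batch size are constructed.

```python
import hashlib


def hashed_key(object_name: str, prefix_len: int = 4) -> str:
    """Prefix the name with the first hex digits of its SHA-256.
    Four hex digits give 65,536 possible prefixes, so even a large batch of
    sequential names spreads out instead of sharing one partition."""
    digest = hashlib.sha256(object_name.encode("utf-8")).hexdigest()
    return f"{digest[:prefix_len]}/{object_name}"


def dated_key(object_name: str, upload_date: str) -> str:
    """The anti-pattern from option 3: every upload of one day shares a prefix."""
    return f"{upload_date}/{object_name}"


def distinct_prefixes(keys) -> int:
    """How many different leading prefixes a set of keys spreads over."""
    return len({key.split("/", 1)[0] for key in keys})


# Constructed batch: 1,000 sequential uploads on the same day.
NAMES = [f"upload-{i:05d}.mp4" for i in range(1000)]
HASHED = [hashed_key(name) for name in NAMES]
DATED = [dated_key(name, "2024-01-15") for name in NAMES]

if __name__ == "__main__":
    print("hash-prefixed keys spread over", distinct_prefixes(HASHED), "prefixes")
    print("date-prefixed keys spread over", distinct_prefixes(DATED), "prefix")
```

With 1,000 names in 65,536 buckets only a handful collide, so the hashed batch lands on roughly 990 prefixes while the dated batch lands on exactly one.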

3. A concern raised in your company is that developers could potentially delete production-based EC2 resources.

As a Cloud Admin, which of the below options would you choose to help alleviate this concern? Choose 2 options.

  1. Tag the production instances with a production-identifying tag and add resource-level permissions for the developers with an explicit deny on the terminate API call for instances carrying the production tag.
  2. Create a separate AWS account and add the developers to that account.
  3. Modify the IAM policy on the developers to require MFA before deleting EC2 instances, and disable MFA for the employee.
  4. Modify the IAM policy on the developers to require MFA before deleting EC2 instances.
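Options 1 and 4 combined in one policy, as an added example that is not from the original page: the policy JSON and the request contexts are constructed, and the evaluator implements only the slice of IAM logic the policy needs (wildcard matching on Action and Resource, the StringEquals and BoolIfExists operators, and the rule that an applicable explicit Deny beats any Allow).

```python
import fnmatch

# Constructed developer policy: broad EC2 access, an explicit deny on
# terminating or stopping anything tagged Environment=production, and a deny
# on termination from any session that is not MFA-authenticated.
DEVELOPER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:*", "Resource": "*"},
        {   # Option 1: tag-scoped explicit deny.
            "Effect": "Deny",
            "Action": ["ec2:TerminateInstances", "ec2:StopInstances"],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/Environment": "production"}},
        },
        {   # Option 4: MFA required. BoolIfExists matters here: a request made
            # with long-term access keys carries no aws:MultiFactorAuthPresent
            # key at all, and a plain Bool test on a missing key is false,
            # which would let this deny fall away for exactly those requests.
            "Effect": "Deny",
            "Action": "ec2:TerminateInstances",
            "Resource": "*",
            "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}},
        },
    ],
}


def _matches(patterns, value):
    """IAM-style wildcard match for Action and Resource elements."""
    patterns = [patterns] if isinstance(patterns, str) else patterns
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def _condition_holds(condition, context):
    """Minimal evaluator for the two operators the policy uses."""
    for operator, pairs in condition.items():
        for key, expected in pairs.items():
            actual = context.get(key)
            if operator == "StringEquals":
                if actual != expected:
                    return False
            elif operator == "BoolIfExists":
                # Absent key counts as a match; a present key must equal expected.
                if actual is not None and str(actual).lower() != expected.lower():
                    return False
            else:
                raise NotImplementedError(operator)
    return True


def is_allowed(policy, action, resource, context):
    """Simplified IAM decision: an applicable explicit Deny wins outright;
    otherwise at least one applicable Allow is required."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(stmt["Action"], action):
            continue
        if not _matches(stmt["Resource"], resource):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


# Constructed request contexts, i.e. what IAM would derive from each request.
PROD_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0prod0000000000001"
DEV_INSTANCE = "arn:aws:ec2:us-east-1:123456789012:instance/i-0dev00000000000001"
PROD_WITH_MFA = {"ec2:ResourceTag/Environment": "production", "aws:MultiFactorAuthPresent": "true"}
DEV_WITH_MFA = {"ec2:ResourceTag/Environment": "dev", "aws:MultiFactorAuthPresent": "true"}
DEV_ACCESS_KEYS = {"ec2:ResourceTag/Environment": "dev"}  # long-term keys: no MFA key present
```

One gap to close in practice: StringEquals on ec2:ResourceTag/Environment is false for an instance that has no Environment tag at all, so an untagged production instance is not protected by the first deny. Enforce the tag at launch (or add a Null condition on the key to the deny) rather than relying on the tag-scoped deny alone.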

4. You are developing a mobile application that needs to issue temporary security credentials to users.

This is essential due to security concerns. Which of the below services can help achieve this?

  1. AWS STS
  2. AWS Config
  3. AWS Trusted Advisor
  4. AWS Inspector

Explanation:

AWS Documentation mentions the following:

You can use the AWS Security Token Service (AWS STS) to create and provide trusted users with temporary security credentials that can control access to your AWS resources. Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, AWS no longer recognizes them or allows any kind of access from API requests made with them.

For more information on the Security Token Service, please visit the following URL:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html

5. Your company is planning on using the API Gateway service to manage APIs for developers and users.

There is a need to segregate the access rights for both developers and users. How can this be accomplished?

  1. Use IAM permissions to control the access.
  2. Use AWS Access keys to manage the access.
  3. Use AWS KMS service to manage the access.
  4. Use AWS Config Service to control the access.

Explanation:

AWS Documentation mentions the following:

You control access to Amazon API Gateway with IAM permissions by controlling access to the following two API Gateway component processes:

To create, deploy, and manage an API in API Gateway, you must grant the API developer permissions to perform the required actions supported by the API management component of API Gateway.
To call a deployed API or to refresh the API caching, you must grant the API caller permissions to perform required IAM actions supported by the API execution component of API Gateway.
For more information on permissions for the API gateway, please visit the URL:

https://docs.aws.amazon.com/apigateway/latest/developerguide/permissions.html

6. You have an S3 bucket hosted in AWS which is used to store promotional videos you upload.

You need to provide access to users for a limited duration of time. How can this be achieved?

  1. Use versioning and enable a timestamp for each version.
  2. Use Pre-Signed URLs.
  3. Use IAM Roles with a timestamp to limit the access.
  4. Use IAM policies with a timestamp to limit the access.

Explanation:

AWS Documentation describes pre-signed URLs as follows:

All objects by default are private. Only the object owner has permission to access these objects. However, the object owner can optionally share objects with others by creating a pre-signed URL, using their own security credentials, to grant time-limited permission to download the objects.

When you create a pre-signed URL you provide your credentials, the bucket name and object key, the HTTP method (GET for a download) and an expiration time. Anyone who receives the URL can perform that one operation until the expiration passes. A URL signed with IAM user credentials can be valid for at most seven days, and a URL signed with temporary (STS) credentials stops working when those credentials expire, whatever expiration was requested. Of the options given, only the pre-signed URL grants a specific download for a bounded window without creating identities or policies for each viewer.

For more information on pre-signed URLs, please visit the following URL:

https://docs.aws.amazon.com/AmazonS3/latest/dev/ShareObjectPreSignedURL.html
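What a pre-signed URL actually is, as an added example that is neither code from the page nor from AWS's SDKs: a Signature Version 4 query-string presigner for an S3 GET, and the matching verifier, so that the expiry and tamper behaviour can be exercised offline. The bucket name promo-videos, the object key, the access key ID and secret (the placeholder pair from AWS's own documentation), the region and the fixed clock are all constructed; in practice you would call the SDK (boto3's generate_presigned_url) rather than hand-roll this.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qsl, quote, urlsplit

ALGORITHM = "AWS4-HMAC-SHA256"
MAX_EXPIRY = 7 * 24 * 3600  # S3 rejects X-Amz-Expires above seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _signing_key(secret_key: str, date: str, region: str) -> bytes:
    """SigV4 key derivation: date -> region -> service -> terminator."""
    k = _hmac(("AWS4" + secret_key).encode("utf-8"), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _encode_query(params: dict) -> str:
    """Canonical query string: keys sorted, everything but unreserved chars escaped."""
    return "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                    for k, v in sorted(params.items()))


def _signature(host: str, path: str, params: dict, secret_key: str) -> str:
    """Canonical request -> string to sign -> HMAC, for a GET with no signed
    headers beyond Host and an unsigned payload (the presigned-URL shape)."""
    _, scope = params["X-Amz-Credential"].split("/", 1)
    date, region, _service, _terminator = scope.split("/")
    canonical_request = "\n".join([
        "GET", path, _encode_query(params),
        f"host:{host}\n", "host", "UNSIGNED-PAYLOAD",
    ])
    string_to_sign = "\n".join([
        ALGORITHM, params["X-Amz-Date"], scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    return hmac.new(_signing_key(secret_key, date, region),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def presign_get(bucket, key, access_key, secret_key, region, expires_in, now,
                session_token=None):
    """Build a presigned GET URL valid for expires_in seconds from `now` (UTC)."""
    if not 1 <= expires_in <= MAX_EXPIRY:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    path = quote("/" + key, safe="/-_.~")
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    params = {
        "X-Amz-Algorithm": ALGORITHM,
        "X-Amz-Credential": f"{access_key}/{amz_date[:8]}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_in),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:  # URLs signed with STS credentials also carry the token
        params["X-Amz-Security-Token"] = session_token
    params["X-Amz-Signature"] = _signature(host, path, params, secret_key)
    return f"https://{host}{path}?{_encode_query(params)}"


def verify_presigned_get(url, secret_key, now):
    """What S3 checks on receipt: the window has not closed, and the signature
    recomputed over the URL as presented matches the one it carries."""
    parts = urlsplit(url)
    params = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = params.pop("X-Amz-Signature", "")
    issued = datetime.strptime(params["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    if now > issued + timedelta(seconds=int(params["X-Amz-Expires"])):
        return False
    expected = _signature(parts.netloc, parts.path, params, secret_key)
    return hmac.compare_digest(presented, expected)


# Constructed placeholders and a fixed clock so the output is reproducible.
ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
ISSUED_AT = datetime(2024, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
STILL_VALID = ISSUED_AT + timedelta(minutes=59)
EXPIRED = ISSUED_AT + timedelta(hours=1, seconds=1)
EXAMPLE_URL = presign_get("promo-videos", "launch/teaser 1.mp4", ACCESS_KEY, SECRET_KEY,
                          "us-east-1", 3600, ISSUED_AT)
STS_URL = presign_get("promo-videos", "launch/teaser 1.mp4", "ASIAIOSFODNN7EXAMPLE", SECRET_KEY,
                      "us-east-1", 3600, ISSUED_AT, session_token="IQoJb3JpZ2luX2VjEXAMPLETOKEN")
```

The verifier shows why the link is safe to hand out: changing the object key, the expiry or any other query parameter invalidates the signature, and the secret never leaves the signer. It also shows the limit: whoever holds the URL can use it until expiry, so treat it like a bearer token and keep the window as short as the use case allows.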

7. Your company has recently started using AWS services for their daily operations.

As a cloud administrator, which of the following services would you recommend to gain insight into securing the infrastructure and into cost optimization?

  1. AWS Inspector
  2. AWS Trusted Advisor
  3. AWS WAF
  4. AWS Config

Explanation: AWS Documentation mentions the following on Trusted Advisor:
An online resource to help you reduce cost, increase performance, and improve security by optimizing your AWS environment, Trusted Advisor provides real time guidance to help you provision your resources following AWS best practices.
For more information on the Trusted Advisor, please visit the below URL:
https://aws.amazon.com/premiumsupport/trustedadvisor/

8. Your IT Security department has mandated that all traffic flowing in and out of EC2 instances needs to be monitored.

Which of the below services can help achieve this?

  1. Trusted Advisor
  2. VPC Flow Logs
  3. Use CloudWatch metrics
  4. Use CloudTrail

Explanation: AWS Documentation mentions the following:
VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC. Flow log data can be published to Amazon CloudWatch Logs or to Amazon S3. After you’ve created a flow log, you can view and retrieve its data in the destination you chose.
For more information on VPC Flow Logs, please visit the following URL:
https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/flow-logs.html
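What the captured records look like and how they get used, as an added example that is not from the original page: a parser for the default (version 2) record format and two checks run over it, a REJECT-based port-sweep heuristic and an inbound/outbound byte tally. The records are constructed (documentation address ranges, placeholder account and ENI IDs, and a NODATA record to show the dash-filled fields such records carry). Two caveats to keep in mind when "all traffic" is the requirement: flow logs carry no payload, only flow metadata, and some traffic, such as queries to the Amazon DNS resolver and instance metadata requests, is never logged.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed default-format (version 2) records. Field order:
# version account-id interface-id srcaddr dstaddr srcport dstport protocol
# packets bytes start end action log-status
SAMPLE_FLOW_LOG = """\
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40211 22 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40212 23 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40213 445 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40214 3389 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 198.51.100.7 10.0.1.20 40215 3306 6 3 180 1700000000 1700000059 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.20 51234 443 6 25 18040 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 10.0.1.20 203.0.113.9 443 51234 6 30 204812 1700000000 1700000059 ACCEPT OK
2 123456789012 eni-0a1b2c3d4e5f67890 203.0.113.9 10.0.1.20 51240 8080 6 2 120 1700000060 1700000119 REJECT OK
2 123456789012 eni-0a1b2c3d4e5f67890 - - - - - - - 1700000060 1700000119 - NODATA
"""

FIELDS = ("version", "account_id", "interface_id", "srcaddr", "dstaddr", "srcport",
          "dstport", "protocol", "packets", "bytes", "start", "end", "action", "log_status")
INT_FIELDS = {"version", "srcport", "dstport", "protocol", "packets", "bytes", "start", "end"}


def parse_flow_log(text):
    """Parse default-format records; '-' marks a field that is absent, as in
    NODATA and SKIPDATA records."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = line.split()
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        rec = {}
        for name, value in zip(FIELDS, parts):
            if value == "-":
                rec[name] = None
            elif name in INT_FIELDS:
                rec[name] = int(value)
            else:
                rec[name] = value
        records.append(rec)
    return records


def rejected_port_sweeps(records, min_ports=4):
    """Sources whose REJECTed flows touched at least min_ports distinct
    destination ports: a cheap port-scan heuristic over security-group and
    NACL drops."""
    ports = defaultdict(set)
    for rec in records:
        if rec["log_status"] == "OK" and rec["action"] == "REJECT":
            ports[rec["srcaddr"]].add(rec["dstport"])
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}


def accepted_bytes_by_direction(records, vpc_cidr="10.0.0.0/16"):
    """Accepted bytes into versus out of the VPC (the CIDR is an assumption of
    this example), for the 'in and out' monitoring requirement."""
    vpc = ip_network(vpc_cidr)
    totals = {"inbound": 0, "outbound": 0}
    for rec in records:
        if rec["action"] != "ACCEPT":
            continue
        direction = "outbound" if ip_address(rec["srcaddr"]) in vpc else "inbound"
        totals[direction] += rec["bytes"]
    return totals


RECORDS = parse_flow_log(SAMPLE_FLOW_LOG)

if __name__ == "__main__":
    print("port sweeps:", rejected_port_sweeps(RECORDS))
    print("accepted bytes:", accepted_bytes_by_direction(RECORDS))
```

The same parser feeds either destination: lines pulled from a CloudWatch Logs stream or from the gzip-compressed objects S3 delivery writes parse identically, and custom-format flow logs only need FIELDS adjusted to match the format string used when the flow log was created.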

9. A company is currently utilising a Redshift cluster as their production warehouse.

As a cloud architect, you are tasked to ensure that disaster recovery is in place. Which of the following options is best in addressing this issue?

  1. Take a copy of the underlying EBS volumes to S3 and then do Cross-Region Replication.
  2. Enable Cross-Region Snapshots for the Redshift Cluster.
  3. Create a CloudFormation template to restore the Cluster in another region.
  4. Enable Cross Availability Zone Snapshots for the Redshift Cluster.

Explanation: The diagram in the referenced documentation shows that Redshift snapshots can be made available in a different region: once cross-region snapshot copy is enabled on a cluster, Redshift automatically copies new automated and manual snapshots to the destination region, and the cluster can be restored there if the primary region is lost. A CloudFormation template recreates the cluster but not its data, the cluster's storage is not exposed as EBS volumes you can copy, and there is no per-Availability-Zone snapshot option. For more information on managing Redshift snapshots, please visit the following URL: (https://docs.aws.amazon.com/redshift/latest/mgmt/managing-snapshots-console.html)

10. Your organization is building a collaboration platform for which they chose AWS EC2 for web and application servers and MySQL RDS instance as the database.

Due to the nature of the traffic to the application, they would like to increase the number of connections to the RDS instance. How can this be achieved?

  1. Login to RDS instance and modify database config file under /etc/mysql/my.cnf
  2. Create a new parameter group, attach it to the DB instance and change the setting.
  3. Create a new option group, attach it to the DB instance and change the setting.
  4. Modify the setting in the default option group attached to the DB instance.

Explanation: You manage your DB engine configuration through the use of parameters in a DB parameter group. DB parameter groups act as a container for engine configuration values that are applied to one or more DB instances. For MySQL on RDS the setting in question is the max_connections parameter. RDS gives no shell access to the instance, so /etc/mysql/my.cnf (option 1) cannot be edited, and option groups carry optional features such as engine plugins rather than engine parameters (options 3 and 4).

A default DB parameter group is created if you create a DB instance without specifying a customer-created DB parameter group. Each default DB parameter group contains database engine defaults and Amazon RDS system defaults based on the engine, compute class, and allocated storage of the instance. You cannot modify the parameter settings of a default DB parameter group; you must create your own DB parameter group to change parameter settings from their default value. Note that not all DB engine parameters can be changed in a customer-created DB parameter group.

If you want to use your own DB parameter group, you simply create a new DB parameter group, modify the desired parameters, and modify your DB instance to use the new DB parameter group. All DB instances that are associated with a particular DB parameter group get all parameter updates to that DB parameter group.

For more information: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/USER_WorkingWithParamGroups.html

11. You have configured an Auto Scaling group whose minimum size is 2 and maximum size is 10.

For the past 30 minutes, all five running instances have been at 100% CPU utilization; however, the Auto Scaling group has not added any more instances to the group. What is the most likely cause? Choose 2 answers from the options given below.

  1. You already have 20 on-demand instances running.
  2. The Auto Scaling group’s MAX size is set at five.
  3. The Auto Scaling group’s scale down policy is too high.
  4. The Auto Scaling group’s scale up policy has not yet been reached.

Explanation: Historically an account could run up to 20 On-Demand instances per region by default, with some instance types capped at 5, and running more required a limit-increase request to AWS. Current accounts are limited by vCPU count per instance family rather than a flat instance count, but the effect is the same: once the limit is reached, Auto Scaling cannot launch, so option 1 is a valid cause. The question states that the group's maximum is 10, so option 2 cannot be the cause. Note that the question never says the scaling policy is driven by the CPUUtilization metric; if the policy tracks another metric such as DiskWrites or NetworkIn/Out, that metric's alarm may simply not have breached its threshold yet, which makes option 4 the other valid cause. Only the non-functioning scale-out process is at issue here, not scale-in, so option 3 does not apply.

The AWS troubleshooting documentation describes the symptom as follows: "instance(s) are already running. Launching EC2 instance failed." Cause: The Auto Scaling group has reached the limit set by the DesiredCapacity parameter. Solution: Update your Auto Scaling group by providing a new value for the --desired-capacity parameter using the update-auto-scaling-group command. If you've reached your limit for the number of EC2 instances, you can request an increase. For more information, see AWS Service Limits.

For more information on troubleshooting Auto Scaling, please refer to the following link: (http://docs.aws.amazon.com/autoscaling/latest/userguide/ts-as-capacity.html) The link below provides information on EC2 instance limits: (https://docs.aws.amazon.com/general/latest/gr/aws_service_limits.html#limits_ec2) More information on limits of On-Demand EC2 instances is available at: (https://aws.amazon.com/ec2/faqs/#How_many_instances_can_I_run_in_Amazon_EC2)

12. A company has an application hosted in AWS.

This application consists of EC2 Instances that sit behind an ELB. The following are requirements from an administrative perspective:

a) Must be able to collect and analyse logs with regard to ELB’s performance.
b) Ensure that notifications are sent when the latency goes beyond 10 seconds.

Which of the following can be used to achieve this requirement? Choose 2 answers from the options given below.

  1. Use CloudWatch for monitoring.
  2. Enable CloudWatch logs and then investigate the logs whenever there is an issue.
  3. Enable the logs on the ELB with Latency Alarm that sends an email and then investigate the logs whenever there is an issue.
  4. Use CloudTrail to monitor whatever metrics need to be monitored.

13. An IT company has a set of EC2 Instances hosted in a VPC.

They are hosted in a private subnet. These instances now need to access resources stored in an S3 bucket. The traffic should not traverse the internet. The addition of which of the following would help fulfill this requirement?

  1. VPC Endpoint
  2. NAT Instance
  3. NAT Gateway
  4. Internet Gateway

Explanation: A VPC endpoint enables you to privately connect your VPC to supported AWS services and VPC endpoint services powered by PrivateLink without requiring an internet gateway, NAT device, VPN connection, or AWS Direct Connect connection. Instances in your VPC do not require public IP addresses to communicate with resources in the service. Traffic between your VPC and the other service does not leave the Amazon network. For S3 this is a gateway endpoint: it is added as a target in the private subnet's route table, so instances there reach S3 with no NAT device or internet gateway in the path. For more information on AWS VPC endpoints, please visit the following URL: (https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-endpoints.html)

14. Your team has developed an application and now needs to deploy that application onto an EC2 Instance.

This application interacts with a DynamoDB table. Which of the following is the correct and MOST SECURE way to ensure that the application interacts with the DynamoDB table?

  1. Create a role which has the necessary permissions and can be assumed by the EC2 instance.
  2. Use the API credentials from an EC2 instance. Ensure the environment variables are updated with the API access keys.
  3. Use the API credentials from a bastion host. Make the application on the EC2 Instance send requests via the bastion host.
  4. Use the API credentials from a NAT Instance. Make the application on the EC2 Instance send requests via the NAT Instance.

15. Your development team has created a web application that needs to be tested on VPC.

You need to advise the IT admin team on how they should implement the VPC to ensure the application can be accessed from the Internet. Which of the following components would be part of the design? Choose 3 answers from the options given below.

  1. An Internet gateway attached to the VPC.