
AWS Certified Solutions Architect - Professional Questions and Answers (Dumps and Practice Questions)



Question : Select the incorrect statement for Network ACL
1. Operates at the subnet level (second layer of defense)
2. Supports allow rules and deny rules
3. Is stateless: Return traffic must be explicitly allowed by rules
4. Automatically applies to all instances in the subnets it's associated with
5. None of above

Correct Answer : 5

Explanation: You can use AWS Identity and Access Management to control who in your organization has permission to create and manage security groups and network ACLs. For example, you can
give only your network administrators that permission, but not personnel who only need to launch instances. For more information, see Controlling Access to Amazon VPC Resources.
Amazon security groups and network ACLs don't filter traffic to or from link-local addresses (169.254.0.0/16) or AWS reserved addresses (the first four IP addresses and the last one
in each subnet). These addresses support the services: Domain Name Services (DNS), Dynamic Host Configuration Protocol (DHCP), Amazon EC2 instance metadata, Key Management Server
(KMS-license management for Windows instances), and routing in the subnet. You can implement additional firewall solutions in your instances to block network communication with
link-local addresses.
Comparison of Security Groups and Network ACLs

The following table summarizes the basic differences between security groups and network ACLs.
Security Group:
Operates at the instance level (first layer of defense)
Supports allow rules only
Is stateful: Return traffic is automatically allowed, regardless of any rules
We evaluate all rules before deciding whether to allow traffic
Applies to an instance only if someone specifies the security group when launching the instance, or associates the security group with the instance later on

Network ACL:
Operates at the subnet level (second layer of defense)
Supports allow rules and deny rules
Is stateless: Return traffic must be explicitly allowed by rules
We process rules in number order when deciding whether to allow traffic
Automatically applies to all instances in the subnets it's associated with (backup layer of defense, so you don't have to rely on someone specifying the security group)
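
The two evaluation behaviours compared above, as an added Python model (not from the original page or from AWS): a stateful security group against a stateless network ACL whose rules are processed in number order. The rule tuples, addresses and function names are constructed for illustration, and protocol matching is left out.

```python
import ipaddress

def _match(ip, port, cidr, lo, hi):
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr) and lo <= port <= hi

def nacl_allows(rules, ip, port):
    """Network ACL: walk rules in rule-number order; the first match decides."""
    for _num, action, cidr, lo, hi in sorted(rules):
        if _match(ip, port, cidr, lo, hi):
            return action == "allow"
    return False  # nothing matched: the final catch-all rule denies

def sg_allows(rules, ip, port):
    """Security group: allow rules only, so any matching rule permits the packet."""
    return any(_match(ip, port, cidr, lo, hi) for cidr, lo, hi in rules)

def round_trip(kind, inbound, outbound, client_ip, client_port, server_port):
    """Return (request_allowed, response_allowed) for one client -> server exchange."""
    if kind == "sg":
        req = sg_allows(inbound, client_ip, server_port)
        return req, req  # stateful: the reply to an allowed request needs no outbound rule
    req = nacl_allows(inbound, client_ip, server_port)
    # stateless: the reply goes to the client's ephemeral port and needs its own outbound rule
    return req, req and nacl_allows(outbound, client_ip, client_port)

# Constructed sample rules (documentation address ranges, not real hosts).
SG_IN = [("0.0.0.0/0", 443, 443)]
NACL_IN = [
    (90, "deny", "203.0.113.0/24", 0, 65535),   # lower number, evaluated first
    (100, "allow", "0.0.0.0/0", 443, 443),
]
NACL_OUT_FIXED = [(100, "allow", "0.0.0.0/0", 1024, 65535)]  # ephemeral reply ports

if __name__ == "__main__":
    client = ("198.51.100.7", 50000, 443)
    print("SG, no outbound rule:     ", round_trip("sg", SG_IN, [], *client))
    print("NACL, no outbound rule:   ", round_trip("nacl", NACL_IN, [], *client))
    print("NACL, ephemeral outbound: ", round_trip("nacl", NACL_IN, NACL_OUT_FIXED, *client))
    print("NACL, denied source /24:  ",
          round_trip("nacl", NACL_IN, NACL_OUT_FIXED, "203.0.113.9", 50000, 443))
```
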




Question : When you launch an instance in a VPC, you can assign the instance to up to ___________ security groups.
1. 1
2. 2
3. 3
4. 4
5. 5

Correct Answer : 5
Explanation: A security group acts as a virtual firewall for your instance to control inbound and outbound traffic. When you launch an instance in a VPC, you can assign
the instance to up to five security groups. Security groups act at the instance level, not the subnet level. Therefore, each instance in a subnet in your VPC could be assigned to a
different set of security groups. If you don't specify a particular group at launch time, the instance is automatically assigned to the default security group for the VPC.

For each security group, you add rules that control the inbound traffic to instances, and a separate set of rules that control the outbound traffic. This section describes the basic
things you need to know about security groups for your VPC and their rules.






Question : You have created a VPC for your website and launched one EC2 instance in it. However, you forgot to assign a security group to this instance. Select the correct statement that applies.
1. Allow inbound traffic from instances assigned to the same security group
2. Allow all outbound traffic
3. Allow inbound traffic from instances assigned from any security group
4. 1 and 2
5. 2 and 3



Correct Answer : 4
Explanation: Your VPC automatically comes with a default security group. Each EC2 instance that you launch in your VPC is automatically associated with the default
security group if you don't specify a different security group when you launch the instance.

The following table describes the default rules for a default security group.
Inbound
Source | Protocol | Port Range | Comments
The security group ID (sg-xxxxxxxx) | All | All | Allow inbound traffic from instances assigned to the same security group

Outbound
Destination | Protocol | Port Range | Comments
0.0.0.0/0 | All | All | Allow all outbound traffic


Related Questions


Question : QuickTechie.com is planning to host a web server (Apache Tomcat) as well as a JEE app server (WebLogic) on a single EC2 instance which
is part of the public subnet of a VPC. How can QuickTechie set this up to have two separate public IPs and separate security groups for
both the WebLogic and the Tomcat servers?
1. Launch a VPC with ELB such that it redirects requests to separate VPC instances of the public subnet.
2. Launch a VPC instance with two network interfaces. Assign a separate security group and elastic IP to them
4. Launch a VPC instance with two network interfaces. Assign a separate security group to each and AWS will assign a separate public IP to them.



Question : Map the following storage types to their characteristics

A. Amazon EBS
B. Amazon EC2 Instance Store
C. Amazon S3
D. Root Storage

1. recommended storage option when you run a database on an instance
2. if you stop or terminate an instance, any data stored on volumes is lost
4. contains all the information necessary to boot the instance
1. A-1 , B-2, C-3, D-4
2. A-2 , B-1, C-4, D-3
4. A-3 , B-4, C-1, D-2
5. A-1 , B-2, C-4, D-3



Question : Select the correct statement for EBS
1. You can create Amazon EBS volumes from 1 GiB to 1 TiB in size. You can mount these volumes as devices on your Amazon EC2 instances.
2. You can create point-in-time snapshots of Amazon EBS volumes, which are persisted to Amazon S3.
4. 1 and 2
5. 2 and 3



Question : QuickTechie.com has an EC2 instance on which this website is running, but they realized that this instance is not good enough for a heavy workload.
Hence they decided to upgrade the EC2 instance; however, they do not want to lose the attached volume (EBS), so they created a snapshot of the volume. After upgrading
the EC2 instance, they attached the previous snapshot of the EBS volume. Select the correct statement in this scenario.
1. New volumes created from existing Amazon S3 snapshots load lazily in the background.
2. New volumes created from existing Amazon S3 snapshots are loaded first before starting the new instance.
4. New volumes created from existing Amazon S3 snapshots first need to be decrypted and then load lazily in the background.



Question : QuickTechie.com has an EC2 instance on which this website is running, but they realized that this instance is not good enough for a heavy workload.
Hence they decided to upgrade the EC2 instance; however, they do not want to lose the attached volume (EBS), so they created a snapshot of the volume. After upgrading
the EC2 instance, they attached the previous snapshot of the EBS volume. As this is the production snapshot, select the correct statement for this.
1. To avoid the possibility of increased read or write latency on a production workload, you should first access all of the blocks on the volume to ensure optimal performance
2. To avoid the possibility of increased read or write latency on a production workload, you should wait for all the data to be downloaded and then start the EC2 instance
4. None of the above



Question : You are using an EBS volume for storing your website data, but you realized that the volume is about to fill. How can you increase the volume size?
1. Requesting AWS with the volume id
2. You can change volume size from AWS console
4. You can expand the storage space of an Amazon EBS volume by migrating your data to a larger volume and then extending the file system on the volume to recognize the newly available space.
5. None of the above