Question : A customer has a single -TB volume on-premises that is used to hold a large repository of images and print layout files. This repository is growing at 500 GB a year and must be presented as a single logical volume. The customer is becoming increasingly constrained with their local storage capacity and wants an off-site backup of this data, while maintaining low-latency access to their frequently accessed data. Which AWS Storage Gateway configuration meets the customer requirements?
1. Gateway-Cached volumes with snapshots scheduled to Amazon S3
2. Gateway-Stored volumes with snapshots scheduled to Amazon S3
3. (option text missing)
4. Gateway-Virtual Tape Library with snapshots to Amazon Glacier
Ans : 1 Exp : Gateway-Cached volumes keep the primary copy in Amazon S3 and only a cache of frequently accessed data on-premises, which is the one configuration that both relieves the local capacity constraint and keeps low-latency access to the working set; scheduled snapshots to S3 provide the off-site copy. Gateway-Stored volumes would keep the entire, growing data set on local disk, and a Virtual Tape Library is a backup target, not a presented volume.
Gateway-Cached Volumes: You store your primary data in Amazon S3 and retain your frequently accessed data locally. Gateway-Cached volumes provide substantial cost savings on primary storage, minimize the need to scale your storage on-premises, and retain low-latency access to your frequently accessed data.
Gateway-Stored Volumes: In the event you need low-latency access to your entire data set, you can configure your on-premises data gateway to store your primary data locally, and asynchronously back up point-in-time snapshots of this data to Amazon S3. Gateway-Stored volumes provide durable and inexpensive off-site backups that you can recover locally or from Amazon EC2 if, for example, you need replacement capacity for disaster recovery.
Gateway-Virtual Tape Library (Gateway-VTL): With Gateway-VTL you can have a limitless collection of virtual tapes. Each virtual tape can be stored in a Virtual Tape Library backed by Amazon S3 or a Virtual Tape Shelf backed by Amazon Glacier. The Virtual Tape Library exposes an industry standard iSCSI interface which provides your backup application with on-line access to the virtual tapes. When you no longer require immediate or frequent access to data contained on a virtual tape, you can use your backup application to move it from its Virtual Tape Library to your Virtual Tape Shelf in order to further reduce your storage costs.
Question : A t2.medium EC2 instance type must be launched with what type of Amazon Machine Image (AMI)?
1. An Instance store Hardware Virtual Machine AMI
2. An Instance store Paravirtual AMI
3. (option text missing)
4. An Amazon EBS-backed Paravirtual AMI
Ans : 3 (an Amazon EBS-backed Hardware Virtual Machine AMI) Exp : T2 instances are EBS-only and support HVM AMIs only, so a t2.medium has to be launched from an EBS-backed HVM AMI. Options 1 and 2 fail because T2 instances have no instance store, and option 4 fails because T2 does not support paravirtual AMIs. Amazon Machine Images use one of two types of virtualization: paravirtual (PV) or hardware virtual machine (HVM). All current generation instance types support HVM AMIs. Some previous generation instance types do not support Linux HVM AMIs. Some current generation instance types do not support PV AMIs. You can't change the virtualization type of an instance or an AMI; an instance can only be resized to an instance type that supports its method of virtualization, and AMIs can only be launched on instance types that support their method of virtualization. For more information, see Linux AMI Virtualization Types.
T2 instances must be launched into a VPC using HVM AMIs; they are not supported on the EC2-Classic platform and they do not support PV AMIs. If your account supports EC2-Classic and you have not created a nondefault VPC, you can't change your instance type to T2 in the console. If your instance uses HVM virtualization and it was launched in a VPC, then you can resize that instance to a T2 instance. For more information, see T2 Instances, Amazon EC2 and Amazon Virtual Private Cloud, and Linux AMI Virtualization Types.
All Amazon EC2 instance types support 64-bit AMIs, but only the following instance types support 32-bit AMIs: t1.micro, t2.micro, t2.small, m1.small, m1.medium, and c1.medium. If you are resizing a 32-bit instance, you are limited to these instance types.
You can't add instance store volumes when you resize your instance; instance store volumes may only be added at launch time. If you want to add instance store volumes, consider creating an AMI from your instance and launching a new instance from that AMI with instance store volumes. For more information, see Amazon EC2 Instance Store.
Question : Which of the following are true regarding encrypted Amazon Elastic Block Store (EBS) volumes? Choose all that apply.
A. Supported on all Amazon EBS volume types
B. Snapshots are automatically encrypted
C. Available to all instance types
D. Existing volumes can be encrypted
E. Shared volumes can be encrypted
Ans : A and B Exp : Encryption is supported on every EBS volume type, and snapshots of an encrypted volume are encrypted automatically. C is false because encryption is only available on supported instance types, D is false because an existing volume cannot be encrypted in place (the data has to be moved to a volume created with encryption enabled), and E is false because encrypted snapshots cannot be shared.
Amazon EBS encryption offers you a simple encryption solution for your EBS volumes without the need for you to build, maintain, and secure your own key management infrastructure. When you create an encrypted EBS volume and attach it to a supported instance type, data stored at rest on the volume, disk I/O, and snapshots created from the volume are all encrypted. The encryption occurs on the servers that host EC2 instances, which also encrypts the data in transit between the EC2 instance and EBS storage.
Amazon EBS encryption uses AWS Key Management Service (AWS KMS) Customer Master Keys (CMKs) when creating encrypted volumes and any snapshots created from your encrypted volumes. The first time you create an encrypted volume in a region, a default CMK is created for you automatically. This key is used for Amazon EBS encryption unless you select a CMK that you created separately using AWS Key Management Service. Creating your own CMK gives you more flexibility, including the ability to create, rotate, disable, define access controls, and audit the encryption keys used to protect your data. For more information, see the AWS Key Management Service Developer Guide.
This feature is supported with all EBS volume types (General Purpose (SSD), Provisioned IOPS (SSD), and Magnetic), and you can expect the same IOPS performance on encrypted volumes as you would with unencrypted volumes with a minimal effect on latency. You can access encrypted volumes the same way that you access existing volumes; encryption and decryption are handled transparently and they require no additional action from you, your EC2 instance, or your application. Snapshots of encrypted EBS volumes are automatically encrypted, and volumes that are created from encrypted EBS snapshots are also automatically encrypted.
Important: at the time this material was written, encrypted boot volumes were not supported, which is why the next question concerns a non-boot data volume. Current EBS does support encrypted root volumes, so check the present documentation before relying on that restriction. The encryption feature extends to snapshots: snapshots taken from encrypted volumes are automatically encrypted, volumes created from encrypted snapshots are automatically encrypted, and the data therefore stays protected throughout its lifecycle.
Amazon EBS encryption is only available on select instance types; you can attach both encrypted and unencrypted volumes to a supported instance type.
Question : An existing application stores sensitive information on a non-boot Amazon EBS data volume attached to an Amazon Elastic Compute Cloud instance. Which of the following approaches would protect the sensitive data on an Amazon EBS volume?
1. Upload your customer keys to AWS CloudHSM. Associate the Amazon EBS volume with AWS CloudHSM. Re-mount the Amazon EBS volume.
2. Create and mount a new, encrypted Amazon EBS volume. Move the data to the new volume. Delete the old Amazon EBS volume.
3. (option text missing)
4. Snapshot the current Amazon EBS volume. Restore the snapshot to a new, encrypted Amazon EBS volume. Mount the Amazon EBS volume.
Correct Answer : 2 Explanation: An EBS volume cannot be encrypted in place, so the data has to be moved onto a volume that was created with encryption enabled, after which the old unencrypted volume (and any snapshots of it) should be deleted. Option 1 describes no real feature: CloudHSM cannot be associated with an EBS volume. Option 4 did not work when this question was written, because a volume restored from an unencrypted snapshot was itself unencrypted; current EBS can create an encrypted volume from an unencrypted snapshot (or copy the snapshot with encryption enabled), so that route is viable today, but the data still ends up on a new encrypted volume. After you attach an Amazon EBS volume to your instance, it is exposed as a block device. You can format the volume with any file system and then mount it. After you make the EBS volume available for use, you can access it in the same ways that you access any other volume. Any data written to this file system is written to the EBS volume and is transparent to applications using the device. You can back up the data on your EBS volumes to Amazon S3 by taking point-in-time snapshots. Snapshots are incremental backups, which means that only the blocks on the device that have changed after your most recent snapshot are saved. When you delete a snapshot, only the data exclusive to that snapshot is removed. Active snapshots contain all of the information needed to restore your data (from the time the snapshot was taken) to a new EBS volume.
If you are dealing with snapshots of sensitive data, you should consider encrypting your data manually before taking the snapshot or storing the data on a volume that is enabled with Amazon EBS encryption. For more information, see Amazon EBS Encryption.
When you create an EBS volume, you can create it based on an existing snapshot. The new volume begins as an exact replica of the original volume that was used to create the snapshot. When you create a volume from an existing snapshot, it loads lazily in the background so that you can begin using it right away. If you access a piece of data that hasn't been loaded yet, the volume immediately downloads the requested data from Amazon S3, and then continues loading the rest of the volume's data in the background. For more information, see Creating an Amazon EBS Snapshot. Snapshots of encrypted volumes are automatically encrypted. Volumes that are created from encrypted snapshots are also automatically encrypted. Your encrypted volumes and any associated snapshots always remain protected. For more information, see Amazon EBS Encryption.
You can share your unencrypted snapshots with specific AWS accounts, or make them public to share them with the entire AWS community. Users with access to your snapshots can create their own EBS volumes from your snapshot; this doesn't affect your snapshot. For more information about how to share snapshots, see Sharing an Amazon EBS Snapshot. Note that you can't share encrypted snapshots, because your volume encryption keys and master key are specific to your account. If you need to share your encrypted snapshot data, you can migrate the data to an unencrypted volume and then share a snapshot of that volume, accepting that the shared copy is no longer protected at rest. For more information, see Migrating Data. (AWS has since added sharing of snapshots encrypted with a customer managed KMS key, by granting the other account access to the key; snapshots encrypted with the AWS-managed default key still cannot be shared.)
Snapshots are constrained to the region in which they are created. After you have created a snapshot of an EBS volume, you can use it to create new volumes in the same region. For more information, see Restoring an Amazon EBS Volume from a Snapshot. You can also copy snapshots across regions, making it easier to leverage multiple regions for geographical expansion, data center migration and disaster recovery. You can copy any accessible snapshots that are in the available state. For more information, see Copying an Amazon EBS Snapshot.
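The encryption questions above boil down to two checks a practitioner runs regularly: which volumes are still unencrypted, and which snapshots are unencrypted (and therefore shareable). The following is an added example, not code from the original page; the volume and snapshot records are constructed to match the shape of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots` output, and the root-device names are an assumption.

```python
"""Added example, not from the original page: audit EBS volumes and snapshots
for encryption at rest. The records below are constructed to match the shape
of `aws ec2 describe-volumes` and `aws ec2 describe-snapshots` output; with a
real account you would pass the parsed API responses instead."""

# Assumption: these device names identify the boot volume of a Linux instance.
ROOT_DEVICES = {"/dev/sda1", "/dev/xvda"}

# Constructed sample data (IDs and the KMS key ARN are made up).
VOLUMES = [
    {"VolumeId": "vol-0a1", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-web", "Device": "/dev/sda1"}]},
    {"VolumeId": "vol-0b2", "Encrypted": False,
     "Attachments": [{"InstanceId": "i-web", "Device": "/dev/sdf"}]},
    {"VolumeId": "vol-0c3", "Encrypted": True,
     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/0000-example",
     "Attachments": [{"InstanceId": "i-db", "Device": "/dev/sdg"}]},
]
SNAPSHOTS = [
    {"SnapshotId": "snap-001", "VolumeId": "vol-0b2", "Encrypted": False},
    {"SnapshotId": "snap-002", "VolumeId": "vol-0c3", "Encrypted": True},
]


def volume_findings(volumes):
    """Return (VolumeId, finding) for every volume that is not encrypted.

    A data volume is remediated the way the question's answer describes:
    create a new encrypted volume, move the data, delete the old one. A boot
    volume is reported separately, because it cannot be swapped underneath a
    running instance; the instance has to be rebuilt from an encrypted root.
    """
    findings = []
    for vol in volumes:
        if vol.get("Encrypted", False):
            continue
        devices = {a.get("Device") for a in vol.get("Attachments", [])}
        if devices & ROOT_DEVICES:
            findings.append((vol["VolumeId"],
                             "boot volume unencrypted: rebuild from an encrypted root"))
        else:
            findings.append((vol["VolumeId"],
                             "data volume unencrypted: migrate to a new encrypted volume"))
    return findings


def unencrypted_snapshots(snapshots):
    """Unencrypted snapshots are the riskiest artefact: unlike encrypted ones
    they can be shared with other accounts or made public."""
    return [s["SnapshotId"] for s in snapshots if not s.get("Encrypted", False)]


def encryption_report(volumes, snapshots):
    """Combine both checks into one list of human-readable lines."""
    lines = [f"{vid}: {msg}" for vid, msg in volume_findings(volumes)]
    lines += [f"{sid}: snapshot unencrypted" for sid in unencrypted_snapshots(snapshots)]
    return lines


if __name__ == "__main__":
    print("\n".join(encryption_report(VOLUMES, SNAPSHOTS)))
```

Run against the sample, the report lists the unencrypted root volume, the unencrypted data volume with the migrate-and-delete remediation, and the one unencrypted snapshot; deleting that snapshot is part of the remediation, since it holds a copy of the sensitive data outside the new encrypted volume.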
Question : A company is building software on AWS that requires access to various AWS services. Which configuration should be used to ensure that AWS credentials (i.e., Access Key ID/Secret Access Key combination) are not compromised?
1. Enable Multi-Factor Authentication for your AWS root account.
2. Assign an IAM role to the Amazon EC2 instance.
3. (option text missing)
4. Assign an IAM user to the Amazon EC2 Instance.
Ans : 2 Exp : An IAM role attached to the instance (through an instance profile) gives the software temporary credentials that are fetched from the instance metadata service and rotated automatically, so no long-lived Access Key ID/Secret Access Key pair has to be stored on the instance, in its AMI, or in source code, and there is nothing static to leak or to revoke. Option 4 is the anti-pattern the question is warning against: an IAM user's keys would have to be copied onto the instance. Option 1 is good practice but answers a different problem: MFA protects interactive sign-in by the root account and privileged IAM users (users who are allowed access to sensitive resources or APIs); it does not protect access keys used by software. With MFA, users have a device that generates a unique authentication code (a one-time password, or OTP), and users must provide both their normal credentials (like their user name and password) and the OTP. The MFA device can either be a special piece of hardware, or it can be a virtual device (for example, an app on a smartphone).
For MFA to work, you must assign an MFA device (hardware or virtual) to the IAM user or root account. The MFA device must be unique for each user; a user cannot enter a code from another user's device to authenticate. The IAM documentation shows how to set up and enable a new MFA device, how to synchronize and deactivate existing devices, and what to do when a device is lost or stops working.
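The practical check that goes with the answer above is making sure no long-lived keys are sitting on instances or in repositories in the first place. This is an added example, not code from the original page: it scans text for access key IDs and secret keys and redacts them, and shows the trust policy an EC2 role needs. The sample text is constructed and uses AWS's published example key values (`AKIAIOSFODNN7EXAMPLE` and its secret), not real credentials.

```python
"""Added example, not from the original page: find long-lived AWS access keys
in configuration or source text, the thing an IAM role makes unnecessary on an
EC2 instance. The sample text is constructed and uses AWS's published example
key values, not real credentials."""
import re

# IAM user access key IDs start with AKIA; temporary credentials issued to a
# role start with ASIA and expire on their own, so they are reported separately.
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
# A secret key is 40 base64-style characters. Only match it next to the usual
# config key name to keep false positives (hashes, tokens) down.
SECRET_RE = re.compile(
    r"(?i)aws_secret_access_key\s*[=:]\s*['\"]?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Trust policy that lets EC2 assume a role; attach the role to an instance
# profile and the SDK picks up rotating credentials from instance metadata.
EC2_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Principal": {"Service": "ec2.amazonaws.com"},
                   "Action": "sts:AssumeRole"}],
}

# Constructed sample: a credentials file plus a role session key in the env.
SAMPLE = """\
[default]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

# exported by a process that assumed an instance role (expires automatically)
AWS_ACCESS_KEY_ID=ASIAIOSFODNN7EXAMPLE
"""


def find_credentials(text):
    """Return static key IDs, temporary key IDs and secret keys found in text."""
    static, temporary = [], []
    for m in ACCESS_KEY_RE.finditer(text):
        (static if m.group(1).startswith("AKIA") else temporary).append(m.group(1))
    secrets = [m.group(1) for m in SECRET_RE.finditer(text)]
    return {"static_keys": static, "temporary_keys": temporary, "secrets": secrets}


def redact(text):
    """Mask key material before the text goes into a log or a ticket."""
    text = ACCESS_KEY_RE.sub(lambda m: m.group(1)[:4] + "*" * 16, text)
    return SECRET_RE.sub(lambda m: m.group(0).replace(m.group(1), "*" * 40), text)


def scan_files(paths):
    """Run find_credentials over files on disk; returns {path: findings} for
    files that contain a static key ID or a secret key."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as fh:
            found = find_credentials(fh.read())
        if found["static_keys"] or found["secrets"]:
            results[path] = found
    return results


if __name__ == "__main__":
    print(find_credentials(SAMPLE))
    print(redact(SAMPLE))
```

A static key found on an instance that already has a role is a finding in itself: the key should be deactivated in IAM and the code switched to the SDK's default credential chain, which uses the role automatically.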
Question : You manually launch a NAT AMI in a public subnet. The network is properly configured. Security groups and network access control lists are properly configured. Instances in a private subnet can reach the NAT. The NAT can access the Internet. However, private instances cannot access the Internet. What additional step is required to allow access from the private instances?
1. Enable Source/Destination Check on the private instances.
2. Enable Source/Destination Check on the NAT instance.
3. (option text missing)
4. Disable Source/Destination Check on the NAT instance.
Ans : 4 Exp : Disabling Source/Destination Checks
Each EC2 instance performs source/destination checks by default. This means that the instance must be the source or destination of any traffic it sends or receives, and packets that fail the check are silently dropped. A NAT instance forwards traffic on behalf of the private instances, so it must send and receive packets whose source or destination is not itself. Therefore, you must disable source/destination checks on the NAT instance; the check stays enabled on the private instances, which only ever send and receive their own traffic.
You can disable the SrcDestCheck attribute for a NAT instance that's either running or stopped, using the console or the command line.
Question : A customer is running a multi-tier web application farm in a virtual private cloud (VPC) that is not connected to their corporate network. They are connecting to the VPC over the Internet to manage all of their Amazon EC2 instances running in both the public and private subnets. They have only authorized the bastion-security-group with Microsoft Remote Desktop Protocol (RDP) access to the application instance security groups, but the company wants to further limit administrative access to all of the instances in the VPC. Which of the following Bastion deployment scenarios will meet this requirement?
1. Deploy a Windows Bastion host on the corporate network that has RDP access to all instances in the VPC.
2. Deploy a Windows Bastion host with an Elastic IP address in the public subnet and allow SSH access to the bastion from anywhere.
3. (option text missing) corporate public IP addresses.
4. Deploy a Windows Bastion host with an auto-assigned Public IP address in the public subnet, and allow RDP access to the bastion from only the corporate public IP addresses.
Ans : 4 Exp : Option 1 is impossible because the VPC is not connected to the corporate network, and option 2 opens the bastion to the whole Internet (on SSH, which is not even the protocol a Windows bastion uses). Option 4 keeps the existing chain (application instances accept RDP only from the bastion's security group) and adds a second restriction at the edge: the bastion accepts RDP only from the corporate public IP range. If you run Microsoft Windows instances in EC2, then you most likely use the Remote Desktop Protocol (RDP) for remote administration. To define the source IPs that are allowed to connect to your EC2 instances' RDP port (TCP/3389), you configure the instance's security group rules. When configuring your security groups, it's a best practice to apply the principle of least privilege, allowing connections to the RDP port only from IP addresses your administrators will be connecting from and denying all others. However, in cases where an administrator could be connecting from anywhere on the Internet, trying to determine which IPs to allow can be difficult. As a result, we often see customers setting security groups for RDP access to allow every IP (0.0.0.0/0), thereby failing to enforce least privilege at the network layer.
One solution to this problem is to protect your Windows instances at the network layer using Microsoft Remote Desktop (RD) Gateway server set up as a bastion. RD Gateway can be configured to accept connections via HTTPS (TCP/443) from every IP on the Internet, then proxy them to your other Windows instances using RDP port (TCP/3389). Only users who authenticate to your RD Gateway instance are allowed to proceed on to the protected Windows instances behind the proxy.
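The NAT and bastion questions above both come down to attributes an auditor can read straight out of the EC2 API. The following is an added example, not code from the original page: it flags NAT instances that still have the source/destination check enabled (the fix is `aws ec2 modify-instance-attribute --instance-id <id> --no-source-dest-check`) and security group rules that expose SSH or RDP to address ranges outside the corporate CIDR. The data is constructed to match the shape of `describe-instances`, `describe-route-tables` and `describe-security-groups` output; all IDs are made up and 203.0.113.0/24 stands in for the corporate public range.

```python
"""Added example, not from the original page: two checks for the NAT-instance
and bastion questions, run over constructed data shaped like the output of
`aws ec2 describe-instances`, `describe-route-tables` and
`describe-security-groups`. All IDs are made up and 203.0.113.0/24 stands in
for the corporate public range."""
import ipaddress

ADMIN_PORTS = {22: "SSH", 3389: "RDP"}

INSTANCES = [
    {"InstanceId": "i-nat01", "SourceDestCheck": True},    # NAT AMI, check still on
    {"InstanceId": "i-bastion", "SourceDestCheck": True},  # ordinary host, fine
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-private", "Routes": [
        {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
        {"DestinationCidrBlock": "0.0.0.0/0", "InstanceId": "i-nat01"},
    ]},
]
SECURITY_GROUPS = [
    {"GroupId": "sg-bastion", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "IpRanges": [{"CidrIp": "203.0.113.0/24"}, {"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-app", "IpPermissions": [
        # RDP only from the bastion's security group: no CIDR at all
        {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
         "UserIdGroupPairs": [{"GroupId": "sg-bastion"}]},
    ]},
]


def nat_instances_with_srcdest_check(instances, route_tables):
    """A NAT instance is any instance a route table forwards traffic to. Each
    must have SourceDestCheck disabled, or forwarded packets are dropped."""
    nat_ids = {r["InstanceId"] for rt in route_tables
               for r in rt.get("Routes", []) if "InstanceId" in r}
    return sorted(i["InstanceId"] for i in instances
                  if i["InstanceId"] in nat_ids and i.get("SourceDestCheck", True))


def admin_ports_open_to_untrusted(security_groups, trusted_cidrs=()):
    """Return (GroupId, service, CidrIp) for inbound SSH/RDP rules whose source
    range is not inside one of the trusted CIDRs. Rules that reference another
    security group instead of a CIDR are least-privilege and are not reported."""
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            if perm.get("IpProtocol") not in ("tcp", "-1"):
                continue
            lo, hi = perm.get("FromPort", 0), perm.get("ToPort", 65535)
            services = [ADMIN_PORTS[p] for p in sorted(ADMIN_PORTS) if lo <= p <= hi]
            if not services:
                continue
            for rng in perm.get("IpRanges", []):
                net = ipaddress.ip_network(rng["CidrIp"])
                if any(t.version == net.version and net.subnet_of(t) for t in trusted):
                    continue
                for service in services:
                    findings.append((sg["GroupId"], service, rng["CidrIp"]))
    return findings


if __name__ == "__main__":
    print("NAT instances still doing source/destination checks:",
          nat_instances_with_srcdest_check(INSTANCES, ROUTE_TABLES))
    print("admin ports reachable from untrusted ranges:",
          admin_ports_open_to_untrusted(SECURITY_GROUPS, trusted_cidrs=["203.0.113.0/24"]))
```

On the sample data the first check names i-nat01, and the second reports only the 0.0.0.0/0 entry on sg-bastion: the corporate range passes as trusted, and sg-app is clean because it grants RDP to a security group rather than to an address range, which is exactly the chain option 4 preserves.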
Question : You have placed a Windows EC2 instance in a private subnet and configured its security group to allow outbound traffic to the Internet and to allow no inbound traffic from the Internet. Now you need to install a patch that can only be downloaded from the vendor's website. Select the correct statement.
A. You log in to the Windows EC2 instance and send the request over the Internet, but the patch download fails, because outbound requests are allowed while inbound traffic is denied.
B. You log in to the Windows EC2 instance and send the request over the Internet, and the patch download succeeds.
C. The patch download succeeds only if the request carries a request_id parameter, so that the response can be authenticated against the same request_id.
D. No, you cannot install the patch yourself; you have to raise an AWS support request.
Correct Answer : B Explanation: Security groups are stateful. The response to any request the instance is allowed to send out is accepted back in regardless of the inbound rules, so the download completes. Two caveats: security groups have no deny rules, so "deny all inbound" simply means that no inbound allow rule exists; and an instance in a private subnet can only reach the vendor's site at all if its route table sends 0.0.0.0/0 to a NAT instance or NAT gateway, as in the NAT question above. Network ACLs, by contrast, are stateless, so if a custom NACL is attached to the subnet it needs an inbound rule covering the ephemeral port range or the response is dropped before the security group ever sees it.
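To make the stateful-versus-stateless distinction concrete, here is an added example, not code from the original page: a small model in which a security group tracks the connections it allowed out and admits their replies, while a network ACL judges every packet on its own. Addresses, ports and rules are constructed (198.51.100.7 stands in for the vendor's site, 10.0.1.10 for the instance in the private subnet), and the model assumes the subnet already has a NAT route so the request can leave at all.

```python
"""Added example, not from the original page: a small model of why the patch
download in the question succeeds. A security group is stateful, so the reply
to a permitted outbound connection is let back in without any inbound rule; a
network ACL is stateless, so the same reply is judged on its own and needs an
inbound rule covering the ephemeral port it returns to. Addresses, ports and
rules below are constructed (198.51.100.7 stands in for the vendor's site)."""
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "direction proto src_ip src_port dst_ip dst_port")


def _rule_matches(proto, lo, hi, cidr, flow):
    """A rule names the remote peer's CIDR and the destination port range."""
    peer = flow.src_ip if flow.direction == "in" else flow.dst_ip
    return (proto in (flow.proto, "-1") and lo <= flow.dst_port <= hi
            and ipaddress.ip_address(peer) in ipaddress.ip_network(cidr))


class SecurityGroup:
    """Allow-only rules plus connection tracking. There are no deny rules: a
    packet with no matching allow (and no tracked connection) is dropped."""

    def __init__(self, inbound=(), outbound=()):
        self.inbound, self.outbound = list(inbound), list(outbound)
        self._tracked = set()

    def permits(self, flow):
        if flow.direction == "out":
            ok = any(_rule_matches(*r, flow) for r in self.outbound)
            if ok:  # remember the connection so its reply is accepted
                self._tracked.add((flow.proto, flow.dst_ip, flow.dst_port,
                                   flow.src_ip, flow.src_port))
            return ok
        if (flow.proto, flow.src_ip, flow.src_port, flow.dst_ip, flow.dst_port) in self._tracked:
            return True
        return any(_rule_matches(*r, flow) for r in self.inbound)


def nacl_permits(rules, flow):
    """Network ACL: numbered allow/deny rules evaluated in order, no state.
    rules: (number, action, proto, lo, hi, cidr); unmatched traffic is denied."""
    for _, action, proto, lo, hi, cidr in sorted(rules):
        if _rule_matches(proto, lo, hi, cidr, flow):
            return action == "allow"
    return False


def simulate(sg, inbound_acl, outbound_acl):
    """Send one HTTPS request from the private instance and return whether the
    request and the vendor's reply each pass both the SG and the NACL."""
    request = Flow("out", "tcp", "10.0.1.10", 49152, "198.51.100.7", 443)
    reply = Flow("in", "tcp", "198.51.100.7", 443, "10.0.1.10", 49152)
    req_ok = sg.permits(request) and nacl_permits(outbound_acl, request)
    rep_ok = sg.permits(reply) and nacl_permits(inbound_acl, reply)
    return req_ok, rep_ok


def patch_sg():
    """The question's security group: outbound allowed, no inbound rule."""
    return SecurityGroup(inbound=[], outbound=[("tcp", 443, 443, "0.0.0.0/0")])


ACL_OUT = [(100, "allow", "-1", 0, 65535, "0.0.0.0/0")]
ACL_IN_EPHEMERAL = [(100, "allow", "tcp", 1024, 65535, "0.0.0.0/0")]
ACL_IN_NO_EPHEMERAL = [(100, "allow", "tcp", 443, 443, "0.0.0.0/0")]

if __name__ == "__main__":
    print("NACL with ephemeral inbound rule:", simulate(patch_sg(), ACL_IN_EPHEMERAL, ACL_OUT))
    print("NACL without ephemeral rule:    ", simulate(patch_sg(), ACL_IN_NO_EPHEMERAL, ACL_OUT))
```

The first run returns (True, True): the security group admits the reply from its connection table and the NACL has the ephemeral-port rule. The second returns (True, False): the security group would still admit the reply, but the stateless NACL only allows inbound port 443, and the reply arrives on port 49152, so the download stalls. The same model also shows that an unsolicited inbound packet to a fresh security group is rejected, which is the "deny all inbound" behaviour the question describes.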