
AWS Certified SysOps Administrator - Associate Questions and Answers (Dumps and Practice Questions)



Question : Which of the following are characteristics of Amazon VPC subnets?

Choose 2 answers
A. Each subnet maps to a single Availability Zone
B. A CIDR block mask of /25 is the smallest range supported
C. Instances in a private subnet can communicate with the internet only if they have an Elastic IP.
D. By default, all subnets can route between each other, whether they are private or public
E. Each subnet spans at least 2 Availability zones to provide a high-availability environment


1. A,B
2. A,D
4. C,E
5. A,E


Correct Answer :

Explanation:
- B is wrong: /28 is the smallest subnet size supported, not /25.
- C is wrong: instances in a private subnet reach the internet through a NAT device; an Elastic IP only helps in a public subnet.
- E is wrong: a subnet maps to exactly one Availability Zone and cannot span several.

Q. Within which Amazon EC2 region(s) is Amazon VPC available?
Amazon VPC is currently available in multiple Availability Zones in all Amazon EC2 regions.

Q. Can a VPC span multiple Availability Zones?
Yes.

Q. Can a subnet span Availability Zones?
No. A subnet must reside within a single Availability Zone.
Currently, Amazon VPC supports VPCs between /28 (in CIDR notation) and /16 in size. The IP address range of your VPC should not overlap with the IP address ranges of your existing network.

Q. Is there a limit on how large or small a subnet can be?
The minimum size of a subnet is a /28 (or 14 IP addresses). Subnets cannot be larger than the VPC in which they are created.
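As an added example (not part of the original page and not AWS's own material), a small Python checker that applies the limits quoted above to a planned layout: the VPC must be between /16 and /28, no subnet may be smaller than /28, every subnet must sit inside the VPC, subnets may not overlap each other or the existing network, and each subnet is tied to exactly one Availability Zone. The sample plan at the bottom, its subnet names and the AZ names are constructed.

```python
import ipaddress

# Limits quoted on the page: a VPC is between /16 and /28, a subnet is at
# least /28, and a subnet cannot be larger than (or fall outside) its VPC.
VPC_LARGEST_PREFIX = 16
SMALLEST_PREFIX = 28


def validate_vpc_plan(vpc_cidr, subnets, existing_networks=()):
    """Check a planned VPC layout and return a list of problems
    (an empty list means the plan is acceptable).

    vpc_cidr:          the VPC CIDR block, e.g. "10.0.0.0/16"
    subnets:           {name: (cidr, availability_zone)}; a subnet maps to
                       exactly one AZ, which is why the AZ is per subnet
    existing_networks: CIDRs the VPC must not overlap (on-premises ranges
                       reached over the VPN, peered VPCs, ...)
    """
    problems = []
    try:
        vpc = ipaddress.ip_network(vpc_cidr, strict=True)
    except ValueError as exc:
        return [f"VPC {vpc_cidr} is not a valid network: {exc}"]
    if not VPC_LARGEST_PREFIX <= vpc.prefixlen <= SMALLEST_PREFIX:
        problems.append(f"VPC {vpc} must be between /16 and /28")
    for existing in existing_networks:
        if vpc.overlaps(ipaddress.ip_network(existing)):
            problems.append(f"VPC {vpc} overlaps existing network {existing}")

    checked = []   # (name, network) of subnets that parsed correctly
    zones = set()  # distinct AZs used by the plan
    for name, (cidr, az) in subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"subnet {name} {cidr} is not a valid network: {exc}")
            continue
        if net.prefixlen > SMALLEST_PREFIX:
            problems.append(f"subnet {name} {net} is smaller than /28")
        if not net.subnet_of(vpc):
            problems.append(f"subnet {name} {net} is not inside VPC {vpc}")
        for other_name, other in checked:
            if net.overlaps(other):
                problems.append(f"subnet {name} {net} overlaps subnet {other_name} {other}")
        checked.append((name, net))
        zones.add(az)
    # A single subnet never spans AZs; high availability comes from placing
    # subnets in at least two AZs, so flag a plan that uses only one.
    if checked and len(zones) < 2:
        problems.append("all subnets are in one Availability Zone; use at least two")
    return problems


if __name__ == "__main__":
    # Constructed sample plan: two /24 subnets in different AZs inside a /16,
    # checked against a constructed on-premises range.
    plan = {
        "web-a": ("10.0.0.0/24", "us-east-1a"),
        "web-b": ("10.0.1.0/24", "us-east-1b"),
    }
    for problem in validate_vpc_plan("10.0.0.0/16", plan, ["192.168.0.0/16"]) or ["plan ok"]:
        print(problem)
```

The checker only uses the standard library, so it can run on a laptop before anything is created; `strict=True` also catches a CIDR whose host bits are set, a common typo in hand-written plans.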

With a default VPC, Amazon DHCP gives the instances a private IP, which cannot be routed out from the AWS internet gateway (this device looks like IGW-xxxxxxx via the console). So unless the AWS instances route to the internet through the IPsec tunnel gateway (looks like VGW-xxxxxx), there are two ways to allow connectivity out to the internet.
1) Give VPC instances public Elastic IPs, ensure a default route to the Amazon internet gateway, then add a route for your private LAN to the IPsec termination gateway.
2) Set up a second instance with iptables masquerading, and then have the default route to that device, while keeping the private LAN route to the IPsec termination point (back to your office).
With #1, if instances have public EIPs, then they may be connected to from the internet, if you are not careful with security groups.
With #2, all traffic is limited by the masquerading instance, which is then a point of failure. (By using Amazon's internet gateway, I'm sure they use VRRP/HSRP/CARP/etc., so it's HA.)
Also, although it has not happened to me personally, the private IP of the masquerading box could change, and so you would need to update DHCP lease info, and then force/wait to renew instance leases.





Question : When an EC2 instance that is backed by an S3-based AMI is terminated, what happens to the data on the root volume?
1. Data is automatically saved as an EBS volume.
2. Data is automatically saved as an EBS snapshot.
4. Data is unavailable until the instance is restarted


Correct Answer :

Explanation: Instances that use instance stores for the root device automatically have instance store volumes available, with one serving as the root device volume. When an instance is launched, the image that is used to boot the instance is copied to the root volume (typically sda1). Any data on the instance store volumes persists as long as the instance is running, but this data is deleted when the instance is terminated (instance store-backed instances do not support the Stop action) or if it fails (such as if an underlying drive has issues).

After an instance store-backed instance fails or terminates, it cannot be restored. If you plan to use Amazon EC2 instance store-backed instances, we highly recommend that you distribute the data on your instance stores across multiple Availability Zones. You should also back up the data on your instance store volumes to persistent storage on a regular basis.

AWS recommends that you use AMIs backed by Amazon EBS, because they launch faster and use persistent storage.







Question : You are creating an Auto Scaling group whose Instances need to insert a custom metric into CloudWatch.
Which method would be the best way to authenticate your CloudWatch PUT request?
1. Create an IAM role with the PutMetricData permission and modify the Auto Scaling launch configuration to launch instances in that role
2. Create an IAM user with the PutMetricData permission and modify the Auto Scaling launch configuration to inject the user's credentials into the instance User Data
4. Create an IAM user with the PutMetricData permission and put the credentials in a private repository and have applications on the server pull the credentials as needed

Correct Answer :

Explanation: Amazon CloudWatch integrates with AWS Identity and Access Management (IAM) so that you can specify which CloudWatch actions a user in your AWS account can perform. For example, you could create an IAM policy that gives only certain users in your organization permission to use GetMetricStatistics. They could then use the action to retrieve data about your cloud resources.

You can't use IAM to control access to CloudWatch data for specific resources. For example, you can't give a user access to CloudWatch data for only a specific set of instances or a specific load balancer. Permissions granted using IAM cover all the cloud resources you use with CloudWatch. In addition, you can't use IAM roles with the Amazon CloudWatch command line tools.

Although you can only access instance metadata and user data from within the instance itself, the data is not protected by cryptographic methods. Anyone who can access the instance can view its metadata. Therefore, you should take suitable precautions to protect sensitive data (such as long-lived encryption keys). You should not store sensitive data, such as passwords, as user data.

An IAM role is the right answer: it is the way to grant an EC2 instance permission to call AWS services securely, without placing long-lived credentials on the instance.
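As an added example (not part of the original page and not AWS's own code), the two sides of this answer in Python: the least-privilege permission and trust policies an instance role would carry so the instances can do nothing but publish into one custom metric namespace, and a small scanner that flags the rejected alternative, IAM user keys pasted into user data. The namespace `MyApp/Memory`, the metric name, and both user-data scripts are constructed; the key values in the insecure script are AWS's published placeholder credentials, not real ones.

```python
import re

# Permission policy for the instance role: only cloudwatch:PutMetricData, and
# only into one custom namespace. "MyApp/Memory" is a constructed name.
PUT_METRIC_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "cloudwatch:PutMetricData",
        # PutMetricData cannot be scoped to a particular resource (the page notes
        # this), but the namespace condition key still narrows what can be written.
        "Resource": "*",
        "Condition": {"StringEquals": {"cloudwatch:namespace": "MyApp/Memory"}},
    }],
}

# Trust policy that lets the EC2 service assume the role; the launch
# configuration's instance profile then delivers the role's temporary
# credentials to the instance through the metadata service.
EC2_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": "ec2.amazonaws.com"},
        "Action": "sts:AssumeRole",
    }],
}

# Long-lived IAM user credentials: AKIA/ASIA are the documented access key id
# prefixes; the secret key is recognised by the variable it is assigned to.
ACCESS_KEY_ID = re.compile(r"\b(AKIA|ASIA)[0-9A-Z]{16}\b")
SECRET_KEY = re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*\S+")


def find_credentials_in_user_data(user_data):
    """Scan a user-data script for IAM credentials (the anti-pattern in option 2).
    Returns [(line_number, kind), ...]; an empty list means nothing was found."""
    findings = []
    for lineno, line in enumerate(user_data.splitlines(), start=1):
        if ACCESS_KEY_ID.search(line):
            findings.append((lineno, "access key id"))
        if SECRET_KEY.search(line):
            findings.append((lineno, "secret access key"))
    return findings


def is_least_privilege(policy):
    """True if every statement allows only cloudwatch:PutMetricData and pins
    the namespace; anything broader (cloudwatch:*, extra actions, no condition) fails."""
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if stmt.get("Effect") != "Allow" or actions != ["cloudwatch:PutMetricData"]:
            return False
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if "cloudwatch:namespace" not in cond:
            return False
    return True


# Constructed user data for the insecure approach (option 2). The key values
# are AWS's published example credentials, not real ones.
INSECURE_USER_DATA = """#!/bin/bash
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
aws cloudwatch put-metric-data --namespace MyApp/Memory --metric-name Used --value 42
"""

# With the role attached, the same script carries no credentials at all: the
# AWS CLI and SDKs read the role's temporary credentials from instance metadata.
ROLE_BASED_USER_DATA = """#!/bin/bash
aws cloudwatch put-metric-data --namespace MyApp/Memory --metric-name Used --value 42
"""


if __name__ == "__main__":
    print("insecure script findings:", find_credentials_in_user_data(INSECURE_USER_DATA))
    print("role-based script findings:", find_credentials_in_user_data(ROLE_BASED_USER_DATA))
    print("policy is least privilege:", is_least_privilege(PUT_METRIC_POLICY))
```

The scanner is the kind of check a deployment pipeline can run over launch configurations before they are saved; user data is readable by anyone who can reach the instance, as the explanation says, so a key found there has to be treated as exposed.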





Related Questions


Question : The CFO of a company wants to allow one of his employees to view only the AWS usage report page. Which of the below mentioned IAM policy statements allows the user to have access to the AWS usage report page?

1. "Effect": "Allow", "Action": ["Describe"], "Resource": "Billing"
2. "Effect": "Allow", "Action": ["AccountUsage], "Resource": "*"
4. "Effect": "Allow", "Action": ["aws-portal: ViewBilling"], "Resource": "*"


Question : An organization has created IAM users. The organization wants each of the IAM users to have access to a separate DynamoDB table. All the users are added to the same group and the organization wants to set up a group level policy for this. How can the organization achieve this?

1. Define the group policy and add a condition which allows the access based on the IAM name
2. Create a DynamoDB table with the same name as the IAM user name and define the policy rule which grants access based on the DynamoDB ARN using a variable
4. It is not possible to have a group level policy which allows different IAM users to different DynamoDB Tables





Question : A user has configured an HTTPS listener on an ELB. The user has not configured any security policy which can help to negotiate SSL between the client and ELB. What will ELB do in this scenario?

1. By default ELB will select the first version of the security policy
2. By default ELB will select the latest version of the policy
4. It is not required to have a security policy since SSL is already installed



Question : A user is creating a CloudFormation stack. Which of the below mentioned limitations does not hold true for CloudFormation?

1. One account by default is limited to 100 templates
2. The user can use 60 parameters and 60 outputs in a single template
4. One account by default is limited to 20 stacks





Question : A user has two EC2 instances running in two separate regions. The user is running an internal memory management tool, which captures the data and sends it to CloudWatch in US East, using a CLI with the same namespace and metric. Which of the below mentioned options is true with respect to the above statement?
1. The setup will not work as CloudWatch cannot receive data across regions
2. CloudWatch will receive and aggregate the data based on the namespace and metric
4. CloudWatch will take the data of the server, which sends the data first




Question : An organization has created a queue named "modularqueue" with SQS. The organization is not performing any operations such as SendMessage, ReceiveMessage, DeleteMessage, GetQueueAttributes, SetQueueAttributes, AddPermission, and RemovePermission on the queue. What can happen in this scenario?

1. AWS SQS sends notification after 15 days for inactivity on queue
2. AWS SQS can delete queue after 30 days without notification
4. AWS SQS notifies the user after 2 weeks and deletes the queue after 3 weeks.