
AWS Certified Solutions Architect – Associate Questions and Answers (Dumps and Practice Questions)



Question : EC2 instances deployed in a VPC within a private subnet can be accessed from the Internet via _____ that must be
launched within a public subnet of your VPC.

1. Firewall
2. Bastion host
3. Access Mostly Uused Products by 50000+ Subscribers
4. None of the above



Explanation: If your Amazon EC2 instances are located inside the private subnet, you will not be able to connect to them directly. To connect to your instances,
you need to create and connect to a bastion host in your public subnet. This section provides an example of how to create a VPC with a private and public
subnet. The instances are located inside the private subnet, and the bastion host, NAT instance, and Elastic Load Balancing load balancer are located inside
the public subnet.






Question : What is the most secure option to connect to instances without Internet connectivity in a private subnet of a VPC?

1. Using a bastion host server to connect to the instances.
2. Enable internet connectivity and configure security group to connect to the instances
3. Access Mostly Uused Products by 50000+ Subscribers
4. Enable internet connectivity and configure NACL and security group to connect to the instances.






Explanation: To help manage the instances in the private subnet, you can set up bastion servers in the public subnet to act as proxies. For example, you can set up
SSH port forwarders or RDP gateways in the public subnet to proxy the traffic going to your database servers from your own network.

The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and a private subnet. We recommend this scenario if you want
to run a public-facing web application, while maintaining back-end servers that aren't publicly accessible. A common example is a multi-tier website, with
the web servers in a public subnet and the database servers in a private subnet. You can set up security and routing so that the web servers can communicate
with the database servers.

The instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet can't. The instances
in the public subnet can send outbound traffic directly to the Internet, whereas the instances in the private subnet can't. Instead, the instances in the
private subnet can access the Internet by using a network address translation (NAT) instance that you launch into the public subnet.









Question : Which AWS service could be used for exporting data in Amazon DynamoDB to Amazon S3, importing
data in Amazon S3 to Amazon DynamoDB, and querying live Amazon DynamoDB data using SQL-like statements?

1. Amazon Redshift
2. Amazon OpsWorks
3. Access Mostly Uused Products by 50000+ Subscribers
4. Amazon Elastic MapReduce
Ans : 4
Exp : Use Amazon Elastic MapReduce (Amazon EMR) with a customized version of Hive that includes connectivity to Amazon DynamoDB to perform operations on
data stored in DynamoDB, such as:
Exporting data stored in DynamoDB to Amazon S3.
Importing data in Amazon S3 to DynamoDB.
Querying live DynamoDB data using SQL-like statements (HiveQL).
Joining data stored in DynamoDB and exporting it or querying against the joined data.
Loading DynamoDB data into the Hadoop Distributed File System (HDFS) and using it as input into an Amazon EMR job flow.






Question :Which AWS service can be used to define a Virtual Network that closely resembles a traditional data center?


1. Amazon ServiceBus
2. Amazon EMR
3. Access Mostly Uused Products by 50000+ Subscribers
4. Amazon VPC
Ans: 4

Exp : Amazon VPC lets you provision a logically isolated section of the Amazon Web Services (AWS) Cloud where you can launch AWS resources in a
virtual network that you define. You have complete control over your virtual networking environment, including selection of your own IP address
range, creation of subnets, and configuration of route tables and network gateways. You can also create a Hardware Virtual Private Network (VPN)
connection between your corporate datacenter and your VPC and leverage the AWS cloud as an extension of your corporate datacenter.

You can easily customize the network configuration for your Amazon VPC. For example, you can create a public-facing subnet for your web servers that have
access to the Internet, and place your backend systems such as databases or application servers in a private-facing subnet with no Internet access. You can
leverage multiple layers of security, including security groups and network access control lists, to help control access to Amazon EC2 instances in each
subnet.





Question :Apache Hive is a software layer that you can use to query map reduce job flows using a simplified,
SQL-like query language called HiveQL. It runs on top of the __________ architecture


1. HDFS
2. Hadoop
3. Access Mostly Uused Products by 50000+ Subscribers
4. Parallel Query
Ans : 2
Exp : Apache Hive is a software layer that you can use to query map reduce job flows using a simplified, SQL-like query language called HiveQL. It runs
on top of the Hadoop architecture. For more information about Hive and HiveQL

There are several ways to launch an Amazon EMR job flow: you can use the AWS Management Console Amazon EMR tab, the Amazon EMR command-line interface (CLI),
or you can program your job flow using the AWS SDK or the API. You can also choose whether to run a Hive job flow interactively or from a script. In this
document, we will show you how to launch an interactive Hive job flow from the console and the CLI.

Using Hive interactively is a great way to test query performance and tune your application. Once you have established a set of Hive commands that will run
on a regular basis, consider creating a Hive script that Amazon EMR can run for you.






Question : Which of the following is NOT a status for standard and provisioned IOPS volumes?

1. insufficient-data
2. warning
3. Access Mostly Uused Products by 50000+ Subscribers
4. impaired
Ans :3
Exp : Overall Volume Status

Ok, warning, impaired and insufficient-data






Question : Which of the following strategies can NOT be used to control access to your Amazon EC2 instances?

1. IAM Policies
2. DB Security Groups
3. Access Mostly Uused Products by 50000+ Subscribers
4. EC2 Security Groups

Ans : 1
Exp : IAM policies allow you to specify what actions your IAM users are allowed to perform against your EC2 instances. However, when it comes to access
control, Security Groups are what you need in order to define and control the way you want your instances to be accessed, and whether certain
kinds of communication are allowed.







Question : Each Amazon EBS Snapshot has a ______ attribute that you can set to one or more AWS Account IDs in order to share the AMI with those AWS Accounts.
1. LaunchPermission
2. AccessPermission
3. Access Mostly Uused Products by 50000+ Subscribers
4. VolumePermission
Ans : 4
Exp : Each Amazon EBS Snapshot has a VolumePermission attribute that you can set to one or more AWS Account IDs in order to share the AMI with those AWS
Accounts. To allow several AWS Accounts to use a particular EBS snapshot, you can use the snapshot's VolumePermission attribute to include a list of
the accounts that can use it.




Question :

If you delete a user in IAM, any residual remote references to that user (e.g., an Amazon SQS policy) display its associated unique ID
in the user's ______ instead of the user's friendly name.

1. ID
2. ARN
3. Access Mostly Uused Products by 50000+ Subscribers
4. UID
Ans : 2
Exp : You might delete an IAM user from your account if someone quits your company. If the user is only temporarily unavailable, you can disable the
user's credentials instead of deleting the user entirely from the AWS account. That way, you can prevent the user from accessing the AWS account's
resources during the absence but you can re-enable the user later.

After you delete a user, any residual references to that user in other services (for example, in an Amazon SQS policy) display the unique ID in the user's
ARN instead of the user's friendly name. If you've stored the unique ID in your own system, you can then use the displayed unique ID to identify the deleted
user being referred to.




Question :

In Amazon AWS, it is recommended that you use the local instance store for temporary data and, for data requiring a higher level of durability, we recommend
using ______.

1. Backing up the data to Amazon S3
2. Amazon EBS volumes or backing up the data to Amazon S3
3. Access Mostly Uused Products by 50000+ Subscribers
4. Amazon EC2 instances
Ans : 2
Exp : The data stored on a local instance store will persist only as long as that instance is alive. However, data that is stored on an Amazon EBS
volume will persist independently of the life of the instance. Therefore, we recommend that you use the local instance store for temporary data and, for
data requiring a higher level of durability, we recommend using Amazon EBS volumes or backing up the data to Amazon S3. If you are using an Amazon EBS
volume as a root partition, you will need to set the Delete On Terminate flag to "N" if you want your Amazon EBS volume to persist outside the life of
the instance.




Question :

Which kind of IP address should be given to an EC2 instance in order to make it publicly and consistently accessible?

1. Dynamic IP Address
2. Class A IP Address
3. Access Mostly Uused Products by 50000+ Subscribers
4. Class D IP Address
Ans : 3
Exp : Elastic IP Addresses in EC2-Classic
By default, we assign each instance in EC2-Classic two IP addresses at launch: a private IP address and a public IP address that is mapped to the private IP
address through network address translation (NAT). The public IP address is allocated from the EC2-Classic public IP address pool, and is associated with
your instance, not with your AWS account. You cannot reuse a public IP address after it's been disassociated from your instance.
If you use dynamic DNS to map an existing DNS name to a new instance's public IP address, it might take up to 24 hours for the IP address to propagate
through the Internet. As a result, new instances might not receive traffic while terminated instances continue to receive requests. To solve this problem,
use an EIP.
When you associate an EIP with an instance, the instance's current public IP address is released to the EC2-Classic public IP address pool. If you
disassociate an EIP from the instance, the instance is automatically assigned a new public IP address within a few minutes. In addition, stopping the
instance also disassociates the EIP from it.

Elastic IP Addresses in a VPC
We assign each instance in a default VPC two IP addresses at launch: a private IP address and a public IP address that is mapped to the private IP address
through network address translation (NAT). The public IP address is allocated from the EC2-VPC public IP address pool, and is associated with your instance,
not with your AWS account. You cannot reuse a public IP address after it's been disassociated from your instance.

We assign each instance in a nondefault VPC only a private IP address, unless you specifically request a public IP address during launch. To ensure that an
instance in a nondefault VPC that has not been assigned a public IP address can communicate with the Internet, you must allocate an Elastic IP address for
use with a VPC, and then associate that EIP with the elastic network interface (ENI) attached to the instance.

When you associate an EIP with an instance in a default VPC, or an instance in which you assigned a public IP to the eth0 network interface during launch,
its current public IP address is released to the EC2-VPC public IP address pool. If you disassociate an EIP from the instance, the instance is automatically
assigned a new public IP address within a few minutes. However, if you have attached a second network interface to the instance, the instance is not
automatically assigned a new public IP address; you'll have to associate an EIP with it manually. The EIP remains associated with the instance when you stop
it.





Question :

The following query strings cause CloudFront to cache:

http://d111111abcdef8.cloudfront.net/images/image.jpg?parameter1=a
http://d111111abcdef8.cloudfront.net/images/image.jpg?parameter1=b
http://d111111abcdef8.cloudfront.net/images/image.jpg?parameter1=c



1. one object
2. four objects
3. Access Mostly Uused Products by 50000+ Subscribers
4. nothing
Ans :3
Exp : For web distributions, you can specify whether you want CloudFront to include query strings when it forwards requests to your origin. For example,
you can specify whether you want CloudFront to forward the ?parameter1=a part of the following URL:

http://d111111abcdef8.cloudfront.net/images/image.jpg?parameter1=a

If you configure CloudFront to forward query strings to your origin, CloudFront will include the query string portion of the URL when caching the object.

The query strings in the question above cause CloudFront to cache three objects. This is true even if your origin always returns the same image.jpg regardless of
the query string.



Question :

A new instance is launched in a public VPC subnet. There is an internet gateway and a route entry for 0.0.0.0/0, but the instance
cannot reach the internet. Other instances in this subnet have no issue. How can this problem be solved?

1. Instance should have either public IP or elastic IP.
2. A new security group should be created and allow outbound for any. Then instance should be attached to this security group.
3. Access Mostly Uused Products by 50000+ Subscribers
4. instance should be terminated and relaunched again.
Ans : 1
Exp : By default, instances launched into a nondefault VPC are not assigned a public IP address. To be able to connect to your instance, you can assign
a public IP address now, or allocate an Elastic IP address and assign it to your instance after it's launched.


Question :

If you believe that the tunnel credentials for your VPN connection to your VPC have been compromised, you can change the ______.

1. IKE pre-shared key
2. Ipsec pre-shared key
3. Access Mostly Uused Products by 50000+ Subscribers
4. Tunnel pre-shared key



Explanation: If you believe that the tunnel credentials for your VPN connection have been compromised, you can change the IKE preshared key. To do so, delete the
VPN connection, create a new one using the same virtual private gateway, and configure the new keys on your customer gateway. You also need to confirm that
the tunnel's inside and outside addresses match, because these might change when you recreate the VPN connection. While you perform the procedure,
communication with your instances in the VPC stops, but the instances continue to run uninterrupted. After the network administrator implements the new
configuration information, your VPN connection uses the new credentials, and the network connection to your instances in the VPC resumes.


Important

This procedure requires assistance from your network administrator group.



Related Questions


Question : Which of the following permissions can be implemented using IAM?
A. Installing anti-virus on a Windows-based EC2 instance
B. Launching a new Amazon EC2 instance
C. Querying the data from an Amazon MySQL RDS instance
D. Sending a CloudWatch alarm to an SNS queue and from there on to a mobile application.

1. A,B
2. B,C
3. Access Mostly Uused Products by 50000+ Subscribers
4. A,D
5. B,D


Question : You are working with a Big Finance company that uses AWS IT infrastructure. However, there are many security-related issues, and your
chief technical architect asked you to implement the following things. Which of the following can you have as part of an IAM security policy?
A. Implementing password policies
B. Enable Multi Factor Authentication
C. Enabling NACL to restrict access on private subnet
D. Creating proper security rules in security group

1. A,B
2. B,C
3. Access Mostly Uused Products by 50000+ Subscribers
4. A,D
5. B,D


Question : You are working under the AWS chief technical architect, and he suggested that you should always use IAM roles and not the Principal Credential
directly. What are all the benefits you see in this case?
A. When you use an IAM Role, you are not worried about credential theft or misuse.
B. When you use an IAM Role, you don't have to regularly rotate the access keys.
C. All the AWS Access resource policies are not required to be created.
D. You can very easily integrate with Kerberos for authentication

1. A,B
2. B,C
3. Access Mostly Uused Products by 50000+ Subscribers
4. A,D
5. B,D


Question : As an AWS architect, you have saved training course videos and some PDF files to an Amazon S3 bucket. Now you want to know who has
accessed your S3 content. How will you do that?

1. We should have used CloudFront logs

2. We should have used Cloud Monitoring detail statistics

3. Access Mostly Uused Products by 50000+ Subscribers

4. We should have enabled Server Access Logging on the S3 bucket


Question : You are using IAM for access control. You also want to have access key rotation enabled. So how many active access keys are possible in
IAM?
1. 1

2. 2

3. Access Mostly Uused Products by 50000+ Subscribers

4. 100

5. Unlimited


Question :

Who is responsible for modifying the routing tables and networking ACLs in a VPC to ensure that a DB instance is reachable from other instances in the
VPC?
1. The DB Instance Creator.
2. Anybody who is the owner of the AWS account.
3. Access Mostly Uused Products by 50000+ Subscribers
4. AWS administrator of your company.