Domain 8
Practice Test

  1. Which of the following is not a valid ECS metric?

    1. MemoryUtilization
    2. GPUReservation
    3. ClusterService
    4. CPUReservation
  2. Which of the following may cause an EC2 instance to fail its status check? (Choose two.)

    1. Boot sector corruption
    2. Overloaded network interface
    3. Application memory leak
    4. Disk full
  3. Which AWS CLI command can show you the system status of an EC2 instance?

    1. aws cloudwatch describe-instance-status
    2. aws ec2 describe-instance-status
    3. aws ec2 describe-system-status
    4. aws cloudwatch get-instance-status
  4. A junior administrator uses the AWS CLI for routine tasks. He’s trying to use the AWS CLI to view the status of EC2 instances. Every time he tries, he receives an error indicating he doesn’t have access. How can you resolve this?

    1. Grant the admin permissions in the CloudWatchReadOnlyAccess AWS managed IAM policy.
    2. Grant the admin permissions in the AmazonEC2ReadOnly AWS managed IAM policy.
    3. Create a new API key for the admin.
    4. Tell the admin to use the AWS Management Console.
  5. Which of the following operating systems can the CloudWatch agent not run on?

    1. BSD
    2. Windows Server 2008
    3. RHEL
    4. SUSE Linux
  6. You want to find out which users are authenticating to a Windows server running on-premises. Which of the following can help you gather this information?

    1. CloudWatch Logs agent
    2. EC2
    3. CloudWatch Events
    4. AWS Directory Service
  7. What does the CloudWatch Logs agent use to encrypt log data in transit?

    1. PGP
    2. KMS
    3. HTTPS
    4. SSL
  8. What does CloudWatch Logs use to encrypt log data at rest?

    1. KMS
    2. PGP
    3. Client encryption
    4. CloudHSM
  9. Which of the following shows you all AWS service issues?

    1. Simple Notification Service
    2. Service Health Dashboard
    3. CloudWatch
    4. Personal Health Dashboard
  10. Which of the following AWS services analyzes VPC traffic for security threats?

    1. Inspector
    2. GuardDuty
    3. CloudTrail
    4. VPC Flow Logs
  11. Which of the following lets you securely run arbitrary commands on a Red Hat EC2 instance in a private subnet without using your own SSH client?

    1. Telnet
    2. EC2 Instance Connect
    3. RDP
    4. EC2 Console Output
  12. Which of the following services uses SQL?

    1. EMR
    2. Redshift
    3. CloudWatch Log Insights
    4. Minerva
  13. Which EC2 Auto Scaling option requires the least effort to implement?

    1. Dynamic scaling policies
    2. Scheduled scaling
    3. Predictive scaling
    4. Lifecycle scaling
  14. You’re running a dynamic web application on two EC2 instances in different regions. You’re load balancing traffic to the application using Route 53 latency resource records. The CPU utilization on these instances intermittently spikes to nearly 100% and users report a slowdown during this time. Which of the following will offer the most performance improvement?

    1. Implement Auto Scaling groups.
    2. Move the instances into the same region.
    3. Implement an application load balancer.
    4. Use Route 53 weighted records instead of latency records.
  15. Which of the following is true of a launch template?

    1. It’s versioned.
    2. It can be used with ECS.
    3. It can’t be edited.
    4. You can tag specific versions of a launch template.
    5. It requires an AMI ID.
  16. Which of the following is true of a launch configuration? (Choose two.)

    1. It’s not versioned.
    2. It can be used with ECS.
    3. It can’t be edited.
    4. It requires an AMI ID.
  17. You need to implement a highly available MySQL database in AWS. It must be synchronously backed up. Which of the following Relational Database Service (RDS) options should you choose?

    1. Automated snapshots
    2. Multi-AZ
    3. Amazon Aurora
    4. Read replica
  18. Which of the following services allows for decoupling application components by reliably passing messages between applications?

    1. Lambda
    2. SQS
    3. Email
    4. SNS
  19. By default, how long does a sent message remain in an SQS queue?

    1. It’s deleted immediately.
    2. 1 day
    3. 4 days
    4. 14 days
    5. 30 days
  20. What’s the longest a sent message can stay in an SQS queue?

    1. 1 minute
    2. 1 day
    3. 4 days
    4. 14 days
    5. 30 days
  21. Which of the following can be used to temporarily store a 1 MB binary file? (Choose two.)

    1. S3
    2. DynamoDB
    3. SQS
    4. Lambda
    5. SNS
  22. Which of the following should you not use to store session state?

    1. DynamoDB
    2. Redis
    3. ElastiCache
    4. Memcached
    5. SQS
  23. You have two different AWS accounts. In one account you have an instance in the availability zone us-east-1a, while in the other account you have an instance in the AZ us-east-1b. Which of the following is true of this configuration?

    1. This is a violation of the AWS terms of service.
    2. The instances are in different physical locations.
    3. The instances may be in the same physical location.
    4. The instances may be in different regions.
  24. Using one domain name, you want to direct traffic to a different instance based on the URL path. Which of the following should you use? (Choose two.)

    1. Network load balancer
    2. Application load balancer
    3. Host-based routing
    4. Path-based routing
  25. A friend who uses AWS for her personal website is reporting that the US-West-1c availability zone is having an EC2 outage. Your company has EC2 instances in the US-West-1c zone but isn’t experiencing any problems. How should you respond to your friend’s report?

    1. Take no action.
    2. Migrate your instances to a different zone.
    3. Create an Auto Scaling group.
    4. Open a proactive support ticket with AWS.
  26. You want to grant a user in another AWS account access to a file in an S3 bucket. Which of the following should you do?

    1. Use an IAM policy.
    2. Disable SSE-S3 encryption.
    3. Make the file public.
    4. Use a resource-based policy.
  27. You have an EC2 instance running an Apache web server on TCP port 444. A public-facing application load balancer is configured to listen for HTTPS traffic and proxy it to the instance. But when you browse to the load balancer’s endpoint, you get a “gateway timeout” error. Which of the following should you do to resolve this? (Choose two.)

    1. On the security group attached to the instance, add an inbound rule for HTTPS.
    2. On the security group attached to the instance, add an inbound rule for TCP port 444.
    3. On the security group attached to the application load balancer, add an outbound rule for TCP port 444.
    4. On the security group attached to the application load balancer, add an outbound rule for HTTPS.
  28. Which of the following is designed to store long-term credentials?

    1. IAM
    2. STS
    3. Secrets Manager
    4. KMS
  29. You have an IAM role to grant specific permissions to DynamoDB. This role is attached to an instance profile. You need to also grant the role permissions to an S3 bucket. Which of the following can you do to accomplish this? (Choose two.)

    1. Create a bucket policy to grant the role access.
    2. Add the permissions to the instance profile.
    3. Create a new IAM role with just the S3 permissions and add it to the instance profile.
    4. Add the permissions to the IAM role.
  30. The KMS custom key store depends on which of the following?

    1. IAM
    2. CloudHSM
    3. VPC
    4. CloudTrail
  31. Which of the following can you export?

    1. KMS-generated CMK
    2. Private TLS certificates from ACM
    3. Marketplace AMIs
    4. SSE-S3 key
  32. You’ve created a custom Windows AMI and used it to successfully launch several EC2 instances, but none of the instances show up in AWS Simple Systems Manager inventory. Which of the following could be the reason? (Choose two.)

    1. The instances are in a private subnet.
    2. The SSM agent never ran.
    3. The instances are in a public subnet.
    4. The instances’ security group has no outbound rules.
    5. The instances aren’t running.
  33. You need to provide a client’s IAM principal with access to an S3 bucket. The client has given you a 64-character string. What else do you need to grant them access?

    1. ARN
    2. Account number
    3. IAM username
    4. The IAM principal’s access key ID
  34. A colleague wants to create a VPC subnet with a CIDR of 10.0.0.0/28. What should you tell them?

    1. AWS doesn’t allow this CIDR.
    2. It will give them 11 usable addresses.
    3. It will give them 10 usable addresses.
    4. It will give them 16 usable addresses.
    5. This CIDR will leave room for only one subnet.
  35. You’ve attempted to use your root access key to enumerate some AWS resources using the AWS CLI, but you’re getting an error. Which of the following could be the reason?

    1. The access key is expired.
    2. Root access keys are blocked by default.
    3. The time on your workstation is wrong.
    4. The root user doesn’t have the proper permissions.
  36. For the next 24 hours you want to monitor a VPC for unusually large volumes of traffic. Which of the following should you do?

    1. Enable GuardDuty.
    2. Enable VPC flow logging.
    3. Enable Inspector.
    4. Create a CloudWatch alarm to monitor VPC traffic.
  37. You’re running a web service on an EC2 instance. You want Route 53 to return the private IP address of the instance. How can you achieve this?

    1. Use a private hosted zone.
    2. Create a simple resource record.
    3. Create an alias record.
    4. This isn’t possible.
  38. You’re attempting to set up a VPC peering connection between two VPCs, VPC A and VPC B. In VPC A you’ve created the peering connection and configured the route table, NACLs, and security groups to allow access to an ENI in VPC B. Which of the following must you do to get a working VPC peering connection? (Choose two.)

    1. Create a new peering connection on the VPC B side.
    2. Accept the peering connection on the VPC B side.
    3. Create a transit gateway in VPC A.
    4. Configure the route table, security groups, and NACLs in VPC B.
    5. Create a transit gateway in VPC B.
  39. A dual-stack Windows application requires IPv4 and IPv6. Which of the following is required to implement this application in a VPC?

    1. Allocate an IPv6 CIDR for the VPC.
    2. Place the instance in a public subnet.
    3. Create an IPv6 gateway.
    4. IPv6 isn’t supported for Windows instances.
  40. Which of the following does Direct Connect provide?

    1. Reduced jitter
    2. Packet capture
    3. Encryption
    4. Authentication
  41. Which of the following elastic load balancing features can result in an uneven distribution of traffic to instances?

    1. Session stickiness
    2. Cross-zone load balancing
    3. SSL offload
    4. Path-based routing
  42. You have an EC2 instance with an elastic IP address associated with it. IPv6 is enabled in the instance’s public subnet. How can you ensure that hosts on the Internet are able to reach the instance via IPv6?

    1. Disable IPv4 on the instance.
    2. Assign a global unicast IPv6 address to the instance.
    3. Allocate and associate an elastic IPv6 address to the instance.
    4. Create an egress-only Internet gateway.
  43. Which of the following VPC attributes determines whether the Amazon DNS server is enabled?

    1. enableDnsSupport
    2. enableDnsHostnames
    3. enableDnsResolution
    4. enableDns
  44. You suspect unauthorized SSH access to an EC2 instance. How can you immediately shut down all SSH access to the instance without affecting other instances in the same subnet?

    1. Shut down the instance.
    2. Modify the instance’s security group to remove the rule allowing SSH access.
    3. Create an inbound NACL rule to deny SSH access to the instance’s private IP address.
    4. Create an inbound NACL rule to deny SSH access to the instance’s public IP address.
  45. Which of the following does the URL https://d123456abcdef7.cloudfront.net indicate?

    1. An elastic load balancer
    2. A CloudFlare distribution
    3. An HTTP distribution
    4. An RTMP distribution
  46. Which of the following cannot be a CloudFront origin?

    1. A public S3 bucket configured for static website hosting
    2. An elastic load balancer
    3. A public web server
    4. A Lambda function
  47. You have an EC2 instance with a private and public IP address. You want to add this instance as a target to a network load balancer target group in the same VPC. How can you do this?

    1. Add the instance’s private IP address to the target group.
    2. Add the instance’s public IP address to the target group.
    3. Create a VPN connection.
    4. Create an elastic IP address for the instance.
  48. When browsing to the public URL of an application load balancer, users receive a “503 Service Unavailable” error. The target group contains only EC2 instances. What could this indicate?

    1. The target instance didn’t accept the connection from the load balancer.
    2. The target instance closed the connection from the load balancer.
    3. There are no healthy instances.
    4. The users are unable to connect to the application load balancer.
  49. You want to use CloudWatch to find the average CPU utilization for an instance over a 30-minute period. The metric is updated every 5 minutes. Which statistic and period should you use?

    1. The Average statistic with a 5-minute period
    2. The Sample Count statistic with a 6-minute period
    3. The p50 statistic with a 30-minute period
    4. The Average statistic with a 30-minute period
    5. The Average statistic with a 6-minute period
  50. You’re running a relational database on an EC2 instance backed by an EBS io1 volume. As the frequency of writes to the database has increased, database performance has declined. Which of the following configuration parameters should you adjust to improve performance?

    1. Reduce the frequency of snapshots.
    2. Decrease the volume queue length.
    3. Increase the number of provisioned IOPS.
    4. Increase the disk size.
  51. Which of the following protocols does EFS use?

    1. CIFS
    2. SMB
    3. NetBIOS
    4. NFS
    5. FSx
  52. On which type of gateway does AWS Storage Gateway allow you to use iSCSI?

    1. Volume Gateway
    2. File Gateway
    3. Tape Gateway
    4. Block Gateway
  53. On which type of gateway does AWS Storage Gateway allow you to use NFS?

    1. Volume Gateway
    2. File Gateway
    3. Tape Gateway
    4. Block Gateway
  54. Which of the following is required to enable MFA Delete?

    1. An EBS volume
    2. S3 object versioning
    3. A bucket policy
    4. A hardware token
  55. You want to create a custom AMI based on an AMI from the AWS Marketplace. How can you do this? (Choose two.)

    1. Download the AMI.
    2. Launch an instance from the AMI.
    3. Copy the AMI.
    4. Take a snapshot of the instance.
    5. Take a snapshot of the AMI.
  56. Which of the following can launch the SBE EC2 instance types from an AMI?

    1. Fargate
    2. Snowball Edge
    3. ECS
    4. There is no such thing as the SBE instance type.
  57. An SSE-C encrypted object named file.txt exists in an S3 bucket on which versioning is enabled. What will happen if you try to delete this object?

    1. S3 will create a delete marker.
    2. S3 will create a delete marker only if you provide the encryption key.
    3. S3 will delete the object.
    4. S3 will delete the object only if you provide the encryption key.
    5. S3 will neither delete the object nor create a delete marker.
  58. What happens when you delete a delete marker from a versioned S3 object?

    1. This isn’t possible.
    2. It disables versioning.
    3. The object is deleted.
    4. The object reappears.
  59. Which Glacier retrieval option lets you access data in less than 5 minutes?

    1. Defrost
    2. Expedited
    3. Icepick
    4. Emergency
    5. Bulk
  60. Where does AWS Storage Gateway permanently store data?

    1. NFS vaults
    2. EBS
    3. Local volumes
    4. S3 buckets