NEW QUESTION 1
You are hired as the new head of operations for a SaaS company. Your CTO has asked you to make debugging any part of your entire operation simpler and as fast as possible. She complains that she has no idea what is going on in the complex, service-oriented architecture, because the developers just log to disk, and it's very hard to find errors in logs on so many services. How can you best meet this requirement and satisfy your CTO?

• A. Copy all log files into AWS S3 using a cron job on each instanc
• B. Use an S3 Notification Configuration on the <code>PutBucket</code> event and publish events to AWS Lambd
• C. Use the Lambda to analyze logs as soon as they come in and flag issues.
• D. Begin using CIoudWatch Logs on every servic
• E. Stream all Log Groups into S3 object
• F. Use AWS EMR clusterjobs to perform ad-hoc MapReduce analysis and write new queries when needed.
• G. Copy all log files into AWS S3 using a cron job on each instanc
• H. Use an S3 Notification Configuration on the <code>PutBucket</code> event and publish events to AWS Kinesi
• I. Use Apache Spark on AWS EMR to perform at-scale stream processing queries on the log chunks and flag issues.
• J. Begin using CIoudWatch Logs on every servic
• K. Stream all Log Groups into an AWS Elasticsearch Service Domain running Kibana 4 and perform log analysis on a search cluster.

Answer: D

Explanation:
The Elasticsearch and Kibana 4 combination is called the ELK Stack, and is designed specifically for real-time, ad-hoc log analysis and aggregation. All other answers introduce extra delay or require pre-defined queries.
Amazon Elasticsearch Service is a managed service that makes it easy to deploy, operate, and scale Elasticsearch in the AWS Cloud. Elasticsearch is a popular open-source search and analytics engine for use cases such as log analytics, real-time application monitoring, and click stream analytics. Reference: https://aws.amazon.com/elasticsearch-service/

NEW QUESTION 2
What is web identity federation?

• A. Use of an identity provider like Google or Facebook to become an AWS IAM User.
• B. Use of an identity provider like Google or Facebook to exchange for temporary AWS security credentials.
• C. Use of AWS IAM User tokens to log in as a Google or Facebook user.
• D. Use of AWS STS Tokens to log in as a Google or Facebook use

Answer: B

Explanation:
users of your app can sign in using a well-known identity provider (|dP) -such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in your AWS account.
Reference: http://docs.aws.amazon.com/IANI/latest/UserGuide/id_roIes_providers_oidc.html

NEW QUESTION 3
What is true of the way that encryption works with EBS?

• A. Snapshotting an encrypted volume makes an encrypted snapshot; restoring an encrypted snapshot creates an encrypted volume when specified / requested.
• B. Snapshotting an encrypted volume makes an encrypted snapshot when specified / requested; restoring an encrypted snapshot creates an encrypted volume when specified / requested.
• C. Snapshotting an encrypted volume makes an encrypted snapshot; restoring an encrypted snapshot always creates an encrypted volume.
• D. Snapshotting an encrypted volume makes an encrypted snapshot when specified / requested; restoring an encrypted snapshot always creates an encrypted volume.

Answer: C

Explanation:
Snapshots that are taken from encrypted volumes are automatically encrypted. Volumes that are created from encrypted snapshots are also automatically encrypted. Your encrypted volumes and any associated snapshots always remain protected. For more information, see Amazon EBS Encryption.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSEncryption.htmI

NEW QUESTION 4
You have an asynchronous processing application using an Auto Scaling Group and an SQS Queue. The Auto Scaling Group scales according to the depth of the job queue. The completion velocity of the jobs has gone down, the Auto Scaling Group size has maxed out, but the inbound job velocity did not increase. What is a possible issue?

• A. Some of the newjobs coming in are malformed and unprocessable.
• B. The routing tables changed and none of the workers can process events anymore.
• C. Someone changed the IAM Role Policy on the instances in the worker group and broke permissions to access the queue.
• D. The scaling metric is not functioning correctl

Answer: A

Explanation:
The IAM Role must be fine, as if it were broken, NO jobs would be processed since the system would never be able to get any queue messages. The same reasoning applies to the routing table change. The scaling metric is fine, as instance count increased when the queue depth increased due to more messages entering than exiting. Thus, the only reasonable option is that some of the recent messages must be malformed and unprocessable.
Reference:
https://github.com/andrew-templeton/cloudacademy/blob/fca920b45234bbe99cc0e8efb9c65134884dd48 9/questions/null

NEW QUESTION 5
You need to migrate 10 million records in one hour into DynamoDB. All records are 1.5KB in size. The data is evenly distributed across the partition key. How many write capacity units should you provision during this batch load?

• A. 6667
• B. 4166
• C. 5556
• D. 2778

Answer: C

Explanation:
You need 2 units to make a 1.5KB write, since you round up. You need 20 million total units to perform this load. You have 3600 seconds to do so. DMde and round up for 5556.
Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/HowItWorks.ProvisionedThroughp ut.htmI

NEW QUESTION 6
Which of these is not a Pseudo Parameter in AWS CIoudFormation?

• A. AWS::StackName
• B. AWS::AccountId
• C. AWS::StackArn
• D. AWS::NotificationARNs

Answer: C

Explanation:
This is the complete list of Pseudo Parameters: AWS::Account|d, AWS::NotificationARNs, AWS::NoVaIue, AWS::Region, AWS::StackId, AWS::StackName
Reference:
http://docs.aws.amazon.com/AWSCIoudFormation/latest/UserGuide/pseudo-parameter-reference.html

NEW QUESTION 7
Your application consists of 10% writes and 90% reads. You currently service all requests through a Route53 Alias Record directed towards an AWS ELB, which sits in front of an EC2 Auto Scaling Group. Your system is getting very expensive when there are large traffic spikes during certain news events, during which many more people request to read similar data all at the same time. What is the simplest and cheapest way to reduce costs and scale with spikes like this?

• A. Create an S3 bucket and asynchronously replicate common requests responses into S3 object
• B. When a request comes in for a precomputed response, redirect to AWS S3.
• C. Create another ELB and Auto Scaling Group layer mounted on top of the other system, adding a tier to the syste
• D. Serve most read requests out of the top layer.
• E. Create a CloudFront Distribution and direct Route53 to the Distributio
• F. Use the ELB as an Origin and specify Cache Behaviours to proxy cache requests which can be served late.
• G. Create a Memcached cluster in AWS EIastiCach
• H. Create cache logic to serve requests which can be served late from the in-memory cache for increased performance.

Answer: C

Explanation:
CIoudFront is ideal for scenarios in which entire requests can be served out of a cache and usage patterns involve heavy reads and spikiness in demand.
A cache behavior is the set of rules you configure for a given URL pattern based on file extensions, file names, or any portion of a URL path on your website (e.g., *.jpg). You can configure multiple cache behaviors for your web distribution. Amazon CIoudFront will match incoming viewer requests with your list of URL patterns, and if there is a match, the service will honor the cache behavior you configure for that URL pattern. Each cache behavior can include the following Amazon CIoudFront configuration values: origin server name, viewer connection protocol, minimum expiration period, query string parameters, cookies, and trusted signers for private content.
Reference: https://aws.amazon.com/Cloudfront/dynamic-content/

NEW QUESTION 8
You run operations for a company that processes digital wallet payments at a very high volume. One second of downtime, during which you drop payments or are otherwise unavailable, loses you on average USD 100. You balance the financials of the transaction system once per day. Which database setup is best suited to address this business risk?

• A. A multi-AZ RDS deployment with synchronous replication to multiple standbys and read-replicas for fast failover and ACID properties.
• B. A multi-region, multi-master, active-active RDS configuration using database-level ACID design principles with database trigger writes for replication.
• C. A multi-region, multi-master, active-active DynamoDB configuration using application control-level BASE design principles with change-stream write queue buffers for replication.
• D. A multi-AZ DynamoDB setup with changes streamed to S3 via AWS Kinesis, for highly durable storage and BASE properties.

Answer: C

Explanation:
Only the multi-master, multi-region DynamoDB answer makes sense. IV|u|ti-AZ deployments do not provide sufficient availability when a business loses USD 360,000 per hour of unavailability. As RDS does not natively support multi-region, and ACID does not perform well/at all over large distances between
regions, only the DynamoDB answer works. Reference:
http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.CrossRegionRepI.htmI

NEW QUESTION 9
You are building a mobile app for consumers to post cat pictures online. You will be storing the images in AWS S3. You want to run the system very cheaply and simply. Which one of these options allows you to build a photo sharing application without needing to worry about scaling expensive uploads processes,
authentication/authorization and so forth?

• A. Build the application out using AWS Cognito and web identity federation to allow users to log in using Facebook or Google Account
• B. Once they are logged in, the secret token passed to that user is used to directly access resources on AWS, like AWS S3.
• C. Use JWT or SANIL compliant systems to build authorization policie
• D. Users log in with a username and password, and are given a token they can use indefinitely to make calls against the photo infrastructure.
• E. Use AWS API Gateway with a constantly rotating API Key to allow access from the client-sid
• F. Construct a custom build of the SDK and include S3 access in it.
• G. Create an AWS oAuth Service Domain ad grant public signup and access to the domai
• H. During setup, add at least one major social media site as a trusted Identity Provider for users.

Answer: A

Explanation:
The short answer is that Amazon Cognito is a superset of the functionality provided by web identity federation. It supports the same providers, and you configure your app and authenticate with those providers in the same way. But Amazon Cognito includes a variety of additional features. For example, it enables your users to start using the app as a guest user and later sign in using one of the supported identity providers.
Reference:
https://bIogs.aws.amazon.com/security/post/Tx3SYCORF5EKRCO/How-Does-Amazon-Cognito-Relate-to
-Existing-Web-Identity-Federatio

NEW QUESTION 10
For AWS CIoudFormation, which stack state refuses UpdateStack calls?

• A. <code>UPDATE_ROLLBACK_FAILED</code>
• B. <code>UPDATE_ROLLBACK_COMPLETE</code>
• C. <code>UPDATE_CONIPLETE</code>
• D. <code>CREATE_COMPLETE</code>

Answer: A

Explanation:
When a stack is in the UPDATE_ROLLBACK_FA|LED state, you can continue rolling it back to return it to a working state (to UPDATE_ROLLBACK_COMPLETE). You cannot update a stack that is in the UPDATE_ROLLBACK_FA|LED state. However, if you can continue to roll it back, you can return the stack to its original settings and try to update it again.
Reference:
http://docs.aws.amazon.com/AWSCIoudFormation/latest/UserGuide/using-cfn-updating-stacks-continueu pdateroIIback.htmI

NEW QUESTION 11
Why are more frequent snapshots or EBS Volumes faster?

• A. Blocks in EBS Volumes are allocated lazily, since while logically separated from other EBS Volumes, Volumes often share the same physical hardwar
• B. Snapshotting the first time forces full block range allocation, so the second snapshot doesn't need to perform the allocation phase and is faster.
• C. The snapshots are incremental so that only the blocks on the device that have changed after your last snapshot are saved in the new snapshot.
• D. AWS provisions more disk throughput for burst capacity during snapshots if the drive has been pre-warmed by snapshotting and reading all blocks.
• E. The drive is pre-warmed, so block access is more rapid for volumes when every block on the device has already been read at least one time.

Answer: B

Explanation:
After writing data to an EBS volume, you can periodically create a snapshot of the volume to use as a baseline for new volumes or for data backup. If you make periodic snapshots of a volume, the snapshots are incremental so that only the blocks on the device that have changed after your last snapshot are saved in the new snapshot. Even though snapshots are saved incrementally, the snapshot deletion process is designed so that you need to retain only the most recent snapshot in order to restore the volume.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-creating-snapshot.html

NEW QUESTION 12
You are building a deployment system on AWS. You will deploy new code by bootstrapping instances in a private subnet in a VPC at runtime using UserData scripts pointing to an S3 zip file object, where your code is stored. An ELB in a public subnet has network interfaces and connectMty to the instances. Requests from users of the system are routed to the ELB via a Route53 A Record Alias. You do not use any VPC endpoints. Which is a risk of using this approach?

• A. Route53 Alias records do not always update dynamically with ELB network changes after deploys.
• B. If the NAT routing for the private subnet fails, deployments fail.
• C. Kernel changes to the base AMI may render the code inoperable.
• D. The instances cannot be in a private subnet if the ELB is in a public on

Answer: B

Explanation:
Since you are not using VPC endpoints, outbound requests for the code sitting in S3 are routed though the NAT for the VPC's private subnets. If this networking fails, runtime bootstrapping through code
download will fail due to network unavailability and lack of access to the Internet, and thus Amazon S3. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_NAT_Instance.html

NEW QUESTION 13
You are experiencing performance issues writing to a DynamoDB table. Your system tracks high scores for video games on a marketplace. Your most popular game experiences all of the performance issues. What is the most likely problem?

• A. DynamoDB's vector clock is out of sync, because of the rapid growth in request for the most popular game.
• B. You selected the Game ID or equivalent identifier as the primary partition key for the table.
• C. Users of the most popular video game each perform more read and write requests than average.
• D. You did not provision enough read or write throughput to the tabl

Answer: B

Explanation:
The primary key selection dramatically affects performance consistency when reading or writing to DynamoDB. By selecting a key that is tied to the identity of the game, you forced DynamoDB to create a hotspot in the table partitions, and over-request against the primary key partition for the popular game. When it stores data, DynamoDB dMdes a tabIe's items into multiple partitions, and distributes the data primarily based upon the partition key value. The provisioned throughput associated with a table is also dMded evenly among the partitions, with no sharing of provisioned throughput across partitions. Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GuideIinesForTabIes.htmI#GuideIi nesForTabIes.UniformWorkIoad

NEW QUESTION 14
Which of the following tools does not directly support AWS OpsWorks, for monitoring your stacks?

• A. AWS Config
• B. Amazon CIoudWatch Nletrics
• C. AWS CloudTraiI
• D. Amazon CIoudWatch Logs

Answer: A

Explanation:
You can monitor your stacks in the following ways: AWS OpsWorks uses Amazon CIoudWatch to provide thirteen custom metrics with detailed monitoring for each instance in the stack; AWS OpsWorks integrates with AWS CIoudTraiI to log every AWS OpsWorks API call and store the data in an Amazon S3 bucket; You can use Amazon CIoudWatch Logs to monitor your stack's system, application, and custom logs. Reference: http://docs.aws.amazon.com/opsworks/latest/userguide/monitoring.htmI

NEW QUESTION 15
When thinking of DynamoDB, what are true of Local Secondary Key properties?

• A. Either the partition key or the sort key can be different from the table, but not both.
• B. Only the sort key can be different from the table.
• C. The partition key and sort key can be different from the table.
• D. Only the partition key can be different from the tabl

Answer: B

Explanation:
Global secondary index — an index with a partition key and a sort key that can be different from those on the table. A global secondary index is considered "gIobaI" because queries on the index can span all of the data in a table, across all partitions.
Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Secondarylndexes.htmI

NEW QUESTION 16
What is a circular dependency in AWS CIoudFormation?

• A. When a Template references an earlier version of itself.
• B. When Nested Stacks depend on each other.
• C. When Resources form a DependOn loop.
• D. When a Template references a region, which references the original Templat

Answer: C

Explanation:
To resolve a dependency error, add a DependsOn attribute to resources that depend on other resources in your template. In some cases, you must explicitly declare dependencies so that AWS CIoudFormation can create or delete resources in the correct order. For example, if you create an Elastic IP and a VPC
with an Internet gateway in the same stack, the Elastic IP must depend on the Internet gateway attachment. For additional information, see DependsOn Attribute.
Reference: http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.htm|#troub|eshootin g-errors-dependence-error

NEW QUESTION 17
Your serverless architecture using AWS API Gateway, AWS Lambda, and AWS DynamoDB experienced a large increase in traffic to a sustained 400 requests per second, and dramatically increased in failure rates. Your requests, during normal operation, last 500 milliseconds on average. Your DynamoDB table did not exceed 50% of provisioned throughput, and Table primary keys are designed correctly. What is the most likely issue?

• A. Your API Gateway deployment is throttling your requests.
• B. Your AWS API Gateway Deployment is bottlenecking on request (de)seriaIization.
• C. You did not request a limit increase on concurrent Lambda function executions.
• D. You used Consistent Read requests on DynamoDB and are experiencing semaphore loc

Answer: C

Explanation:
AWS API Gateway by default throttles at 500 requests per second steady-state, and 1000 requests per second at spike. Lambda, by default, throttles at 100 concurrent requests for safety. At 500 milliseconds (half of a second) per request, you can expect to support 200 requests per second at 100 concurrency. This is less than the 400 requests per second your system now requires. Make a limit increase request via the AWS Support Console.
AWS Lambda: Concurrent requests safety throttle per account -> 100
Reference: http://docs.aws.amazon.com/generaI/latest/gr/aws_service_Iimits.htm|#|imits_|ambda

NEW QUESTION 18
Fill the blanks: helps us track AWS API calls and transitions, helps to understand what resources we have now, and allows auditing credentials and logins.

• A. AWS Config, CIoudTraiI, IAM Credential Reports
• B. CIoudTraiI, IAM Credential Reports, AWS Config
• C. CIoudTraiI, AWS Config, IAM Credential Reports
• D. AWS Config, IAM Credential Reports, CIoudTraiI

Answer: C

Explanation:
You can use AWS CIoudTraiI to get a history of AWS API calls and related events for your account. This includes calls made by using the AWS Management Console, AWS SDKs, command line tools, and higher-level AWS services.
Reference: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-user-guide.html

NEW QUESTION 19
Which of these techniques enables the fastest possible rollback times in the event of a failed deployment?

• A. Rolling; Immutable
• B. Rolling; Mutable
• C. Canary or A/B
• D. Blue-Green

Answer: D

Explanation:
AWS specifically recommends Blue-Green for super-fast, zero-downtime deploys - and thus rollbacks, which are redeploying old code.
You use various strategies to migrate the traffic from your current application stack (blue) to a new version of the application (green). This is a popular technique for deploying applications with zero downtime. Reference: https://d0.awsstatic.com/whitepapers/overview-of-deployment-options-on-aws.pdf

NEW QUESTION 20
You need to scale an RDS deployment. You are operating at 10% writes and 90% reads, based on your logging. How best can you scale this in a simple way?

• A. Create a second master RDS instance and peer the RDS groups.
• B. Cache all the database responses on the read side with CIoudFront.
• C. Create read replicas for RDS since the load is mostly reads.
• D. Create a Multi-AZ RDS installs and route read traffic to standb

Answer: C

Explanation:
The high-availability feature is not a scaling solution for read-only scenarios; you cannot use a standby replica to serve read traffic. To service read-only traffic, you should use a Read Replica. For more information, see Working with PostgreSQL, MySQL, and NIariaDB Read Replicas.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Concepts.NIuItiAZ.htmI

NEW QUESTION 21
You are creating a new API for video game scores. Reads are 100 times more common than writes, and the top 1% of scores are read 100 times more frequently than the rest of the scores. What's the best design for this system, using DynamoDB?

• A. DynamoDB table with 100x higher read than write throughput, with CloudFront caching.
• B. DynamoDB table with roughly equal read and write throughput, with CloudFront caching.
• C. DynamoDB table with 100x higher read than write throughput, with E|astiCache caching.
• D. DynamoDB table with roughly equal read and write throughput, with EIastiCache cachin

Answer: D

Explanation:
Because the 100x read ratio is mostly driven by a small subset, with caching, only a roughly equal number of reads to writes will miss the cache, since the supermajority will hit the top 1% scores. Knowing we need to set the values roughly equal when using caching, we select AWS EIastiCache, because CIoudFront cannot directly cache DynamoDB queries, and EIastiCache is an excellent in-memory cache for database queries, rather than a distributed proxy cache for content delivery.
One solution would be to cache these reads at the application layer. Caching is a technique that is used in many high-throughput applications, offloading read actMty on hot items to the cache rather than to the database. Your application can cache the most popular items in memory, or use a product such as EIastiCache to do the same.
Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/GuideIinesForTabIes.htmI#GuideIi nesForTabIes.CachePopuIarItem

NEW QUESTION 22
You need to process long-running jobs once and only once. How might you do this?

• A. Use an SNS queue and set the visibility timeout to long enough forjobs to process.
• B. Use an SQS queue and set the reprocessing timeout to long enough forjobs to process.
• C. Use an SQS queue and set the visibility timeout to long enough forjobs to process.
• D. Use an SNS queue and set the reprocessing timeout to long enough forjobs to proces

Answer: C

Explanation:
The message timeout defines how long after a successful receive request SQS waits before allowing jobs to be seen by other components, and proper configuration prevents duplicate processing.
Reference: http://docs.aws.amazon.com/AWSSimpIeQueueService/latest/SQSDeveIoperGuide/MessageLifecycIe.ht ml

NEW QUESTION 23
You need to know when you spend $1000 or more on AWS. What's the easy way for you to see that notification?

• A. AWS CIoudWatch Events tied to API calls, when certain thresholds are exceeded, publish to SNS.
• B. Scrape the billing page periodically and pump into Kinesis.
• C. AWS CIoudWatch Metrics + Billing Alarm + Lambda event subscriptio
• D. When a threshold is exceeded, email the manager.
• E. Scrape the billing page periodically and publish to SN

Answer: C

Explanation:
Even if you're careful to stay within the free tier, it's a good idea to create a billing alarm to notify you if you exceed the limits of the free tier. Billing alarms can help to protect you against unknowingly accruing charges if you inadvertently use a service outside of the free tier or if traffic exceeds your expectations. Reference: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/free-tier-aIarms.htmI

NEW QUESTION 24
......