NEW QUESTION 1
A user has set the IAM policy where it denies all requests if a request is not from IP 10.10.10.1/32. The other policy says allow all requests between 5 PM to 7 PM. What will happen when a user is requesting access from IP 55.109.10.12/32 at 6 PM?

• A. It will deny access
• B. It is not possible to set a policy based on the time or IP
• C. IAM will throw an error for policy conflict
• D. It will allow access

Answer: A

Explanation: When a request is made, the AWS IAM policy decides whether a given request should be allowed or denied. The evaluation logic follows these rules:
By default, all requests are denied. (In general, requests made using the account credentials for resources in the account are always allowed.)
An explicit allow policy overrides this default.
An explicit deny policy overrides any allows.
In this case since there are explicit deny and explicit allow statements. Thus, the request will be denied since deny overrides allow.
Reference: http://docs.aws.amazon.com/IAM/Iatest/UserGuide/AccessPoIicyLanguage_EvaIuationLogic.htmI

NEW QUESTION 2
A user has configured EBS volume with PIOPS. The user is not experiencing the optimal throughput. Which of the following could not be factor affecting I/O performance of that EBS volume?

• A. EBS bandwidth of dedicated instance exceeding the PIOPS
• B. EBS volume size
• C. EC2 bandwidth
• D. Instance type is not EBS optimized

Answer: B

Explanation: If the user is not experiencing the expected IOPS or throughput that is provisioned, ensure that the EC2 bandwidth is not the limiting factor, the instance is EBS-optimized (or include 10 Gigabit network connectMty) and the instance type EBS dedicated bandwidth exceeds the IOPS more than he has provisioned.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html

NEW QUESTION 3
You have been asked to design the storage layer for an application. The application requires disk performance of at least 100,000 IOPS. In addition, the storage layer must be able to survive the loss of an indMdual disk, EC2 instance, or Availability Zone without any data loss. The volume you provide must have a capacity of at least 3 TB. Which of the following designs will meet these objectives?

• A. Instantiate a c3.8x|arge instance in us-east-1. Provision 4x1TB EBS volumes, attach them to the instance, and configure them as a single RAID 5 volum
• B. Ensure that EBS snapshots are performed every 15 minutes.
• C. Instantiate a c3.8xIarge instance in us-east-1. Provision 3xITB EBS volumes, attach them to the Instance, and configure them as a single RAID 0 volum
• D. Ensure that EBS snapshots are performed every 15 minutes.
• E. Instantiate an i2.8xIarge instance in us-east-1
• F. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instanc
• G. Provision 3x1TB EBS volumes, attach them to the instance, and configure them as a second RAID 0 volum
• H. Configure synchronous, block-level replication from the ephemeral-backed volume to the EBS-backed volume.
• I. Instantiate a c3.8xIarge instance in us-east-1. Provision an AWS Storage Gateway and configure it for 3 TB of storage and 100,000 IOP
• J. Attach the volume to the instance.
• K. Instantiate an i2.8xIarge instance in us-east-1
• L. Create a RAID 0 volume using the four 800GB SSD ephemeral disks provided with the instanc
• M. Configure synchronous, blocklevel replication to an identically configured instance in us-east-1b.

Answer: C

NEW QUESTION 4
True or False: Amazon EIastiCache supports the Redis key-value store.

• A. True, EIastiCache supports the Redis key-value store, but with limited functionalities.
• B. False, EIastiCache does not support the Redis key-value store.
• C. True, EIastiCache supports the Redis key-value store.
• D. False, EIastiCache supports the Redis key-value store only if you are in a VPC environmen

Answer: C

Explanation: This is true. EIastiCache supports two open-source in-memory caching engines: 1. Memcached - a widely adopted memory object caching system. EIastiCache is protocol compliant with Memcached, so popular tools that you use today with existing Nlemcached environments will work seamlessly with the service. 2.
Redis - a popular open-source in-memory key-value store that supports data structures such as sorted sets and lists. EIastiCache supports Master / Slave replication and Multi-AZ which can be used to achieve cross AZ redundancy.
Reference: https://aws.amazon.com/eIasticache/

NEW QUESTION 5
You would like to create a mirror image of your production environment in another region for disaster recovery purposes. Which of the following AWS resources do not need to be recreated in the second region? (Choose 2 answers)

• A. Route 53 Record Sets
• B. IAM Roles
• C. Elastic IP Addresses (EIP)
• D. EC2 Key Pairs
• E. Launch configurations
• F. Security Groups

Answer: AC

NEW QUESTION 6
You are looking to migrate your Development (Dev) and Test environments to AWS. You have decided to use separate AWS accounts to host each environment. You plan to link each accounts bill to a Master AWS account using Consolidated Billing. To make sure you Keep within budget you would like to implement a way for administrators in the Master account to have access to stop, delete and/or terminate resources in both the Dev and Test accounts. Identify which option will allow you to achieve this goal.

• A. Create IAM users in the Master account with full Admin permission
• B. Create cross-account roles in the Dev and Test accounts that grant the Master account access to the resources in the account by inheriting permissions from the Master account.
• C. Create IAM users and a cross-account role in the Master account that grants full Admin permissions to the Dev and Test accounts.
• D. Create IAM users in the Master account Create cross-account roles in the Dev and Test accounts that have full Admin permissions and grant the Master account access.
• E. Link the accounts using Consolidated Billin
• F. This will give IAM users in the Master account access to resources in the Dev and Test accounts

Answer: C

NEW QUESTION 7
An organization has developed an application which provides a smarter shopping experience. They need to show a demonstration to various stakeholders who may not be able to access the in premise
application so they decide to host a demo version of the application on AWS. Consequently they will need a fixed elastic IP attached automatically to the instance when it is launched.
In this scenario which of the below mentioned options will not help assign the elastic IP automatically?

• A. Write a script which will fetch the instance metadata on system boot and assign the public IP using that metadata.
• B. Provide an elastic IP in the user data and setup a bootstrapping script which will fetch that elastic IP and assign it to the instance.
• C. Create a controlling application which launches the instance and assigns the elastic IP based on the parameter provided when that instance is booted.
• D. Launch instance with VPC and assign an elastic IP to the primary network interfac

Answer: A

Explanation: EC2 allows the user to launch On-Demand instances. If the organization is using an application temporarily only for demo purposes the best way to assign an elastic IP would be:
Launch an instance with a VPC and assign an EIP to the primary network interface. This way on every instance start it will have the same IP Create a bootstrapping script and provide it some metadata, such as user data which can be used to assign an EIP Create a controller instance which can schedule the start and stop of the instance and provide an EIP as a parameter so that the controller instance can check the instance boot and assign an EIP
The instance metadata gives the current instance data, such as the public/private IP. It can be of no use for assigning an EIP.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AESDG-chapter-instancedata.html

NEW QUESTION 8
A benefits enrollment company is hosting a 3-tier web application running in a VPC on AWS which includes a NAT (Network Address Translation) instance in the public Web tier. There is enough provisioned capacity for the expected workload tor the new fiscal year benefit enrollment period plus some extra overhead Enrollment proceeds nicely for two days and then the web tier becomes unresponsive, upon investigation using CIoudWatch and other monitoring tools it is discovered that there is an extremely large and unanticipated amount of inbound traffic coming from a set of 15 specific IP addresses over port 80 from a country where the benefits company has no customers. The web tier instances are so overloaded that benefit enrollment administrators cannot even SSH into them. Which actMty would be useful in defending against this attack?

• A. Create a custom route table associated with the web tier and block the attacking IP addresses from the IGW (Internet Gateway)
• B. Change the EIP (Elastic IP Address) of the NAT instance in the web tier subnet and update the Nlain Route Table with the new EIP
• C. Create 15 Security Group rules to block the attacking IP addresses over port 80
• D. Create an inbound NACL (Network Access control list) associated with the web tier subnet with deny rules to block the attacking IP addresses

Answer: D

NEW QUESTION 9
Refer to the architecture diagram above of a batch processing solution using Simple Queue Service (SQS) to set up a message queue between EC2 instances which are used as batch processors Cloud Watch monitors the number of Job requests (queued messages) and an Auto Scaling group adds or deletes batch sewers automatically based on parameters set in Cloud Watch alarms. You can use this architecture to implement which of the following features in a cost effective and efficient manner?

• A. Reduce the overall lime for executing jobs through parallel processing by allowing a busy EC2 instance that receives a message to pass it to the next instance in a daisy-chain setup.
• B. Implement fault tolerance against EC2 instance failure since messages would remain in SQS and worn can continue with recovery of EC2 instances implement fault tolerance against SQS failure by backing up messages to S3.
• C. Implement message passing between EC2 instances within a batch by exchanging messages throughSQS.
• D. Coordinate number of EC2 instances with number of job requests automatically thus Improving cost effectiveness.
• E. Handle high priority jobs before lower priority jobs by assigning a priority metadata field to SQS messages.

Answer: D

NEW QUESTION 10
One of your AWS Data Pipeline actMties has failed consequently and has entered a hard failure state after retrying thrice. You want to try it again. Is it possible to increase the number of automatic retries to more than thrice?

• A. Yes, you can increase the number of automatic retries to 6.
• B. Yes, you can increase the number of automatic retries to indefinite number.
• C. No, you cannot increase the number of automatic retries.
• D. Yes, you can increase the number of automatic retries to 10.

Answer: D

Explanation: In AWS Data Pipeline, an actMty fails if all of its actMty attempts return with a failed state. By default, an actMty retries three times before entering a hard failure state. You can increase the number of automatic retries to 10. However, the system does not allow indefinite retries.
Reference: https://aws.amazon.com/datapipe|ine/faqs/

NEW QUESTION 11
A company is building a voting system for a popular TV show, viewers win watch the performances then visit the show's website to vote for their favorite performer. It is expected that in a short period of time after the show has finished the site will receive millions of visitors. The visitors will first login to the site using their Amazon.com credentials and then submit their vote. After the voting is completed the page will display the vote totals. The company needs to build the site such that can handle the rapid influx of traffic while maintaining good performance but also wants to keep costs to a minimum. Which of the design patterns below should they use?

• A. Use CIoudFront and an Elastic Load balancer in front of an auto-scaled set of web servers, the web servers will first call the Login With Amazon service to authenticate the user then process the users vote and store the result into a multi-AZ Relational Database Service instance.
• B. Use CIoudFront and the static website hosting feature of S3 with the Javascript SDK to call the Login With Amazon service to authenticate the user, use IAM Roles to gain permissions to a DynamoDB tableto store the users vote.
• C. Use CIoudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers, the web servers will first call the Login with Amazon service to authenticate the user, the web servers will process the users vote and store the result into a DynamoDB table using IAM Roles for EC2 instances to gain permissions to the DynamoDB table.
• D. Use CIoudFront and an Elastic Load Balancer in front of an auto-scaled set of web servers, the web servers will first call the Login With Amazon service to authenticate the user, the web sewers win process the users vote and store the result into an SQS queue using IAM Roles for EC2 Instances to gain permissions to the SQS queu
• E. A set of application sewers will then retrieve the items from the queue and store the result into a DynamoDB table.

Answer: D

NEW QUESTION 12
You want to use Amazon Redshift and you are planning to deploy dw1.8xIarge nodes. What is the minimum amount of nodes that you need to deploy with this kind of configuration?

• A. 1
• B. 4
• C. 3
• D. 2

Answer: D

Explanation: For a single-node configuration in Amazon Redshift, the only option available is the smallest of the two options. The 8XL extra-large nodes are only available in a multi-node configuration
Reference: http://docs.aws.amazon.com/redshift/latest/mgmt/working-with-c|usters.htmI

NEW QUESTION 13
What is the maximum length for an instance profile name in AWS IAM?

• A. 512 characters
• B. 128 characters
• C. 1024 characters
• D. 64 characters

Answer: B

Explanation: The maximum length for an instance profile name is 128 characters.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/LimitationsOnEntities.html

NEW QUESTION 14
You're trying to delete an SSL certificate from the IAM certificate store, and you're getting the message "Certificate: <certificate-id> is being used by CIoudFront." Which of the following statements is probably the reason why you are getting this error?

• A. Before you can delete an SSL certificate you need to set up https on your server.
• B. Before you can delete an SSL certificate, you need to set up the appropriate access level in IAM
• C. Before you can delete an SSL certificate, you need to either rotate SSL certificates or revert from using a custom SSL certificate to using the default CIoudFront certificate.
• D. You can't delete SSL certificates . You need to request it from AW

Answer: C

Explanation: CIoudFront is a web service that speeds up distribution of your static and dynamic web content, for example, .htmI, .css, .php, and image files, to end users.
Every CIoudFront web distribution must be associated either with the default CIoudFront certificate or with a custom SSL certificate. Before you can delete an SSL certificate, you need to either rotate SSL certificates (replace the current custom SSL certificate with another custom SSL certificate) or revert from using a custom SSL certificate to using the default CIoudFront certificate.
Reference: http://docs.aws.amazon.com/AmazonC|oudFront/latest/DeveIoperGuide/Troubleshooting.htmI

NEW QUESTION 15
In Amazon RDS for PostgreSQL, you can provision up to 3TB storage and 30,000 IOPS per database instance. For a workload with 50% writes and 50% reads running on a cr1.8xIarge instance, you can realize over 25,000 IOPS for PostgreSQL. However, by provisioning more than this limit, you may be able to achieve:

• A. higher latency and lower throughput.
• B. lower latency and higher throughput.
• C. higher throughput only.
• D. higher latency onl

Answer: B

Explanation: You can provision up to 3TB storage and 30,000 IOPS per database instance. For a workload with 50% writes and 50% reads running on a cr1.8xIarge instance, you can realize over 25,000 IOPS for PostgreSQL. However, by provisioning more than this limit, you may be able to achieve lower latency and higher throughput. Your actual realized IOPS may vary from the amount you provisioned based on your database workload, instance type, and database engine choice.
Reference: https://aws.amazon.com/rds/postgresq|/

NEW QUESTION 16
An organization has created 5 IAM users. The organization wants to give them the same login ID but different passwords. How can the organization achieve this?

• A. The organization should create each user in a separate region so that they have their own URL to login
• B. The organization should create a separate login ID but give the IAM users the same alias so that each one can login with their alias
• C. It is not possible to have the same login ID for multiple IAM users of the same account
• D. The organization should create various groups and add each user with the same login ID to different group
• E. The user can login with their own group ID

Answer: C

Explanation: AWS Identity and Access Management is a web service which allows organizations to manage users and user permissions for various AWS services. Whenever the organization is creating an IAM user, there should be a unique ID for each user. It is not possible to have the same login ID for multiple users. The names of users, groups, roles, instance profiles must be alphanumeric, including the following common characters: plus (+), equal (=), comma (,), period (.), at (@), and dash (-).
Reference: http://docs.aws.amazon.com/IAM/Iatest/UserGuide/Using_SettingUpUser.htmI

NEW QUESTION 17
You are responsible for a legacy web application whose server environment is approaching end of life You would like to migrate this application to AWS as quickly as possible, since the application environment currently has the following limitations:
The VM's single 10GB VNIDK is almost full; Nle virtual network interface still uses the 10IV|bps driver, which leaves your 100Mbps WAN connection completely underutilized;
It is currently running on a highly customized. Windows VM within a VMware environment; You do not have me installation media;
This is a mission critical application with an RTO (Recovery Time Objective) of 8 hours. RPO (Recovery Point Objective) of 1 hour. How could you best migrate this application to AWS while meeting your business continuity requirements?

• A. Use the EC2 VM Import Connector for vCenter to import the VNI into EC2.
• B. Use Import/Export to import the VNI as an ESS snapshot and attach to EC2.
• C. Use S3 to create a backup of the VM and restore the data into EC2.
• D. Use me ec2-bundle-instance API to Import an Image of the VNI into EC2

Answer: A

NEW QUESTION 18
A company is running a batch analysis every hour on their main transactional DB, running on an RDS MySQL instance, to populate their central Data Warehouse running on Redshift. During the execution of the batch, their transactional applications are very slow. When the batch completes they need to update the top management dashboard with the new data. The dashboard is produced by another system running on-premises that is currently started when a manually-sent email notifies that an update is required. The on-premises system cannot be modified because is managed by another team.
How would you optimize this scenario to solve performance issues and automate the process as much as possible?

• A. Replace RDS with Redshift for the batch analysis and SNS to notify the on-premises system to update the dashboard
• B. Replace RDS with Redshift for the oaten analysis and SQS to send a message to the on-premises system to update the dashboard
• C. Create an RDS Read Replica for the batch analysis and SNS to notify me on-premises system to update the dashboard
• D. Create an RDS Read Replica for the batch analysis and SQS to send a message to the on-premises system to update the dashboard.

Answer: A