Certification: AWS Certified Solutions Architect Associate Practice Exams Set 10

As a Network Architect developing a food ordering application, you need to retrieve the instance ID, public keys, and public IP address of the EC2 server you created, so that you can tag and group these attributes in your internal application running on-premises.

Which EC2 feature will help you achieve your requirements?


Options are :

  • Instance user data
  • Resource tags
  • Instance metadata (Correct)
  • Amazon Machine Image

Answer : Instance metadata

You are working for a central bank as the Principal AWS Solutions Architect. Due to compliance requirements and security concerns, you are tasked to implement strict access to the central bank's AWS resources using the AWS Identity and Access Management service. 

Which of the following can you manage in the IAM dashboard? (Choose 2)


Options are :

  • Groups (Correct)
  • Identity providers (Correct)
  • Cost Allocation Reports
  • Security Groups
  • Network Access Control List

Answer : Groups; Identity providers

Your fellow AWS Engineer has created a new Standard-class S3 bucket to store financial reports that are not frequently accessed but should be immediately available when an auditor requests them. To save costs, you changed the storage class of the S3 bucket from Standard to Infrequent Access.

Which of the following statements about the Amazon S3 Standard - Infrequent Access storage class are true? (Choose 2)


Options are :

  • It is designed for data that is accessed less frequently. (Correct)
  • It is the best storage option to store noncritical and reproducible data
  • It is designed for data that requires rapid access when needed. (Correct)
  • It provides high latency and low throughput performance
  • Ideal to use for data archiving.

Answer : It is designed for data that is accessed less frequently. It is designed for data that requires rapid access when needed.

You are instructed by your manager to set up a bastion host in your Amazon VPC and it should only be accessed from the corporate data center via SSH. What is the best way for you to achieve this?


Options are :

  • Create a large EC2 instance with a security group which only allows access on port 22 using your own pre-configured password.
  • Create a large EC2 instance with a security group which only allows access on port 22 via the IP address of the corporate data center. Use a private key (.pem) file to connect to the bastion host.
  • Create a small EC2 instance with a security group which only allows access on port 22 using your own pre-configured password.
  • Create a small EC2 instance and a security group which only allows access on port 22 via the IP address of the corporate data center. Use a private key (.pem) file to connect to the bastion host. (Correct)

Answer : Create a small EC2 instance and a security group which only allows access on port 22 via the IP address of the corporate data center. Use a private key (.pem) file to connect to the bastion host.

You are building a cloud infrastructure where you have EC2 instances that require access to various AWS services such as S3 and Redshift. You will also need to provision access to system administrators so they can deploy and test their changes.

Which configuration should be used to ensure that access to your resources is secured and not compromised? (Choose 2)


Options are :

  • Enable Multi-Factor Authentication. (Correct)
  • Assign an IAM role to the Amazon EC2 instance. (Correct)
  • Store the AWS Access Keys in the EC2 instance.
  • Assign an IAM user for each Amazon EC2 Instance.
  • Store the AWS Access Keys in ACM.

Answer : Enable Multi-Factor Authentication. Assign an IAM role to the Amazon EC2 instance.

You want to establish an SSH connection to a Linux instance hosted in your VPC via the Internet. Which of the following is not required in order for this to work?


Options are :

  • Secondary Private IP Address (Correct)
  • Public IP Address or Elastic IP
  • Internet Gateway
  • Network access control and security group rules which allow the relevant traffic to flow to and from your EC2 instance.

Answer : Secondary Private IP Address

You are working as a Cloud Consultant for a government agency with a mandate of improving traffic planning, maintaining roadways and preventing accidents. There is a need to manage traffic infrastructure in real time, alert traffic engineers and emergency response teams when problems are detected, and automatically change traffic signals to get emergency personnel to accident scenes faster by using sensors and smart devices.

Which AWS service will allow the developers of the agency to connect the said devices to your cloud-based applications?


Options are :

  • CloudFormation
  • Elastic Beanstalk
  • AWS IoT Core (Correct)
  • Container service

Answer : AWS IoT Core

You need to back up your MySQL database hosted on a Reserved EC2 instance. It is using EBS volumes that are configured in a RAID array.

What steps will you take to minimize the time during which the database cannot be written to and to ensure a consistent backup?


Options are :

  • 1. Detach EBS volumes from the EC2 instance. 2. Start EBS snapshot of volumes. 3. Re-attach the EBS volumes.
  • 1. Stop all applications from writing to the RAID array. 2. Flush all caches to the disk. 3. Confirm that the associated EC2 instance is no longer writing to the RAID array by taking actions such as freezing the file system, unmounting the RAID array, or even shutting down the EC2 instance. 4. After taking steps to halt all disk-related activity to the RAID array, take a snapshot of each EBS volume in the array. (Correct)
  • 1. Stop all I/O activity in the volumes. 2. Create an image of the EC2 Instance. 3. Resume all I/O activity in the volume.
  • 1. Stop all I/O activity in the volumes. 2. Start EBS snapshot of volumes. 3. While the snapshot is in progress, resume all I/O activity.

Answer : 1. Stop all applications from writing to the RAID array. 2. Flush all caches to the disk. 3. Confirm that the associated EC2 instance is no longer writing to the RAID array by taking actions such as freezing the file system, unmounting the RAID array, or even shutting down the EC2 instance. 4. After taking steps to halt all disk-related activity to the RAID array, take a snapshot of each EBS volume in the array.

You are developing a meal planning application that provides weekly meal recommendations and tracks the food consumption of your users. Your application resides on an EC2 instance which requires access to various AWS services for its day-to-day operations.

Which of the following is the best way to allow your EC2 instance to access your S3 bucket and other AWS services?


Options are :

  • Create a role in IAM and assign it to the EC2 instance. (Correct)
  • Store the API credentials in the EC2 instance.
  • Add the API Credentials in the Security Group and assign it to the EC2 instance.
  • Store the API credentials in a bastion host.

Answer : Create a role in IAM and assign it to the EC2 instance.

Your company has recently adopted a hybrid architecture that integrates its on-premises data center with its AWS cloud. You are assigned to configure the VPC as well as to implement the required IAM users, IAM roles, IAM groups and IAM policies.

In this scenario, what is a best practice when creating IAM policies?


Options are :

  • Use the principle of least privilege which means granting only the permissions required to perform a task. (Correct)
  • Grant all permissions to any EC2 user.
  • Use the principle of least privilege which means granting only the least number of people with full root access.
  • Determine what users need to do and then craft policies for them that let the users perform those tasks including additional administrative operations.

Answer : Use the principle of least privilege which means granting only the permissions required to perform a task.

You are working as a Solutions Architect for a start-up company that has a not-for-profit crowdfunding platform hosted in AWS. Their platform allows people around the globe to raise money for social enterprise projects including challenging circumstances like accidents and illnesses. Since the system handles financial transactions, you have to ensure that your cloud architecture is secure.

Which of the following AWS services encrypts data at rest by default? (Choose 2)


Options are :

  • AWS Storage Gateway (Correct)
  • Amazon RDS
  • Amazon ECS
  • Amazon Glacier (Correct)
  • AWS Lambda

Answer : AWS Storage Gateway; Amazon Glacier

You run a website which accepts high-quality photos and turns them into a downloadable video montage. The website offers a free account and a premium account that guarantees faster processing. All requests by both free and premium members go through a single SQS queue and are then processed by a group of EC2 instances which generate the videos. You need to ensure that the premium users who paid for the service have higher priority than your free members.

How do you re-design your architecture to address this requirement?


Options are :

  • For the requests made by premium members, set a higher priority in the SQS queue so it will be processed first compared to the requests made by free members.
  • Create an SQS queue for free members and another one for premium members. Configure your EC2 instances to consume messages from the premium queue first and if it is empty, poll from the free members' SQS queue. (Correct)
  • Use Amazon Kinesis to process the photos and generate the video montage in real time.
  • Use Amazon S3 to store and process the photos and then generate the video montage afterwards.

Answer : Create an SQS queue for free members and another one for premium members. Configure your EC2 instances to consume messages from the premium queue first and if it is empty, poll from the free members' SQS queue.

In Elastic Load Balancing, there are various security features that you can use such as Server Order Preference, Predefined Security Policy, Perfect Forward Secrecy and many others. Perfect Forward Secrecy is a feature that provides additional safeguards against the eavesdropping of encrypted data through the use of a unique random session key. This prevents the decryption of captured data, even if the secret long-term key is later compromised.

Perfect Forward Secrecy is used to offer SSL/TLS cipher suites for which two AWS services?


Options are :

  • EC2 and S3
  • CloudTrail and CloudWatch
  • CloudFront and Elastic Load Balancing (Correct)
  • Trusted Advisor and GovCloud

Answer : CloudFront and Elastic Load Balancing

One member of your DevOps team consulted you about a problem in connecting to one of the EC2 instances of your VPC over the Internet. Your environment is set up with four EC2 instances that all belong to a public subnet. The EC2 instances also belong to the same security group. Everything works as expected except for one of the EC2 instances, which can neither send nor receive traffic over the Internet like the other three instances.

What could be the possible reason for this issue?


Options are :

  • The route table is not properly configured to allow traffic to and from the Internet through the Internet gateway.
  • The EC2 instance is running in an Availability Zone that is not connected to an Internet gateway.
  • The EC2 instance does not have a private IP address associated with it.
  • The EC2 instance does not have a public IP address associated with it. (Correct)

Answer : The EC2 instance does not have a public IP address associated with it.

You have a data analytics application that updates a real-time, foreign exchange dashboard and another separate application that archives data to Amazon Redshift. Both applications are configured to consume data from the same stream concurrently and independently by using Amazon Kinesis Data Streams. However, you noticed that there are a lot of occurrences where a shard iterator expires unexpectedly. Upon checking, you found out that the DynamoDB table used by Kinesis does not have enough capacity to store the lease data.   

Which of the following is the most suitable solution to rectify this issue?


Options are :

  • Increase the write capacity assigned to the shard table. (Correct)
  • Upgrade the storage capacity of the DynamoDB table.
  • Enable In-Memory Acceleration with DynamoDB Accelerator (DAX).
  • Use Amazon Kinesis Data Analytics to properly support the data analytics application instead of Kinesis Data Stream.

Answer : Increase the write capacity assigned to the shard table.

You have two On-Demand EC2 instances inside your Virtual Private Cloud in the same Availability Zone, but deployed to different subnets. One EC2 instance is running a database and the other is running a web application that connects to the database. You want to ensure that these two instances can communicate with each other for your system to work properly.

What are the things you have to check so that these EC2 instances can communicate inside the VPC? (Choose 2)


Options are :

  • Check the Network ACL if it allows communication between the two subnets. (Correct)
  • Check if both instances are the same instance class.
  • Check if the default route is set to a NAT instance or Internet Gateway (IGW) for them to communicate.
  • Check if all security groups are set to allow the application host to communicate to the database on the right port and protocol. (Correct)
  • Ensure that the EC2 instances are in the same Placement Group.

Answer : Check the Network ACL if it allows communication between the two subnets; Check if all security groups are set to allow the application host to communicate to the database on the right port and protocol.

You developed a web application and deployed it on a fleet of EC2 instances, which is using Amazon SQS. The requests are saved as messages in the SQS queue, which is configured with the maximum message retention period. However, after thirteen days of operation, the web application suddenly crashed and there are 10,000 unprocessed messages still waiting in the queue. Since you developed the application, you can easily resolve the issue, but you need to communicate the issue to the users.

What information will you provide and what will happen to the unprocessed messages?


Options are :

  • Tell the users that unfortunately, they have to resubmit all the requests again.
  • Tell the users that the application will be operational shortly however, requests sent over three days ago will need to be resubmitted.
  • Tell the users that the application will be operational shortly and all received requests will be processed after the web application is restarted. (Correct)
  • Tell the users that unfortunately, they have to resubmit all of the requests since the queue would not be able to process the 10,000 messages together.

Answer : Tell the users that the application will be operational shortly and all received requests will be processed after the web application is restarted.

You have started your new role as a Solutions Architect for a media company. They host large volumes of data for their operations which are about 250 TB in size on their internal servers. They have decided to store this data on S3 because of its durability and redundancy. The company currently has a 100 Mbps dedicated line connecting their head office to the Internet.

What is the fastest way to import all this data to Amazon S3?


Options are :

  • Upload it directly to S3
  • Use AWS Direct Connect and transfer the data over to S3.
  • Upload the files using AWS Data Pipeline.
  • Use AWS Snowball to upload the files. (Correct)

Answer : Use AWS Snowball to upload the files.

You are working as a Solutions Architect for a leading commercial bank which has recently adopted a hybrid cloud architecture. You have to ensure that the required data security is in place on all of their AWS resources to meet the strict financial regulatory requirements.   

In the AWS Shared Responsibility Model, which security aspects are the responsibilities of the customer? (Choose 2)


Options are :

  • Managing the underlying network infrastructure
  • Physical security of hardware
  • OS Patching of an EC2 instance (Correct)
  • IAM Policies and Credentials Management (Correct)
  • Virtualization infrastructure

Answer : OS Patching of an EC2 instance; IAM Policies and Credentials Management

A corporate and investment bank has recently decided to adopt a hybrid cloud architecture for their Trade Finance web application, which uses an Oracle database with an Oracle Real Application Clusters (RAC) configuration. Since Oracle RAC is not supported in RDS, they decided to launch their database on a large On-Demand EC2 instance instead, with multiple EBS Volumes attached. As a Solutions Architect, you are responsible for ensuring the security, availability, scalability, and disaster recovery of the whole architecture.

In this scenario, which of the following will enable you to take backups of your EBS volumes that are being used by the Oracle database?


Options are :

  • EBS-backed EC2 instances.
  • Use Disk Mirroring, which is also known as RAID 1, that replicates data to two or more disks/EBS Volumes.
  • Launch the EBS Volumes to a Placement Group which will automatically back up your data.
  • Create snapshots of the EBS Volumes. (Correct)

Answer : Create snapshots of the EBS Volumes.

You are working as a Solutions Architect for an investment bank and your Chief Technical Officer intends to migrate all of your applications to AWS. You are looking for block storage to store all of your data and have decided to go with EBS volumes. Your boss is worried that EBS volumes are not appropriate for your workloads due to compliance requirements, downtime scenarios, and IOPS performance.   

Which of the following are valid points in proving that EBS is the best service to use for your migration? (Select all that apply)


Options are :

  • When you create an EBS volume in an Availability Zone, it is automatically replicated on a separate AWS region to prevent data loss due to a failure of any single hardware component.
  • EBS volumes can be attached to any EC2 Instance in any Availability Zone.
  • An EBS volume is off-instance storage that can persist independently from the life of an instance. (Correct)
  • EBS volumes support live configuration changes while in production which means that you can modify the volume type, volume size, and IOPS capacity without service interruptions. (Correct)
  • Amazon EBS provides the ability to create snapshots (backups) of any EBS volume and write a copy of the data in the volume to Amazon RDS, where it is stored redundantly in multiple Availability Zones.

Answer : An EBS volume is off-instance storage that can persist independently from the life of an instance. EBS volumes support live configuration changes while in production which means that you can modify the volume type, volume size, and IOPS capacity without service interruptions.

Your company has a top-priority requirement to monitor a few database metrics and then send email notifications to the Operations team in case there is an issue. Which AWS services can accomplish this requirement? (Choose 2)


Options are :

  • Amazon Simple Email Service
  • Amazon CloudWatch (Correct)
  • Amazon Simple Queue Service (SQS)
  • Amazon Route 53
  • Amazon Simple Notification Service (SNS) (Correct)

Answer : Amazon CloudWatch; Amazon Simple Notification Service (SNS)

You are a Solutions Architect of a multi-national gaming company which develops video games for PS4, Xbox One and Nintendo Switch consoles, plus a number of mobile games for Android and iOS. Due to the wide range of their products and services, you proposed that they use API Gateway.   

What are the key features of API Gateway that you can tell your client? (Choose 2)


Options are :

  • It automatically provides a query language for your APIs similar to GraphQL.
  • You can run your APIs with quantum computer servers.
  • You can run your APIs without any servers. (Correct)
  • Provides durable data storage
  • You pay only for the API calls you receive and the amount of data transferred out. (Correct)

Answer : You can run your APIs without any servers. You pay only for the API calls you receive and the amount of data transferred out.

A web application, which is used by your clients around the world, is hosted in an Auto Scaling group of EC2 instances behind a Classic Load Balancer. You need to secure your application by allowing multiple domains to serve SSL traffic over the same IP address.

Which of the following should you do to meet the above requirement?


Options are :

  • Use Server Name Indication (SNI) on your Classic Load Balancer by adding multiple SSL certificates to allow multiple domains to serve SSL traffic.
  • Generate an SSL certificate with AWS Certificate Manager and create a CloudFront web distribution. Associate the certificate with your web distribution and enable the support for Server Name Indication (SNI). (Correct)
  • Use an Elastic IP and upload multiple 3rd party certificates in your Classic Load Balancer using the AWS Certificate Manager.
  • It is not possible to allow multiple domains to serve SSL traffic over the same IP address in AWS

Answer : Generate an SSL certificate with AWS Certificate Manager and create a CloudFront web distribution. Associate the certificate with your web distribution and enable the support for Server Name Indication (SNI).

You have a static corporate website hosted in a standard S3 bucket and a new web domain name which was registered using Route 53. You are instructed by your manager to integrate these two services in order to successfully launch their corporate website.

What are the prerequisites when routing traffic using Amazon Route 53 to a website that is hosted in an Amazon S3 Bucket? (Choose 2)


Options are :

  • The S3 bucket name must be the same as the domain name (Correct)
  • A registered domain name (Correct)
  • The record set must be of type "MX"
  • The S3 bucket must be in the same region as the hosted zone
  • The Cross-Origin Resource Sharing (CORS) option should be enabled in the S3 bucket

Answer : The S3 bucket name must be the same as the domain name; A registered domain name

A software company has resources hosted in AWS and on-premises servers. You have been requested to create a decoupled architecture for applications which make use of both resources.

Which of the following options are valid? (Choose 2)


Options are :

  • Use SWF to utilize both on-premises servers and EC2 instances for your decoupled application (Correct)
  • Use RDS to utilize both on-premises servers and EC2 instances for your decoupled application
  • Use SQS to utilize both on-premises servers and EC2 instances for your decoupled application (Correct)
  • Use Amazon Simple Decoupling Service to utilize both on-premises servers and EC2 instances for your decoupled application
  • Use DynamoDB to utilize both on-premises servers and EC2 instances for your decoupled application

Answer : Use SWF to utilize both on-premises servers and EC2 instances for your decoupled application; Use SQS to utilize both on-premises servers and EC2 instances for your decoupled application

You are an AWS Network Engineer working for a utilities provider, where you are managing a monolithic application on an EC2 instance that uses a Windows AMI. You want to implement a cost-effective and highly available architecture for your application in which you have an exact replica of the Windows server in a running state. If the primary instance terminates, you can attach the ENI to the standby secondary instance, which allows the traffic flow to resume within a few seconds.

When it comes to the ENI attachment to an EC2 instance, what does 'warm attach' refer to?


Options are :

  • Attaching an ENI to an instance when it is stopped. (Correct)
  • Attaching an ENI to an instance during the launch process.
  • Attaching an ENI to an instance when it is running.
  • Attaching an ENI to an instance when it is idle.

Answer : Attaching an ENI to an instance when it is stopped.

You have built a web application that checks for new items in an S3 bucket once every hour. If new items exist, a message is added to an SQS queue. You have a fleet of EC2 instances which retrieve messages from the SQS queue, process the file, and finally, send you and the user an email confirmation that the item has been successfully processed. Your officemate uploaded one test file to the S3 bucket and after a couple of hours, you noticed that you and your officemate have 50 emails from your application with the same message.

Which of the following is most likely the root cause of the application sending you and the user multiple emails?


Options are :

  • The sqsSendEmailMessage attribute of the SQS queue is configured to 50.
  • There is a bug in the application.
  • By default, SQS automatically deletes the messages that were processed by the consumers. It might be possible that your officemate has submitted the request 50 times which is why you received a lot of emails.
  • Your application does not issue a delete command to the SQS queue after processing the message, which is why this message went back to the queue and was processed multiple times. (Correct)

Answer : Your application does not issue a delete command to the SQS queue after processing the message, which is why this message went back to the queue and was processed multiple times.

You are working for a litigation firm as the Data Engineer for their case history application. You need to keep track of all the cases your firm has handled. The static assets like .jpg, .png, and .pdf files are stored in S3 for cost efficiency and high durability. As these files are critical to your business, you want to keep track of what is happening in your S3 bucket. You found out that S3 can send an event notification whenever a delete or write operation happens within the S3 bucket.

What are the possible Event Notification destinations available for S3 buckets? (Choose 2)


Options are :

  • Kinesis
  • SES
  • SQS (Correct)
  • Lambda function (Correct)
  • SWF

Answer : SQS; Lambda function

You have a new, dynamic web app written using the MEAN stack that is going to be launched next month. There is a probability that the traffic will be quite high in the first couple of weeks. In the event of a load failure, how can you set up DNS failover to a static website?


Options are :

  • Duplicate the exact application architecture in another region and configure DNS weight-based routing.
  • Enable failover to an application hosted in an on-premises data center.
  • Use Route 53 with the failover option to a static S3 website bucket or CloudFront distribution. (Correct)
  • Add more servers in case the application fails.

Answer : Use Route 53 with the failover option to a static S3 website bucket or CloudFront distribution.