Development
Security
Deployment
Troubleshooting & Optimization
Potpourri
100

You would like to migrate your website to AWS and use CloudFront to provide the best performance. Your users will need to complete a form on the website in order to subscribe to a mailing list and comment on blog posts. Which of the following allowed HTTP methods should you configure in your CloudFront distribution settings? 

A. GET, HEAD, OPTIONS 

B. GET, HEAD, OPTIONS, PUT, POST, PATCH, DELETE 

C. GET, HEAD, OPTIONS, POST 

D. GET, HEAD 

Correct Answer: B

Explanation: This combination of HTTP methods will enable your users to interact with the website and send, modify, insert, and delete data. 

100

A company is using AWS Organizations to manage its multiple AWS accounts, which are being used by its various departments. To avoid security issues, it is of utmost importance to test the impact of service control policies (SCPs) on your IAM policies and resource policies before applying them. 

Which of the following services can you use to test and troubleshoot IAM and resource-based policies? 

A. Systems Manager 

B. AWS Config 

C. IAM Policy Simulator 

D. Amazon Inspector 

Correct Answer: C

Explanation: The IAM policy simulator evaluates the policies that you choose and determines the effective permissions for each of the actions that you specify. The simulator uses the same policy evaluation engine that is used during real requests to AWS services.

100

Which of the following approaches allows you to re-use pieces of CloudFormation code in multiple templates, for common use cases like provisioning a load balancer or web server? 

A. Share the code using an EBS volume 

B. Copy and paste the code into the template each time you need to use it 

C. Store the code you want to re-use in an AMI and reference the AMI from within your CloudFormation template 

D. Use a CloudFormation nested stack 

Correct Answer: D

Explanation: Nested stacks are stacks created as part of other stacks. As your infrastructure grows, common patterns can emerge in which you declare the same components in multiple templates. You can separate out these common components and create dedicated templates for them. Then use the resource in your template to reference other templates, creating nested stacks. For example, assume that you have a load balancer configuration that you use for most of your stacks. Instead of copying and pasting the same configurations into your templates, you can create a dedicated template for the load balancer. Then, you just use the resource to reference that template from within other templates. 

100

You see a "timed out" error when using the AWS CLI to list all the files in an S3 bucket containing thousands of files. What could be the reason for this? 

A. Your network connection is too slow. 

B. You have not installed the AWS CLI correctly. 

C. Too many results are being returned which is causing the command to time out. 

D. You don't have the correct permission to run the command. 


Correct Answer: C

Explanation: Using the AWS CLI to list all the files in an S3 bucket containing thousands of files can cause your API call to exceed the maximum allowed time for the AWS CLI, and generate a "timed out" error. To avoid this, you can use the --page-size option to specify that the AWS CLI request a smaller number of items from each call to the AWS service. 

100

You are hosting a website in an Amazon S3 bucket. Which feature defines a way for client web applications that are loaded in one domain to interact with resources in a different domain? 

A. Bucket Policy 

B. IAM Role 

C. Bucket ACL 

D. CORS 

Correct Answer: D

Explanation: Cross-origin resource sharing (CORS) defines a way for client web applications that are loaded in one domain to interact with resources in a different domain. With CORS support, you can build rich client-side web applications with Amazon S3 and selectively allow cross-origin access to your Amazon S3 resources. Reference: Configuring and using cross-origin resource sharing (CORS)

200

A company is developing a serverless website that consists of images, videos, HTML pages and JavaScript files. There is also a requirement to serve the files with the lowest possible latency to its global users. 

Which combination of services should be used in this scenario? (Select TWO.) 

A. Amazon Elastic File System 

B. Amazon CloudFront 

C. Amazon S3 

D. Amazon Glacier 

E. Amazon EC2 

Correct Answer: B, C

Explanation: You can configure your application to deliver static content and decrease the end-user latency using Amazon S3 and Amazon CloudFront. High-resolution images, videos, and other static files can be stored in Amazon S3. CloudFront speeds up content delivery by leveraging its global network of data centers, known as edge locations, to reduce delivery time by caching your content close to your end-users. 

CloudFront fetches your content from an origin, such as an Amazon S3 bucket, an Amazon EC2 instance, an Amazon Elastic Load Balancing load balancer, or your own web server, when it’s not already in an edge location. CloudFront can be used to deliver your entire website or application, including dynamic, static, streaming, and interactive content. You can set your Amazon S3 bucket as the origin of your CloudFront web distribution. 

200

A developer is building the cloud architecture of an application which will be hosted in a large EC2 instance. The application will process the data and it will upload results to an S3 bucket. 

Which of the following is the SAFEST way to implement this architecture? 

A. Install the AWS CLI then use it to upload the results to S3. 

B. Use an IAM Role to grant the application the necessary permissions to upload data to S3. 

C. Store the access keys in the instance then use the AWS SDK to upload the results to S3. 

D. Use an IAM Inline Policy to grant the application the necessary permissions to upload data to S3. 

Correct Answer: B

Explanation: You should use an IAM role to manage temporary credentials for applications that run on an EC2 instance. When you use a role, you don’t have to distribute long-term credentials (such as a username and password or access keys) to an EC2 instance. Instead, the role supplies temporary permissions that applications can use when they make calls to other AWS resources. When you launch an EC2 instance, you specify an IAM role to associate with the instance. Applications that run on the instance can then use the role-supplied temporary credentials to sign API requests.

200

When deploying application code to Lambda, the AppSpec file can be written in which language? 

A. JavaScript 

B. Python 

C. XML 

D. YAML 

Correct Answer: D

Explanation: The application specification file (AppSpec file) is a YAML-formatted or JSON-formatted file used by CodeDeploy to manage a deployment.

200

You have launched a new web application on AWS using API Gateway, Lambda, and S3. Someone posts a thread on Reddit about your application and it goes viral. You start receiving 10,000 requests every second, and you notice that most types of requests are similar. Because of this, your web application begins to struggle. What can you do to optimize your application performance? 

A. Enable API Gateway caching to cache frequent requests. 

B. Change your Route 53 alias record to point to AWS Neptune. Configure Neptune to filter your API requests to genuine requests only. 

C. Enable API Gateway Accelerator. 

D. Migrate your API Gateway to a Network Load Balancer and enable session stickiness for all sessions. 

Correct Answer: A

Explanation: Since these requests are similar, you can enable API caching in Amazon API Gateway to cache your endpoint's responses. With caching, you can reduce the number of calls made to your endpoint and also improve the latency of requests to your API. 

200

You work for a media production company that streams popular TV shows to millions of users. They are migrating their web application from an in-house solution to AWS. They will have a fleet of over 10,000 web servers to meet the demand and will need a reliable layer 4 load balancing solution capable of handling millions of requests per second. What AWS load balancing solution would best suit their needs? 

A. Elastic Load Balancer. 

B. Network Load Balancer. 

C. AWS Direct Connect. 

D. Application Load Balancer. 

Correct Answer: B

Explanation: Network Load Balancer is best suited for load balancing of Transmission Control Protocol (TCP), User Datagram Protocol (UDP) and Transport Layer Security (TLS) traffic where extreme performance is required. Operating at the connection level (Layer 4), Network Load Balancer routes traffic to targets within Amazon Virtual Private Cloud (Amazon VPC) and is capable of handling millions of requests per second while maintaining ultra-low latencies. 

300

Which of the following statements regarding Amazon Simple Notification Service (SNS) is false? 

A. With Amazon SNS, messages can be delivered to multiple subscribers simultaneously. 

B. Amazon SNS automatically scales to accommodate the number of subscribers and messages. 

C. Amazon SNS uses a push-based delivery system. 

D. Amazon SNS supports both publish/subscribe and long-polling messaging patterns. 

Correct Answer: D

Explanation: Amazon Simple Notification Service (SNS) uses a publisher/subscriber (pub/sub) messaging model. 

300

A developer is using an API Gateway Lambda Authorizer to provide authentication for every API request and control access to their API. The requirement is to implement an authentication strategy which is similar to OAuth or SAML. 

Which of the following is the MOST suitable method that the developer should use in this scenario? 

A. Cross-Account Lambda Authorizer 

B. Request Parameter-based Authorization 

C. AWS STS-based Authentication 

D. Token-based Authorization 

Correct Answer: D

Explanation: 

A Lambda authorizer is an API Gateway feature that uses a Lambda function to control access to your API. When a client makes a request to one of your API’s methods, API Gateway calls your Lambda authorizer, which takes the caller’s identity as input and returns an IAM policy as output. 

There are two types of Lambda authorizers: 

– A token-based Lambda authorizer (also called a TOKEN authorizer) receives the caller’s identity in a bearer token, such as a JSON Web Token (JWT) or an OAuth token. 

– A request parameter-based Lambda authorizer (also called a REQUEST authorizer) receives the caller’s identity in a combination of headers, query string parameters, stageVariables, and $context variables. 

300

A developer is instructed to set up a new serverless architecture composed of AWS Lambda, API Gateway, and DynamoDB in a single stack. The new architecture should allow the developer to locally build, test, and debug serverless applications. 

Which of the following should the developer use to satisfy the above requirement? 

A. AWS Serverless Application Model (AWS SAM) 

B. AWS CloudFormation 

C. AWS Systems Manager 

D. AWS Elastic Beanstalk 

Correct Answer: A

Explanation: The AWS Serverless Application Model (AWS SAM) is an open-source framework that you can use to build serverless applications on AWS. It consists of the AWS SAM template specification that you use to define your serverless applications and the AWS SAM command line interface (AWS SAM CLI) that you use to build, test, and deploy your serverless applications. 

Because AWS SAM is an extension of AWS CloudFormation, you get the reliable deployment capabilities of AWS CloudFormation. You can define resources by using AWS CloudFormation in your AWS SAM template. Also, you can use the full suite of resources, intrinsic functions, and other template features that are available in AWS CloudFormation. 

300

You are developing a new application using serverless infrastructure and are using services such as S3, DynamoDB, Lambda, API Gateway, CloudFront, CloudFormation and Polly. You deploy your application to production and your end users begin complaining about receiving an HTTP 429 error. What could be the cause of the error? 

A. Your CloudFormation stack is not valid and is failing to deploy properly, which is causing an HTTP 429 error. 

B. You enabled API throttling for a rate limit of 1000 requests per second while in development and now that you have deployed to production your API Gateway is being throttled. 

C. You have an S3 bucket policy that is preventing Lambda from being able to write files to your bucket, generating an HTTP 429 error. 

D. Your Lambda function does not have sufficient permissions to read from DynamoDB and this is generating an HTTP 429 error. 

Correct Answer: B

Explanation: When request submissions exceed the steady-state request rate and burst limits, API Gateway fails the limit-exceeding requests and returns 429 Too Many Requests error responses to the client. Upon catching such exceptions, the client can resubmit the failed requests in a way that is rate limiting, while complying with the API Gateway throttling limits. 

300

You would like to create a new AMI that is based on an existing AWS AMI, with the addition of the latest security patches. Which AWS service can be used to create a new AMI based on an existing AWS AMI?   

A. CloudShell 

B. AWS SAM  

C. CloudFormation 

D. Image Builder 

Correct Answer: D

Explanation: Image Builder is an AWS service that can be used to create a new AMI based on an existing AWS AMI. 

400

In DynamoDB, a scan operation is used to: 

A. Return the entire contents of a table filtered on the Primary Key attribute 

B. Find items in a table based on the Sort Key attribute 

C. Return all data attributes for every item in the table or index 

D. Find items in a table based on the Primary Key values 

Correct Answer: C

Explanation: A Scan operation in Amazon DynamoDB reads every item in a table or a secondary index. By default, a Scan operation returns all of the data attributes for every item in the table or index. You can use the ProjectionExpression parameter so that Scan only returns some of the attributes, rather than all of them. Working with Scans in DynamoDB (https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Scan.html). 

400

A new CIO joins your company and implements a new company policy that all EBS-backed EC2 instances must have encryption at rest. What is the quickest and easiest way to apply this policy to your existing EBS-backed EC2 instances? 

A. Create an encrypted snapshot of the EC2 volume using the encrypt-on-the-fly option. Create an AMI of the copied snapshot and then redeploy the EC2 instance using the encrypted AMI. Delete the old EC2 instance. 

B. Create a snapshot of the EC2 volume. Then create a copy of the snapshot, checking the box to enable encryption. Create an AMI of the copied snapshot and then redeploy the EC2 instance using the encrypted AMI. Delete the old EC2 instance. 

C. In the AWS console, click on the EC2 instances, click actions and click encrypt EBS volumes. 

D. Create an encrypted AMI of the EC2 volume using Windows BitLocker. 

Correct Answer: B

Explanation: Although there is no direct way to encrypt an existing unencrypted volume or snapshot, you can encrypt them by creating a new, encrypted volume or snapshot copy from the unencrypted one. 

400

Which AWS CloudFormation section specifies one or more macros that AWS CloudFormation uses to process your templates, and is required for AWS SAM template files? 

A. Transform 

B. Files 

C. Inputs 

D. Resources 

Correct Answer: A

Explanation: The Transform section specifies one or more macros that AWS CloudFormation uses to process your template. The Transform section builds on the simple, declarative language of AWS CloudFormation with a powerful macro system. The declaration Transform: AWS::Serverless-2016-10-31 is required for AWS SAM template files. 

400

A leading commercial bank has an online banking portal that is hosted in an Auto Scaling group of EC2 instances with an Application Load Balancer in front to distribute the incoming traffic. The application has been instrumented, and the X-Ray daemon has been installed in all instances to allow debugging and troubleshooting using AWS X-Ray. 

In this architecture, from which source will AWS X-Ray fetch the client IP address? 

A. From the X-Forwarded-For header of the request. 

B. From the ipAddress query parameter of the request if it exists. 

C. From the X-Forwarded-Host header of the request. 

D. From the source IP of the IP packet. 

Correct Answer: A

Explanation: AWS X-Ray receives data from services as segments. X-Ray then groups segments that have a common request into traces. X-Ray processes the traces to generate a service graph that provides a visual representation of your application. Because the instances sit behind an Application Load Balancer, the source IP of the packet that reaches an instance is the load balancer's own address; the X-Ray SDK therefore records the original client IP from the X-Forwarded-For header that the load balancer adds to the request.

400

A developer runs a shell script that uses the aws s3 cp CLI to upload a large file to an S3 bucket. The S3 bucket is configured with Server-side encryption with AWS Key Management Service (SSE-KMS). An Access Denied error always shows up whenever the developer uploads a file with a size of 100 GB or more. However, whenever he uploads a smaller file, the request succeeds. 

Which of the following are possible reasons why this issue is happening? (Select TWO.) 

A. The AWS CLI S3 commands perform a multipart upload when the file is large. 

B. The developer does not have the kms:Encrypt permission. 

C. The developer's IAM permission has an attached inline policy that restricts him from uploading a file to S3 with a size of 100 GB or more. 

D. The developer does not have the kms:Decrypt permission. 

E. The maximum size that can be encrypted in KMS is only 100 GB. 

Correct Answer: A, D

Explanation: 

If you are getting an Access Denied error when trying to upload a large file to your S3 bucket with an upload request that includes an AWS KMS key, then you have to confirm that you have permission to perform kms:Decrypt actions on the AWS KMS key that you’re using to encrypt the object. 

To perform a multipart upload with encryption using an AWS KMS key, the requester must have permission to the kms:Decrypt and kms:GenerateDataKey* actions on the key. These permissions are required because Amazon S3 must decrypt and read data from the encrypted file parts before it completes the multipart upload. 

500

You are using an AWS Lambda function to process records in an Amazon Kinesis Data Streams stream which has 100 active shards. The Lambda function takes an average of 10 seconds to process the data and the stream is receiving 50 new items per second. 

Which of the following statements are TRUE regarding this scenario? 

A. The Kinesis shards must be merged to increase the data capacity of the stream as well as the concurrency execution of the Lambda function. 

B. There will be at most 100 Lambda function invocations running concurrently. 

C. The Lambda function has 500 concurrent executions. 

D. The Lambda function will throttle the incoming requests due to the excessive number of Kinesis shards. 

Correct Answer: B

Explanation: 

Concurrent executions refers to the number of executions of your function code that are happening at any given time. You can estimate the concurrent execution count, but it will differ depending on whether or not your Lambda function is processing events from a poll-based event source. 

For Lambda functions that process Kinesis or DynamoDB streams, the number of shards is the unit of concurrency. If your stream has 100 active shards, there will be at most 100 Lambda function invocations running concurrently. This is because Lambda processes each shard’s events in sequence. 

500

A cryptocurrency exchange portal has a key management service hosted in their on-premises data center, which stores encryption keys and uses an RSA asymmetric encryption algorithm. The company has recently implemented a hybrid cloud architecture in AWS and you were assigned to migrate the exchange portal to their cloud infrastructure. For security compliance, the keys should be stored in dedicated, third-party validated hardware security modules under your exclusive control. 

Which of the following is the BEST solution that you should implement to meet the above requirement? 

A. Import the encryption keys from your on-premises key management service to AWS CloudHSM. 

B. Develop a custom key management service using the AWS Encryption SDK. 

C. Use AWS KMS to store and manage the encryption keys. 

D. Import the encryption keys from your on-premises key management service to AWS Secrets Manager as KMS Keys. 

Correct Answer: A

Explanation: AWS CloudHSM provides hardware security modules in AWS Cloud. A hardware security module (HSM) is a computing device that processes cryptographic operations and provides secure storage for cryptographic keys. 

You should consider using AWS CloudHSM instead of AWS KMS if you require: 

– Keys stored in dedicated, third-party validated hardware security modules under your exclusive control. 

– FIPS 140-2 compliance. 

– Integration with applications using PKCS#11, Java JCE, or Microsoft CNG interfaces. 

– High-performance in-VPC cryptographic acceleration (bulk crypto). 

500

A company is heavily using a range of AWS services to host their enterprise applications. Currently, their deployment process still has a lot of manual steps which is why they plan to automate their software delivery process using continuous integration and delivery (CI/CD) pipelines in AWS. They will use CodePipeline to orchestrate each step of their release process and CodeDeploy for deploying applications to various compute platforms in AWS. In this architecture, which of the following are valid considerations when using CodeDeploy? (Select TWO.) 

A. CodeDeploy can deploy applications to EC2, AWS Lambda, and Amazon ECS only. 

B. You have to install and use the CodeDeploy agent installed on your EC2 instances and ECS cluster. 

C. CodeDeploy can deploy applications to both your EC2 instances as well as your on-premises servers. 

D. The CodeDeploy agent communicates using HTTP over port 80. 

E. AWS Lambda compute platform deployments cannot use an in-place deployment type. 

Correct Answer: C, E

Explanation: Only deployments that use the EC2/On-Premises compute platform can use in-place deployments. AWS Lambda compute platform deployments cannot use an in-place deployment type. 

The CodeDeploy agent is a software package that, when installed and configured on an instance, makes it possible for that instance to be used in CodeDeploy deployments. The CodeDeploy agent communicates outbound using HTTPS over port 443. 

It is also important to note that the CodeDeploy agent is required only if you deploy to an EC2/On-Premises compute platform. The agent is not required for deployments that use the Amazon ECS or AWS Lambda compute platform. 

Therefore, the valid considerations in CodeDeploy in this scenario are: 

– AWS Lambda compute platform deployments cannot use an in-place deployment type. 

– CodeDeploy can deploy applications to both your EC2 instances as well as your on-premises servers. 

500

An API Gateway API with a Lambda proxy integration takes a long time to complete its processing. There were also occurrences where some requests timed out. You want to monitor the responsiveness of your API calls as well as the underlying Lambda function. 

Which of the following CloudWatch metrics should you use to troubleshoot this issue? (Select TWO.) 

A. Latency 

B. IntegrationLatency 

C. Count 

D. CacheMissCount 

E. CacheHitCount 

Correct Answer: A, B

Explanation: You can monitor API execution using CloudWatch, which collects and processes raw data from API Gateway into readable, near-real-time metrics. These statistics are recorded for a period of two weeks so that you can access historical information and gain a better perspective on how your web application or service is performing. By default, API Gateway metric data is automatically sent to CloudWatch in one-minute periods. 

The metrics reported by API Gateway provide information that you can analyze in different ways. The list below shows some common uses for the metrics. These are suggestions to get you started, not a comprehensive list. 

– Monitor the IntegrationLatency metrics to measure the responsiveness of the backend. 

– Monitor the Latency metrics to measure the overall responsiveness of your API calls. 

– Monitor the CacheHitCount and CacheMissCount metrics to optimize cache capacities to achieve a desired performance. 

500

An EBS-backed EC2 instance has been recently reported to contain malware that could spread to your other instances. To fix this security vulnerability, you will need to attach its root EBS volume to a new EC2 instance which hosts a security program that can scan for viruses, worms, Trojan horses, or spyware. What steps would you take to detach the root volume from the compromised EC2 instance? 

A. Unmount the volume from the OS and then detach. 

B. Unmount the volume, stop the instance, and then detach. 

C. Stop the instance then detach the volume. 

D. Detach the volume from the AWS Console. AWS takes care of unmounting the volume for you. 

Correct Answer: C

Explanation: You can detach an Amazon EBS volume from an instance explicitly or by terminating the instance. However, if the instance is running, you must first unmount the volume from the instance. 

If an EBS volume is the root device of an instance, you must stop the instance before you can detach the volume. 
