clf-c02 4
https://www.2passeasy.com/dumps/CLF-C02/
NEW QUESTION 1
- (Topic 3)
A developer has been hired by a large company and needs AWS credentials. Which are security best practices that should be followed? (Select TWO.)
A. Grant the developer access to only the AWS resources needed to perform the job.
B. Share the AWS account root user credentials with the developer.
C. Add the developer to the administrator's group in AWS IAM.
D. Configure a password policy that ensures the developer's password cannot be changed.
E. Ensure the account password policy requires a minimum length.
Answer: AE
Explanation:
The security best practices that should be followed are A and E.
* A. Grant the developer access to only the AWS resources needed to perform the job. This is an example of the principle of least privilege, which means giving
the minimum permissions necessary to achieve a task. This reduces the risk of unauthorized access, data leakage, or accidental damage to AWS resources. You
can use AWS Identity and Access Management (IAM) to create users, groups, roles, and policies that grant fine-grained access to AWS resources12.
* E. Ensure the account password policy requires a minimum length. This is a basic security measure that helps prevent brute-force attacks or guessing of
passwords. A longer password is harder to crack than a shorter one. You can use IAM to configure a password policy that enforces a minimum password length,
as well as other requirements such as complexity, expiration, and history34.
* B. Share the AWS account root user credentials with the developer. This is a bad practice that should be avoided. The root user has full access to all AWS
resources and services, and can perform sensitive actions such as changing billing information, closing the account, or deleting all resources. Sharing the root user
credentials exposes your account to potential compromise or misuse. You should never share your root user credentials with anyone, and use them only for
account administration tasks5.
* C. Add the developer to the administrator’s group in IAM. This is also a bad practice that should be avoided. The administrator’s group has full access to all
AWS resources and services, which is more than what a developer needs to perform their job. Adding the developer to the administrator’s group violates the
principle of least privilege and increases the risk of unauthorized access, data leakage, or accidental damage to AWS resources. You should create a custom
group for the developer that grants only the necessary permissions for their role12.
* D. Configure a password policy that ensures the developer’s password cannot be changed. This is another bad practice that should be avoided. Preventing the
developer from changing their password reduces their ability to protect their credentials and comply with security policies. For example, if the developer’s
password is compromised, they cannot change it to prevent further unauthorized access. Or if the company requires periodic password rotation, they cannot
update their password to meet this requirement. You should allow the developer to change their password as needed, and enforce a password policy that sets
reasonable rules for password management34.
NEW QUESTION 2
- (Topic 3)
A company has all of its servers in the us-east-1 Region. The company is considering the deployment of additional servers in a different Region.
Which AWS tool should the company use to find pricing information for other Regions?
A. Cost Explorer
B. AWS Budgets
C. AWS Purchase Order Management
D. AWS Pricing Calculator
Answer: D
Explanation:
AWS Pricing Calculator lets customers explore AWS services, and create an estimate for the cost of their use cases on AWS. AWS Pricing Calculator can also
compare the costs of different AWS Regions and configurations. Cost Explorer is a tool that enables customers to visualize, understand, and manage their AWS
costs and usage over time.
AWS Budgets gives customers the ability to set custom budgets that alert them when their costs or usage exceed (or are forecasted to exceed) their budgeted
amount. AWS Purchase Order Management is a feature that allows customers to pay for their AWS invoices using purchase orders.
NEW QUESTION 3
- (Topic 3)
A company is migrating to the AWS Cloud to meet storage needs. The company wants to optimize costs based on the amount of storage that the company uses.
Which AWS offering or benefit will meet these requirements MOST cost-effectively?
A. Pay-as-you-go pricing
B. Savings Plans
C. AWS Free Tier
D. Volume-based discounts
Answer: D
Explanation:
Volume-based discounts are an AWS offering or benefit that can help the company optimize costs based on the amount of storage that the company uses.
Volume-based discounts are discounts that AWS provides for some storage services, such as Amazon S3 and Amazon EBS, when the company stores a large
amount of data. The more data the company stores, the lower the price per GB. For example, Amazon S3 offers six storage classes, each with a different price per
GB. The price per GB decreases as the amount of data stored in each storage class increases.
NEW QUESTION 4
- (Topic 3)
A company wants to make an upfront commitment for continued use of its production Amazon EC2 instances in exchange for a reduced overall cost.
Which pricing options meet these requirements with the LOWEST cost? (Select TWO.)
A. Spot Instances
B. On-Demand Instances
C. Reserved Instances
D. Savings Plans
E. Dedicated Hosts
Answer: CD
Explanation:
Reserved Instances (RIs) are a pricing model that allows you to reserve EC2 instances for a specified period of time (one or three years) and receive a significant
discount compared to On-Demand pricing. RIs are suitable for workloads that have predictable usage patterns and require a long-term commitment. You can
choose between three payment options: All Upfront, Partial Upfront, or No Upfront. The more you pay upfront, the greater the discount1.
Savings Plans are a flexible pricing model that can help you reduce your EC2 costs by up to 72% compared to On-Demand pricing, in exchange for a commitment
to a consistent amount of usage (measured in $/hour) for a one or three year term. Savings Plans apply to usage across EC2, AWS Lambda, and AWS Fargate.
You can choose between two types of Savings Plans: Compute Savings Plans and EC2 Instance Savings Plans. Compute Savings Plans offer the most flexibility
and apply to any instance family, size, OS, tenancy, or region. EC2 Instance Savings Plans offer the highest discount and apply to a specific instance family within
a region2.
Spot Instances are a pricing model that allows you to bid for unused EC2 capacity in the AWS cloud and are available at a discount of up to 90% compared to
On-Demand pricing. Spot Instances are suitable for fault-tolerant or stateless workloads that can run on heterogeneous hardware and have flexible start and end
times. However, Spot Instances are not guaranteed and can be interrupted by AWS at any time if the demand for capacity increases or your bid price is lower than
the current Spot price3.
On-Demand Instances are a pricing model that allows you to pay for compute capacity by the hour or second with no long-term commitments. On-Demand
Instances are suitable for short-term, spiky, or unpredictable workloads that cannot be interrupted, or for applications that are being developed or tested on EC2 for
the first time. However, On-Demand Instances are the most expensive option among the four pricing models4.
Dedicated Hosts are physical EC2 servers fully dedicated for your use. Dedicated Hosts can help you reduce costs by allowing you to use your existing
server-bound software licenses, such as Windows Server, SQL Server, and SUSE Linux Enterprise Server. Dedicated Hosts can be purchased On-Demand or as part of
Savings Plans. Dedicated Hosts are suitable for workloads that need to run on dedicated physical servers or have strict licensing requirements. However,
Dedicated Hosts are not the lowest cost option among the four pricing models.
NEW QUESTION 5
- (Topic 3)
Which AWS service is a cloud security posture management (CSPM) service that aggregates alerts from various AWS services and partner products in a
standardized format?
Answer: A
Explanation:
AWS Security Hub is a cloud security posture management (CSPM) service that performs security best practice checks, aggregates alerts, and enables
automated remediation. Security Hub collects findings from the security services enabled across your AWS accounts, such as intrusion detection findings from
Amazon GuardDuty, vulnerability scans from Amazon Inspector, and sensitive data identification findings from Amazon Macie. Security Hub also collects findings
from partner security products using a standardized AWS Security Finding Format, eliminating the need for time-consuming data parsing and normalization efforts.
Customers can designate an administrator account that can access all findings across their accounts. References: AWS Security Hub Overview, AWS Security
Hub FAQs
NEW QUESTION 6
- (Topic 3)
Which option is a customer responsibility under the AWS shared responsibility model?
Answer: B
Explanation:
The option that is a customer responsibility under the AWS shared responsibility model is B. Application data security.
According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, while the customer is responsible for the security in the cloud.
This means that AWS manages the security of the underlying infrastructure, such as the hardware, software, networking, and facilities that run the AWS services,
while the customer manages the security of their applications, data, and resources that they use on top of AWS12. Application data security is one of the customer
responsibilities under the AWS shared responsibility model. This means that the customer is responsible for protecting their application data from unauthorized
access, modification, deletion, or leakage. The customer can use various AWS services and features to help with application data security, such as encryption, key
management, access control, logging, and auditing12. Maintenance of underlying hardware of Amazon EC2 instances is not a customer responsibility under the
AWS shared responsibility model. This is part of the AWS responsibility to secure the cloud. AWS manages the physical servers that host the Amazon EC2
instances and ensures that they are updated, patched, and replaced as needed13.
Physical security of data centers is not a customer responsibility under the AWS shared responsibility model. This is also part of the AWS responsibility to secure
the cloud. AWS operates and controls the facilities where the AWS services are hosted and ensures that they are protected from unauthorized access,
environmental hazards, fire, and theft14. Maintenance of VPC components is not a customer responsibility under the AWS shared responsibility model. This is a
shared responsibility between AWS and the customer. AWS provides the VPC service and ensures that it is secure and reliable, while the customer configures and
manages their own VPCs and related components, such as subnets, route tables, security groups, network ACLs, gateways, and endpoints15.
References:
1: Shared Responsibility Model - Amazon Web Services (AWS)
2: AWS Cloud Computing - W3Schools
3: Amazon EC2 FAQs - Amazon Web Services
4: AWS Security - Amazon Web Services
5: Amazon Virtual Private Cloud (VPC) - Amazon Web Services
NEW QUESTION 7
- (Topic 3)
Which of the following services can be used to block network traffic to an instance? (Select TWO.)
A. Security groups
B. Amazon Virtual Private Cloud (Amazon VPC) flow logs
C. Network ACLs
D. Amazon CloudWatch
E. AWS CloudTrail
Answer: AC
Explanation:
Security groups and network ACLs are two AWS services that can be used to block network traffic to an instance. Security groups are virtual firewalls that control
the inbound and outbound traffic for your instances at the instance level. You can specify which protocols, ports, and source or destination IP addresses are
allowed or denied for each instance. Security groups are stateful, which means that they automatically allow return traffic for any allowed inbound or outbound
traffic123. Network ACLs are virtual firewalls that control the inbound and outbound traffic for your subnets at the subnet level. You can create rules to allow or
deny traffic based on protocols, ports, and source or destination IP addresses. Network ACLs are stateless, which means that you have to explicitly allow return
traffic for any allowed inbound or outbound traffic456.
References: 1: Security groups for your VPC - Amazon Virtual Private Cloud, 2: Security Groups for Your VPC - Amazon Elastic Compute Cloud, 3: AWS Security Groups: Everything You Need to Know, 4: Network ACLs - Amazon Virtual Private Cloud, 5: Control traffic to subnets using network ACLs - Amazon Virtual Private Cloud, 6: AWS Network ACLs: Everything You Need to Know
NEW QUESTION 8
- (Topic 3)
A company wants to migrate its on-premises workloads to the AWS Cloud. The company wants to separate workloads for chargeback to different departments.
Which AWS services or features will meet these requirements? (Select TWO.)
A. Placement groups
B. Consolidated billing
C. Edge locations
D. AWS Config
E. Multiple AWS accounts
Answer: BE
Explanation:
Consolidated billing is a feature of AWS Organizations that enables customers to consolidate billing and payment for multiple AWS accounts. With consolidated
billing, customers can group multiple AWS accounts under one payer account, making it easier to manage billing and track costs across multiple accounts.
Consolidated billing also offers benefits such as volume discounts, Reserved Instance discounts, and Savings Plans discounts. Consolidated billing is offered at no
additional cost.
Multiple AWS accounts is a feature of AWS Organizations that enables customers to create and manage multiple AWS accounts from a central location. With
multiple AWS accounts, customers can isolate workloads for different departments, projects, or environments, and apply granular access controls and policies to
each account. Multiple AWS accounts also helps customers improve security, compliance, and governance of their AWS resources56.
References: 5: Consolidated billing for AWS Organizations - AWS Billing, 6: Understanding Consolidated Bills - AWS Billing, 7: AWS Consolidated Billing: Tutorial & Best Practices, 8: Simplifying Your Bills With Consolidated Billing on AWS - Aimably, 9: AWS Consolidated Billing - W3Schools
NEW QUESTION 9
- (Topic 3)
A company that has multiple business units wants to centrally manage and govern its AWS Cloud environments. The company wants to automate the creation of
AWS accounts, apply service control policies (SCPs), and simplify billing processes.
Which AWS service or tool should the company use to meet these requirements?
A. AWS Organizations
B. Cost Explorer
C. AWS Budgets
D. AWS Trusted Advisor
Answer: A
Explanation:
AWS Organizations is an AWS service that enables you to centrally manage and govern your AWS Cloud environments across multiple business units. AWS
Organizations allows you to create an organization that consists of AWS accounts that you create or invite to join. You can group your accounts into organizational
units (OUs) and apply service control policies (SCPs) to them. SCPs are a type of policy that specify the maximum permissions for the accounts in your
organization, and can help you enforce compliance and security requirements. AWS Organizations also simplifies billing processes by enabling you to consolidate
and pay for all member accounts with a single payment method. You can also use AWS Organizations to automate the creation of AWS accounts by using APIs or
AWS CloudFormation templates. References: What is AWS Organizations?, Policy-Based Management - AWS Organizations
NEW QUESTION 10
- (Topic 3)
A company wants to ensure that all of its Amazon EC2 instances have compliant operating system patches.
Which AWS service will meet these requirements?
Answer: D
Explanation:
AWS Systems Manager gives you visibility and control of your infrastructure on AWS. Systems Manager provides a unified user interface so you can view
operational data from multiple AWS services and allows you to automate operational tasks across your AWS resources. You can use Systems Manager to apply
OS patches, create system images, configure Windows and Linux operating systems, and execute PowerShell commands5. Systems Manager can help you
ensure that all of your Amazon EC2 instances have compliant operating system patches by using the Patch Manager feature.
NEW QUESTION 10
- (Topic 3)
A company needs to engage third-party consultants to help maintain and support its AWS environment and the company's business needs.
Which AWS service or resource will meet these requirements?
A. AWS Support
B. AWS Organizations
C. AWS Service Catalog
D. AWS Partner Network (APN)
Answer: D
Explanation:
The AWS service or resource that will meet these requirements is D. AWS Partner Network (APN).
AWS Partner Network (APN) is a global community of consulting and technology partners that offer a wide range of services and solutions for AWS customers.
APN partners can help customers design, architect, build, migrate, and manage their workloads and applications on AWS. APN partners have access to various
resources, training, tools, and support to enhance their AWS expertise and deliver value to customers12.
AWS Support is a service that provides technical assistance and guidance for AWS customers. AWS Support offers different plans with varying levels of response
time, access channels, and features. AWS Support does not directly engage third-party consultants, but rather connects customers with AWS experts and
resources3.
AWS Organizations is a service that allows customers to manage multiple AWS accounts within a single organization. AWS Organizations enables customers to
create groups of accounts, apply policies, automate account creation, and consolidate billing. AWS Organizations does not directly engage third-party consultants,
but rather helps customers simplify and optimize their AWS account management4.
AWS Service Catalog is a service that allows customers to create and manage catalogs of IT services that are approved for use on AWS. AWS Service Catalog
enables customers to control the configuration, deployment, and governance of their IT services. AWS Service Catalog does not directly engage third-party
consultants, but rather helps customers standardize and streamline their IT service delivery5.
References:
1: AWS Partner Network (APN) - Amazon Web Services (AWS)
2: Find an APN Partner - Amazon Web Services (AWS)
3: AWS Support – Amazon Web Services
4: AWS Organizations – Amazon Web Services
5: AWS Service Catalog – Amazon Web Services
NEW QUESTION 15
- (Topic 3)
What is a benefit of using AWS serverless computing?
Answer: D
Explanation:
AWS serverless computing is a way of building and running applications without thinking about servers. AWS manages the infrastructure for you, so you don’t
have to provision, scale, patch, or monitor servers. You only pay for the compute time you consume, and you can focus on your application logic instead of
managing servers12. References: Serverless Computing – Amazon Web Services, AWS Serverless Computing, Benefits, Architecture and Use-cases -
XenonStack
NEW QUESTION 20
- (Topic 3)
A company is planning to migrate to the AWS Cloud and wants to become more responsive to customer inquiries and feedback. The company wants to focus on
organizational transformation.
A company wants to give its customers the ability to view specific data that is hosted in Amazon S3 buckets. The company wants to keep control over the full
datasets that the company shares with the customers.
Which S3 feature will meet these requirements?
A. S3 Storage Lens
B. S3 Cross-Region Replication (CRR)
C. S3 Versioning
D. S3 Access Points
Answer: D
Explanation:
S3 Access Points are a feature of Amazon S3 that allows you to easily manage access to specific data that is hosted in S3 buckets. S3 Access Points are unique
hostnames that customers can use to access data in S3 buckets. You can create multiple access points for a single bucket, each with its own name and
permissions. You can use S3 Access Points to provide different levels of access to different groups of customers, such as read-only or write-only access. You can
also use S3 Access Points to enforce encryption or logging requirements for specific data. S3 Access Points help you keep control over the full datasets that you
share with your customers, while simplifying the access management and improving the performance and scalability of your applications.
NEW QUESTION 25
- (Topic 3)
A cloud practitioner needs to obtain AWS compliance reports before migrating an environment to the AWS Cloud. How can these reports be generated?
Answer: B
Explanation:
AWS Artifact is a service that provides on-demand access to security and compliance reports from AWS and Independent Software Vendors (ISVs) who sell their
products on AWS Marketplace. You can use AWS Artifact to download auditor-issued reports, certifications, accreditations, and other third-party attestations of
AWS compliance with various standards and regulations, such as PCI-DSS, HIPAA, FedRAMP, GDPR, and more1234. You can also use AWS Artifact to review,
accept, and manage your agreements with AWS and apply them to current and future accounts within your organization2.
References: 1: Cloud Compliance - Amazon Web Services (AWS), 2: Security Compliance Management - AWS Artifact - AWS, 3: AWS Compliance Contact Us - Amazon Web Services, 4: AWS SECURITY AND COMPLIANCE QUICK REFERENCE GUIDE
NEW QUESTION 26
- (Topic 3)
A company needs to migrate a PostgreSQL database from on-premises to Amazon RDS. Which AWS service or tool should the company use to meet this
requirement?
Answer: C
Explanation:
AWS Database Migration Service (AWS DMS) is a managed and automated service that helps you migrate your databases from your on-premises or cloud
environment to AWS, either as a one-time migration or as a continuous replication. AWS DMS supports migration between 20-plus database and analytics
engines, such as PostgreSQL, Oracle, MySQL, SQL Server, MongoDB, Amazon Aurora, Amazon RDS, Amazon Redshift, and Amazon S3. AWS DMS also
provides schema conversion and validation tools, as well as monitoring and security features. AWS DMS is a cost-effective and reliable solution for database
migration, as you only pay for the compute resources and additional log storage used during the migration process, and you can minimize the downtime and data
loss with Multi-AZ and ongoing replication12.
To migrate a PostgreSQL database from on-premises to Amazon RDS using AWS DMS, you need to perform the following steps:
* Create an AWS DMS replication instance in the same AWS Region as your target Amazon RDS PostgreSQL DB instance. The replication instance is a server
that runs the AWS DMS replication software and connects to your source and target endpoints. You can choose the instance type, storage, and network settings
based on your migration requirements3.
* Create a source endpoint that points to your on-premises PostgreSQL database. You need to provide the connection details, such as the server name, port,
database name, user name, and password. You also need to specify the engine name as postgres and the SSL mode as required4.
* Create a target endpoint that points to your Amazon RDS PostgreSQL DB instance. You need to provide the connection details, such as the server name, port,
database name, user name, and password. You also need to specify the engine name as postgres and the SSL mode as verify-full.
* Create a migration task that defines the migration settings and options, such as the replication instance, the source and target endpoints, the migration type (full
load, full load and change data capture, or change data capture only), the table mappings, the task settings, and the task monitoring role. You can also use the
AWS Schema Conversion Tool (AWS SCT) to convert your source schema to the target schema and apply it to the target endpoint before or after creating the
migration task.
* Start the migration task and monitor its progress and status using the AWS DMS console, the AWS CLI, or the AWS DMS API. You can also use AWS
CloudFormation to automate the creation and execution of the migration task.
The other options are not suitable for migrating a PostgreSQL database from on-premises to Amazon RDS. Cloud Adoption Readiness Tool is a tool that helps you
assess your readiness for cloud adoption based on six dimensions: business, people, process, platform, operations, and security. It does not perform any
database migration tasks. AWS Migration Hub is a service that helps you track and manage the progress of your application migrations across multiple AWS and
partner services, such as AWS DMS, AWS Application Migration Service, AWS Server Migration Service, and CloudEndure Migration. It does not perform any
database migration tasks itself, but rather integrates with other migration services. AWS Application Migration Service is a service that helps you migrate your
applications from your on-premises or cloud environment to AWS without making any changes to the applications, their architecture, or the migrated servers. It
does not support database migration, but rather replicates your servers as Amazon Machine Images (AMIs) and launches them as EC2 instances on AWS.
References: AWS Database Migration Service, What is AWS Database Migration Service?, Working with an AWS DMS replication instance, Creating source and
target endpoints for PostgreSQL, [Creating a target endpoint for Amazon RDS for PostgreSQL], [Creating a migration task for AWS DMS], [AWS Schema
Conversion Tool], [Starting a migration task for AWS DMS], [AWS CloudFormation], [Cloud Adoption Readiness Tool], [AWS Migration Hub], [AWS Application
Migration Service]
NEW QUESTION 29
- (Topic 3)
Which AWS service or feature offers security for a VPC by acting as a firewall to control traffic in and out of subnets?
Answer: C
Explanation:
A network access control list (network ACL) is a feature that acts as a firewall for controlling traffic in and out of one or more subnets in a virtual private cloud
(VPC). AWS Security Hub is a service that provides a comprehensive view of the security posture of AWS accounts and resources. Security groups are features
that act as firewalls for controlling traffic at the instance level. AWS WAF is a web application firewall that helps protect web applications from common web
exploits.
NEW QUESTION 34
- (Topic 3)
A company has a MySQL database running on a single Amazon EC2 instance. The company now requires higher availability in the event of an outage.
Which set of tasks would meet this requirement?
Answer: C
Explanation:
The set of tasks that would meet the requirement of having higher availability for a MySQL database running on a single Amazon EC2 instance is to migrate to
Amazon RDS and enable Multi-AZ. Amazon RDS is a fully managed relational database service that supports MySQL and other popular database engines. By
enabling Multi-AZ, users can have a primary database in one Availability Zone and a synchronous standby replica in another Availability Zone. In case of a
planned or unplanned outage of the primary database, Amazon RDS automatically fails over to the standby replica with minimal disruption3. Adding an Application
Load Balancer in front of the EC2 instance, configuring EC2 Auto Recovery to move the instance to another Availability Zone, or enabling termination protection for
the EC2 instance would not provide higher availability for the database, as they do not address the single point of failure or data replication issues.
NEW QUESTION 35
- (Topic 3)
A company has deployed an application in the AWS Cloud. The company wants to ensure that the application is highly resilient.
Which component of AWS infrastructure can the company use to meet this requirement?
Answer: D
Explanation:
Availability Zones are components of AWS infrastructure that can help the company ensure that the application is highly resilient. Availability Zones are multiple,
isolated locations within each AWS Region. Each Availability Zone has independent power, cooling, and physical security, and is connected to the other Availability
Zones in the same Region via low-latency, high-throughput, and highly redundant networking. Availability Zones allow you to operate production applications and
databases that are more highly available, fault tolerant, and scalable than would be possible from a single data center.
NEW QUESTION 36
- (Topic 3)
A company needs to deploy applications in the AWS Cloud as quickly as possible. The company also needs to minimize the complexity that is related to the
management of AWS resources.
Which AWS service should the company use to meet these requirements?
A. AWS Config
B. AWS Elastic Beanstalk
C. Amazon EC2
D. Amazon Personalize
Answer: B
Explanation:
AWS Elastic Beanstalk is the AWS service that allows customers to deploy applications in the AWS Cloud as quickly as possible. AWS Elastic Beanstalk
automatically handles the deployment, from capacity provisioning, load balancing, and auto-scaling to application health monitoring. Customers can upload their
code and Elastic Beanstalk will take care of the rest1. AWS Elastic Beanstalk also minimizes the complexity that is related to the management of AWS resources.
Customers can retain full control of the underlying AWS resources powering their applications and adjust the settings to suit their needs1. Customers can also use
the AWS Management Console, the AWS Command Line Interface (AWS CLI), or APIs to manage their applications1.
AWS Config is the AWS service that enables customers to assess, audit, and evaluate the configurations of their AWS resources. AWS Config continuously
monitors and records the configuration changes of the resources and evaluates them against desired configurations or best practices2. AWS Config does not help
customers deploy applications in the AWS Cloud as quickly as possible or minimize the complexity that is related to the management of AWS resources.
Amazon EC2 is the AWS service that provides secure, resizable compute capacity in the cloud. Customers can launch virtual servers called instances and choose
from various configurations of CPU, memory, storage, and networking resources3. Amazon EC2 does not automatically handle the deployment or management of
AWS resources for customers. Customers have to manually provision, configure, monitor, and scale their instances and other related resources.
Amazon Personalize is the AWS service that enables customers to create personalized recommendations for their users based on their behavior and preferences.
Amazon Personalize uses machine learning to analyze data and deliver real-time recommendations4. Amazon Personalize does not help customers deploy
applications in the AWS Cloud as quickly as possible or minimize the complexity that is related to the management of AWS resources.
NEW QUESTION 39
- (Topic 3)
A company is storing sensitive customer data in an Amazon S3 bucket. The company wants to protect the data from accidental deletion or overwriting.
Which S3 feature should the company use to meet these requirements?
A. S3 Lifecycle rules
B. S3 Versioning
C. S3 bucket policies
D. S3 server-side encryption
Answer: B
Explanation:
S3 Versioning is a feature that allows you to keep multiple versions of an object in the same bucket. You can use S3 Versioning to protect your data from
accidental deletion or overwriting by enabling it on a bucket or a specific object. S3 Versioning also allows you to restore previous versions of an object if needed.
S3 Lifecycle rules are used to automate the transition of objects between storage classes or to expire objects after a certain period of time. S3 bucket policies are
used to control access to the objects in a bucket. S3 server-side encryption is used to encrypt the data at rest in S3. References: S3 Versioning, S3 Lifecycle rules,
S3 bucket policies, S3 server-side encryption
NEW QUESTION 41
- (Topic 3)
Which cloud computing advantage is a company applying when it uses AWS Regions to increase application availability to users in different countries?
A. Pay-as-you-go pricing
B. Capacity forecasting
C. Economies of scale
D. Global reach
Answer: D
Explanation:
Global reach is a cloud computing advantage that a company can apply when it uses AWS Regions to increase application availability to users in different
countries. Global reach refers to the ability to deploy applications and services in multiple geographic locations around the world, and to serve customers with low
latency and high performance. AWS has the largest and most reliable global infrastructure of any cloud provider, with 25 Regions and 81 Availability Zones across
the Americas, Europe, Asia Pacific, Africa, and the Middle East [1][2][3]. By using AWS Regions, a company can choose the best location for its application based on
customer proximity, compliance requirements, and disaster recovery strategies [2][3]. References: 1: AWS Global Infrastructure - Amazon Web Services (AWS), 2:
Regions and Availability Zones - Amazon Elastic Compute Cloud, 3: AWS Infrastructure: Regions and Availability Zones Explained
NEW QUESTION 45
- (Topic 3)
A company needs to store infrequently used data for data archives and long-term backups.
A company needs a history report about how its Amazon EC2 instances were modified last month.
Which AWS service can be used to meet this requirement?
Answer: B
Explanation:
AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. AWS Config continuously monitors and records
your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. AWS Config can also track
changes to your EC2 instances over time and provide a history report of the modifications. AWS Service Catalog, Amazon CloudWatch, and AWS Artifact are not
the best services to meet this requirement. AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for
use on AWS. Amazon CloudWatch is a service that monitors your AWS resources and applications and provides metrics, alarms, dashboards, and logs. AWS
Artifact is a service that provides on-demand access to AWS security and compliance reports and online agreements.
NEW QUESTION 46
- (Topic 3)
Which AWS service provides the ability to manage infrastructure as code?
A. AWS CodePipeline
B. AWS CodeDeploy
C. AWS Direct Connect
D. AWS CloudFormation
Answer: D
Explanation:
The AWS service that provides the ability to manage infrastructure as code is AWS CloudFormation. Infrastructure as code is a process of defining and
provisioning AWS resources using code or templates, rather than manual actions or scripts. AWS CloudFormation allows you to create and update stacks of AWS
resources based on predefined templates that describe the desired state and configuration of the resources. AWS CloudFormation automates and simplifies the
deployment and management of AWS resources, and ensures consistency and repeatability across different environments and regions. AWS CloudFormation also
supports rollback, change sets, drift detection, and nested stacks features that help you to monitor and control the changes to your infrastructure [1].
NEW QUESTION 47
- (Topic 3)
A company wants to integrate natural language processing (NLP) into business intelligence (BI) dashboards. The company wants to ask questions and receive
answers with relevant visualizations.
Which AWS service or tool will meet these requirements?
A. Amazon Macie
B. Amazon Rekognition
C. Amazon QuickSight Q
D. Amazon Lex
Answer: C
Explanation:
Amazon QuickSight Q is a natural language query feature that allows users to ask questions about their data and receive answers in the form of relevant
visualizations [1]. Amazon Macie is a data security and data privacy service that uses machine learning and pattern matching to discover and protect sensitive data
in AWS [2]. Amazon Rekognition is a computer vision service that can analyze images and videos for faces, objects, scenes, text, and more [3]. Amazon Lex is a
service for building conversational interfaces using voice and text [4].
NEW QUESTION 51
- (Topic 3)
Which AWS service can identify when an Amazon EC2 instance was terminated?
Answer: B
Explanation:
AWS CloudTrail is the AWS service that can identify when an Amazon EC2 instance was terminated. AWS CloudTrail is a service that records API calls and
events for AWS accounts and resources. AWS CloudTrail can capture the TerminateInstances event, which is triggered when an EC2 instance is terminated by a
user or an AWS service. The event contains information such as the instance ID, the user identity, the source IP address, the time, and the reason for the
termination [1][2]. Customers can use the CloudTrail console, the AWS CLI, or the AWS SDKs to view and search for the TerminateInstances events in their event
history or in their S3 buckets where they store their CloudTrail logs [1][3].
NEW QUESTION 53
- (Topic 3)
Which AWS service provides encryption at rest for Amazon RDS and for Amazon Elastic Block Store (Amazon EBS) volumes?
A. AWS Lambda
B. AWS Key Management Service (AWS KMS)
C. AWS WAF
D. Amazon Rekognition
Answer: B
Explanation:
AWS Key Management Service (AWS KMS) is a managed service that enables you to easily encrypt your data. AWS KMS provides you with centralized control of
the encryption keys used to protect your data. You can use AWS KMS to encrypt data in Amazon RDS and Amazon EBS volumes [1][2].
NEW QUESTION 58
- (Topic 3)
Which AWS services or features give users the ability to create a network connection between two VPCs? (Select TWO.)
A. VPC endpoints
B. Amazon Route 53
C. VPC peering
D. AWS Direct Connect
E. AWS Transit Gateway
Answer: CE
Explanation:
VPC peering and AWS Transit Gateway are two AWS services or features that give users the ability to create a network connection between two VPCs. VPC
peering is a networking connection between two VPCs that enables you to route traffic between them privately. You can create a VPC peering connection between
your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. Traffic between peered VPCs never traverses the public internet.
VPC peering does not support transitive peering relationships, which means that if VPC A is peered with VPC B, and VPC B is peered with VPC C, then VPC A
and VPC C are not automatically peered [7][8][9]. AWS Transit Gateway is a networking service that acts as a regional router for your VPCs and on-premises
networks. You can attach up to 5,000 VPCs and VPN connections to a single transit gateway and route traffic between them. AWS Transit Gateway simplifies the
management and scalability of your network architecture, as you only need to create and manage a single connection from the central transit gateway to each
connected network. AWS Transit Gateway supports transitive routing, which means that any network that is attached to the transit gateway can communicate with
any other network that is attached to the same transit gateway. References: 7: VPC peering - Amazon Virtual Private Cloud, 8: Connect VPCs using VPC peering
- Amazon Virtual Private Cloud, 9: Amazon VPC-to-Amazon VPC connectivity options - Amazon Virtual Private Cloud, AWS Transit Gateway - Amazon Web
Services, Connect VPCs using AWS Transit Gateway - Amazon Virtual Private Cloud, AWS Transit Gateway: Simplify Your Network Architecture
NEW QUESTION 60
- (Topic 3)
A company wants to migrate its high-performance computing (HPC) application to Amazon EC2 instances. The application has multiple components. The
application must have fault tolerance and must have the ability to fail over automatically.
Which AWS infrastructure solution will meet these requirements with the LEAST latency between components?
Answer: C
Explanation:
Using EC2 instances in multiple Availability Zones is an AWS infrastructure solution that meets the requirements of migrating a high performance computing
(HPC) application to AWS with fault tolerance and failover capabilities, and with the least latency between components. An Availability Zone is a physically isolated
location within an AWS Region that has its own power, cooling, and network connectivity. EC2 instances within the same Region can communicate with each other
using low-latency private IP addresses. By using EC2 instances in multiple Availability Zones, the company can achieve fault tolerance and failover for their HPC
application, because they can distribute the workload and data across different locations that are independent of each other. If one Availability Zone becomes
unavailable or impaired, the company can redirect the traffic and data to another Availability Zone without affecting the performance and availability of the
application [5].
NEW QUESTION 65
- (Topic 3)
An IT engineer needs to access AWS services from an on-premises application. Which credentials or keys does the application need for authentication?
Answer: B
Explanation:
IAM access keys are long-term credentials that consist of an access key ID and a secret access key. You use access keys to sign programmatic requests that you
make to AWS. If you need to access AWS services from an on-premises application, you can use IAM access keys to authenticate your requests. AWS account
user name and password are used to sign in to the AWS Management Console. Amazon EC2 key pairs are used to connect to your EC2 instances using SSH.
AWS Key Management Service (AWS KMS) keys are used to encrypt and decrypt your data using the AWS Encryption SDK or the AWS CLI.
NEW QUESTION 70
- (Topic 3)
Which AWS service or feature enables users to encrypt data at rest in Amazon S3?
A. IAM policies
B. Server-side encryption
C. Amazon GuardDuty
D. Client-side encryption
Answer: B
Explanation:
Server-side encryption is an encryption option that Amazon S3 provides to encrypt data at rest in Amazon S3. With server-side encryption, Amazon S3 encrypts
an object before saving it to disk in its data centers and decrypts it when you download the objects. You have three server-side encryption options to choose from:
SSE-S3, SSE-C, and SSE-KMS. SSE-S3 uses keys that are managed by Amazon S3. SSE-C allows you to manage your own encryption keys. SSE-KMS uses
keys that are managed by AWS Key Management Service (AWS KMS) [5].
NEW QUESTION 71
- (Topic 3)
A company's application has high customer usage during certain times of the day. The company wants to reduce the number of Amazon EC2 instances that run
when application usage is low.
Which AWS service or instance purchasing option should the company use to meet this requirement?
Answer: D
Explanation:
Amazon EC2 Auto Scaling is an AWS service that can help users reduce the number of Amazon EC2 instances that run when application usage is low. Amazon
EC2 Auto Scaling allows users to create scaling policies that automatically adjust the number of EC2 instances based on the demand or a schedule. EC2 Instance
Savings Plans, Spot Instances, and Reserved Instances are instance purchasing options that can help users save money on EC2 usage, but they do not
automatically scale the number of instances according to the application usage.
NEW QUESTION 74
- (Topic 3)
A developer wants to deploy an application quickly on AWS without manually creating the required resources. Which AWS service will meet these requirements?
A. Amazon EC2
B. AWS Elastic Beanstalk
C. AWS CodeBuild
D. Amazon Personalize
Answer: B
Explanation:
AWS Elastic Beanstalk is a service that allows you to deploy and manage applications on AWS without manually creating and configuring the required resources,
such as EC2 instances, load balancers, security groups, databases, and more. AWS Elastic Beanstalk automatically handles the provisioning, scaling, load
balancing, health monitoring, and updating of your application, while giving you full control over the underlying AWS resources if needed. AWS Elastic Beanstalk
supports a variety of platforms and languages, such as Java, .NET, PHP, Node.js, Python, Ruby, Go, and Docker. You can use the AWS Management Console,
the AWS CLI, the AWS SDKs, or the AWS Elastic Beanstalk API to create and manage your applications. You can also use AWS CodeStar, AWS CodeCommit,
AWS CodeBuild, AWS CodeDeploy, and AWS CodePipeline to integrate AWS Elastic Beanstalk with your development and deployment workflows [1][2].
NEW QUESTION 77
- (Topic 3)
A company wants to run its workload on Amazon EC2 instances for more than 1 year. This workload will run continuously.
Which option offers a discounted hourly rate compared to the hourly rate of On-Demand Instances?
Answer: C
Explanation:
EC2 Instance Savings Plans are a flexible pricing model that offers discounted hourly rates on Amazon EC2 instance usage for a 1 or 3 year term. EC2 Instance
Savings Plans provide savings up to 72% off On-Demand rates, in exchange for a commitment to a specific instance family in a chosen AWS Region (for example,
M5 in Virginia). These plans automatically apply to usage regardless of size (for example, m5.xlarge, m5.2xlarge, etc.), OS (for example, Windows, Linux, etc.),
and tenancy (Host, Dedicated, Default) within the specified family in a Region. With an EC2 Instance Savings Plan, you can change your instance size within the
instance family (for example, from c5.xlarge to c5.2xlarge) or the operating system (for example, from Windows to Linux), or move from Dedicated tenancy to
Default and continue to receive the discounted rate provided by your EC2 Instance Savings Plan [4][5][6][7]. References: 4: Compute Savings Plans – Amazon Web
Services, 5: What are Savings Plans? - Savings Plans, 6: How To Cut Your AWS Bill With Savings Plans (and avoid some common …, 7: AWS Savings Plans vs
Reserved Instances - GorillaStack
NEW QUESTION 81
- (Topic 3)
A company wants to monitor its workload performance. The company wants to ensure that the cloud services are delivered at a level that meets its business
needs.
Which AWS Cloud Adoption Framework (AWS CAF) perspective will meet these requirements?
A. Business
B. Governance
C. Platform
D. Operations
Answer: D
Explanation:
The Operations perspective helps you monitor and manage your cloud workloads to ensure that they are delivered at a level that meets your business needs.
Common stakeholders include chief operations officer (COO), cloud director, cloud operations manager, and cloud operations engineers [1]. The Operations
perspective covers capabilities such as workload health monitoring, incident management, change management, release management, configuration
management, and disaster recovery [2]. The Business perspective helps ensure that your cloud investments accelerate your digital transformation ambitions and
business outcomes. Common stakeholders include chief executive officer (CEO), chief financial officer (CFO), chief information officer (CIO), and chief technology
officer (CTO). The Business perspective covers capabilities such as business case development, value realization, portfolio management, and stakeholder
management [3].
The Governance perspective helps you orchestrate your cloud initiatives while maximizing organizational benefits and minimizing transformation-related risks.
Common stakeholders include chief transformation officer, CIO, CTO, CFO, chief data officer (CDO), and chief risk officer (CRO). The Governance perspective
covers capabilities such as governance framework, budget and cost management, compliance management, and data governance [4].
The Platform perspective helps you build an enterprise-grade, scalable, hybrid cloud platform, modernize existing workloads, and implement new cloud-native
solutions. Common stakeholders include CTO, technology leaders, architects, and engineers. The Platform perspective covers capabilities such as platform design
and implementation, workload migration and modernization, cloud-native development, and DevOps [5]. References:
* AWS Cloud Adoption Framework: Operations Perspective
* AWS Cloud Adoption Framework - Operations Perspective
* AWS Cloud Adoption Framework: Business Perspective
* AWS Cloud Adoption Framework: Governance Perspective
* AWS Cloud Adoption Framework: Platform Perspective
NEW QUESTION 85
- (Topic 3)
A company needs to implement identity management for a fleet of mobile apps that are running in the AWS Cloud.
Which AWS service will meet this requirement?
A. Amazon Cognito
B. AWS Security Hub
C. AWS Shield
D. AWS WAF
Answer: A
Explanation:
Amazon Cognito is a service that provides identity management for mobile and web applications, allowing users to sign up, sign in, and access AWS resources
with different identity providers. AWS Security Hub is a service that provides a comprehensive view of the security posture of AWS accounts and resources. AWS
Shield is a service that provides protection against distributed denial of service (DDoS) attacks. AWS WAF is a web application firewall that helps protect web
applications from common web exploits.
NEW QUESTION 86
- (Topic 3)
Which AWS service provides a single location to track the progress of application migrations?
Answer: D
Explanation:
AWS Migration Hub is a service that provides a single location to track the progress of application migrations across multiple AWS and partner solutions. It allows
you to choose the AWS and partner migration tools that best fit your needs, while providing visibility into the status of migrations across your portfolio of
applications [1]. AWS Migration Hub supports migration status updates from the following tools: AWS Application Migration Service, AWS Database Migration
Service, CloudEndure Migration, Server Migration Service, and Migrate for Compute Engine [1].
The other options are not correct for the following reasons:
* AWS Application Discovery Service is a service that helps you plan your migration projects by automatically identifying servers, applications, and dependencies
in your on-premises data centers [2]. It does not track the progress of application migrations, but rather provides information to help you plan and scope your
migrations.
* AWS Application Migration Service is a service that helps you migrate and modernize applications from any source infrastructure to AWS with minimal downtime
and disruption [3]. It is one of the migration tools that can send status updates to AWS Migration Hub, but it is not the service that provides a single location to track
the progress of application migrations.
* AWS Service Catalog is a service that allows you to create and manage catalogs of IT services that are approved for use on AWS [4]. It does not track the
progress of application migrations, but rather helps you manage the provisioning and governance of your IT services.
References:
* 1: What Is AWS Migration Hub? - AWS Migration Hub
* 2: What Is AWS Application Discovery Service? - AWS Application Discovery Service
* 3: App Migration Tool - AWS Application Migration Service - AWS
* 4: What Is AWS Service Catalog? - AWS Service Catalog
NEW QUESTION 87
- (Topic 3)
A company wants to query its server logs to gain insights about its customers' experiences. Which AWS service will store this data MOST cost-effectively?
A. Amazon Aurora
B. Amazon Elastic File System (Amazon EFS)
C. Amazon Elastic Block Store (Amazon EBS)
D. Amazon S3
Answer: D
Explanation:
Amazon S3 is an AWS service that provides scalable, durable, and cost-effective object storage in the cloud. Amazon S3 can store any amount and type of data,
such as server logs, and offers various storage classes with different performance and pricing characteristics. Amazon S3 is the most cost-effective option for
storing server logs, as it offers low-cost storage classes, such as S3 Standard-Infrequent Access (S3 Standard-IA) and S3 Intelligent-Tiering, that are suitable for
data that is infrequently accessed or has changing access patterns. Amazon S3 also integrates with other AWS services, such as Amazon Athena and Amazon OpenSearch
Service, that can query the server logs directly from S3 without requiring any additional data loading or transformation. References: Amazon S3, Amazon S3
Storage Classes, Querying Data in Amazon S3
NEW QUESTION 90
- (Topic 3)
A company wants to generate a list of IAM users. The company also wants to view the status of various credentials that are associated with the users, such as
password, access keys, and multi-factor authentication (MFA) devices.
Which AWS service or feature will meet these requirements?
Answer: A
Explanation:
An IAM credential report is a feature of AWS Identity and Access Management (IAM) that allows you to view and download a report that lists all IAM users in your
account and the status of their various credentials, such as passwords, access keys, and MFA devices. You can use this report to audit the security status of your
IAM users and ensure that they follow the best practices for credential management [1]. References: 1: AWS Documentation - IAM User Guide - Getting credential
reports for your AWS account
NEW QUESTION 94
- (Topic 3)
A company wants to integrate natural language processing (NLP) into business intelligence (BI) dashboards. The company wants to ask questions and receive
answers with relevant visualizations.
Which AWS service or tool will meet these requirements?
A. Amazon Macie
B. Amazon Rekognition
C. Amazon QuickSight Q
D. Amazon Lex
Answer: C
Explanation:
Amazon QuickSight Q is a natural language query feature that lets you ask questions about your data using everyday language and get answers in seconds. You
can type questions such as “What are the total sales by region?” or “How did marketing campaign A perform?” and get answers in the form of relevant
visualizations, such as charts or tables. You can also use Q to drill down into details, filter data, or perform calculations. Q uses machine learning to understand
your data and your intent, and provides suggestions and feedback to help you refine your questions.
NEW QUESTION 99
- (Topic 3)
A company is moving to the AWS Cloud to reduce operational overhead for its application infrastructure.
Which IT operation will the company still be responsible for after the migration to AWS?
Answer: D
Explanation:
AWS Elastic Beanstalk, Amazon Aurora, and AWS Auto Scaling are managed services that reduce the operational overhead for the customers. AWS is
responsible for security patching, backups, and termination of these services. However, the customers are still responsible for configuring IAM access controls to
manage the permissions and policies for their AWS resources. This is part of the AWS shared responsibility model, which defines the security and compliance
responsibilities of AWS and the customers. You can learn more about the AWS shared responsibility model from this whitepaper or this digital course.
Answer: B
Explanation:
Changing AWS Support plans is a task that must be performed by using the AWS account root user credentials. The root user is the email address that you used
to sign up for AWS. It has complete access to all AWS services and resources in the account. You should use the root user only to perform a few account and
service management tasks, such as changing AWS Support plans, closing the account, or changing the account name or email address. Making changes to AWS
production resources, accessing AWS Cost and Usage Reports, and granting auditors access to an AWS account for a compliance audit are tasks that can be
performed by using IAM users or roles, which are entities that you create in AWS to delegate permissions to access AWS services and resources.
Answer: B
Explanation:
The AWS service or resource that will meet the requirement of verifying if multi-factor authentication (MFA) is enabled for all users within its AWS accounts is IAM
credential reports. IAM credential reports are downloadable reports that list all the users in an AWS account and the status of their various credentials, including
passwords, access keys, and MFA devices. Users can use IAM credential reports to audit the security status of their AWS accounts and identify any issues or
risks [4]. AWS Cost and Usage Report, AWS Artifact, and Amazon CloudFront reports are other AWS services or resources that provide different types of
information, such as billing, compliance, and content delivery, but they do not show the MFA status of the users.
A. AWS Artifact
B. Amazon CloudWatch
C. AWS Config
D. AWS Audit Manager
Answer: A
Explanation:
AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance reports and select online agreements. You can use AWS
Artifact to download AWS service audit reports, such as ISO, PCI, and SOC, and to accept and manage agreements with AWS, such as the Business Associate
Addendum (BAA).
Answer: B
Explanation:
Refining operation procedures frequently is one of the design principles of the operational excellence pillar of the AWS Well-Architected Framework. It means that
you should review and validate your processes regularly to ensure they are effective and that staff are familiar with them. Performing operations as code, making
frequent, small, reversible changes, and structuring the company to support business outcomes are design principles of other pillars of the AWS Well-Architected
Framework.
Answer: B
Explanation:
AWS Business Support is the most cost-effective AWS Support plan that provides chat access to a cloud support engineer 24/7. AWS Business Support also
offers phone and email support, as well as a response time of less than one hour for urgent issues. AWS Business Support does not include access to
infrastructure event management, which is a feature of AWS Enterprise Support. AWS Enterprise Support is more expensive and provides additional benefits,
such as a technical account manager, a support concierge, and a response time of less than 15 minutes for critical issues. AWS Developer Support and AWS
Basic Support do not provide chat access to a cloud support engineer. AWS Developer Support provides email support and a response time of less than 12 hours
for general guidance issues. AWS Basic Support provides customer service and account support, as well as access to forums and documentation [1].
A. Data architecture
B. Event management
C. Cloud fluency
D. Strategic partnership
Answer: C
Explanation:
Cloud fluency is a capability that belongs to the people perspective of the AWS Cloud Adoption Framework (AWS CAF). Cloud fluency is the ability of the
workforce to understand the benefits, challenges, and best practices of cloud computing, and to apply them to their roles and responsibilities. Cloud fluency helps
the organization to adopt a cloud mindset, culture, and skills, and to leverage the full potential of the cloud. Cloud fluency can be achieved through various
methods, such as training, certification, mentoring, coaching, and hands-on experience. Cloud fluency is one of the four capabilities of the people perspective,
along with culture, organizational structure, and leadership. The other three capabilities belong to different perspectives of the AWS CAF. Data architecture is a
capability of the platform perspective, which helps you design and implement data solutions that meet your business and technical requirements. Event
management is a capability of the operations perspective, which helps you monitor and respond to events that affect the availability, performance, and security of
your cloud resources. Strategic partnership is a capability of the business perspective, which helps you establish and maintain relationships with external
stakeholders, such as customers, partners, suppliers, and regulators, to create value and achieve your business goals. References: AWS Cloud Adoption Framework:
People Perspective, AWS CAF - Cloud Adoption Framework - W3Schools
Answer: D
Explanation:
One of the benefits of cloud computing is that it enables customers to increase speed and agility in developing, testing, and launching applications. Cloud
computing provides on-demand access to a variety of IT resources, such as compute, storage, networking, databases, and analytics, without requiring upfront
investments or long-term commitments. Customers can provision and release resources in minutes, scale up and down as needed, and experiment with new
technologies and features. This allows customers to accelerate their innovation cycles, deliver faster time-to-market, and respond to changing customer needs and
demands.
A. Open an AWS Support ticket to request that the AWS technical account manager (TAM) respond and help the auditor.
B. Open an AWS Support ticket to request that the auditor receive approval to conduct an onsite assessment of the AWS data centers in which the company
operates.
C. Explain to the auditor that AWS does not need to be audited because the company's application is hosted in multiple Availability Zones.
D. Use AWS Artifact to download the applicable report for AWS security controls. Provide the report to the auditor.
Answer: D
Explanation:
AWS Artifact is your go-to, central resource for compliance-related information that matters to you. It provides on-demand access to AWS’ security and
compliance reports and select online agreements. Reports available in AWS Artifact include our Service Organization Control (SOC) reports, Payment Card
Industry (PCI) reports, and certifications from accreditation bodies across geographies and compliance verticals that validate the implementation and operating
effectiveness of AWS security controls. Agreements available in AWS Artifact include the Business Associate Addendum (BAA) and the Nondisclosure Agreement
(NDA). You can use AWS Artifact to download the applicable report for AWS security controls and provide it to the auditor.
Answer: C
Explanation:
Design for failure is one of the best practices of the AWS Well-Architected Framework. It means that the architecture should be resilient and fault-tolerant, and
able to handle failures without impacting the availability and performance of the applications. By using Amazon EC2 Auto Scaling groups, the ecommerce
company can design for failure by automatically scaling the number of EC2 instances up or down based on demand or health status. Amazon EC2 Auto Scaling
groups can also distribute the EC2 instances across multiple Availability Zones, which are isolated locations within an AWS Region that have independent power,
cooling, and network connectivity. This way, the company can ensure that their web servers can handle traffic spikes, recover from failures, and provide a
consistent user experience.
A. AWS Organizations
B. IAM user
C. AWS IAM Identity Center (AWS Single Sign-On)
D. AWS Control Tower
Answer: C
Explanation:
AWS IAM Identity Center (AWS Single Sign-On) is a cloud-based service that makes it easy to centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications. You can use AWS SSO to enable your users to sign in to the AWS Management Console or the AWS Command Line
Interface (AWS CLI) with their existing corporate credentials [2]. You can also manage SSO access and user permissions across all your AWS accounts in AWS
Organizations [3]. References: AWS Single Sign-On - AWS Documentation, AWS Organizations - AWS Documentation
Answer: BD
Explanation:
These are two of the general AWS Cloud design principles described in the AWS Well-Architected Framework. Testing systems at production scale means using
tools such as AWS CloudFormation, AWS CodeDeploy, and AWS X-Ray to simulate real-world scenarios and measure the performance, scalability, and
availability of the system. Driving architecture design based on data means using tools such as Amazon CloudWatch, AWS CloudTrail, and AWS Config to collect
and analyze metrics, logs, and events about the system and use the insights to optimize the system’s design and operation. You can learn more about the AWS
Well-Architected Framework from this whitepaper or [this digital course].
Answer: AC
Explanation:
Agility in AWS Cloud computing means the ability to rapidly provision and deprovision AWS resources as needed, and the ability to experiment quickly with new
ideas and solutions. Agility helps businesses to respond to changing customer demands, market opportunities, and competitive threats, and to innovate faster and
cheaper. Agility also reduces the risk of failure, as businesses can test and validate their assumptions before committing to large-scale deployments. Some of the
benefits of agility in AWS Cloud computing are:
* The speed at which AWS resources are implemented: AWS provides a variety of services and tools that allow you to create, configure, and launch AWS
resources in minutes, using the AWS Management Console, the AWS Command Line Interface (AWS CLI), the AWS Software Development Kits (AWS SDKs), or
the AWS CloudFormation templates. You can also use the AWS Cloud Development Kit (AWS CDK) to define your AWS resources as code using familiar
programming languages, and synthesize them into AWS CloudFormation templates. You can also use the AWS Service Catalog to create and manage
standardized portfolios of AWS resources that meet your organizational policies and best practices. AWS also offers on-demand, pay-as-you-go pricing models, so
you only pay for the resources you use, and you can scale them up or down as your needs change [1][2][3][4][5].
* The ability to experiment quickly: AWS enables you to experiment quickly with new ideas and solutions, without having to invest in upfront capital or long-term
commitments. You can use AWS to create and test multiple prototypes, hypotheses, and minimum viable products (MVPs) in parallel, and measure their
performance and feedback. You can also use AWS to leverage existing services and solutions, such as AWS Marketplace, AWS Solutions, and AWS Quick Starts,
that can help you accelerate your innovation process. AWS also supports a culture of experimentation and learning, by providing tools and resources for
continuous integration and delivery (CI/CD), testing, monitoring, and analytics.
References: Six advantages of cloud computing - Overview of Amazon Web Services, AWS Cloud Development Kit (AWS CDK), AWS Service Catalog, AWS
Pricing, AWS CloudFormation, [Experimentation and Testing - AWS Well-Architected Framework], [AWS Marketplace], [AWS Solutions], [AWS Quick Starts],
[AWS Developer Tools]
A. Benefits management
B. Risk management
C. Application portfolio management
D. Cloud financial management
Answer: A
Explanation:
The correct answer is A. Benefits management.
Benefits management is the AWS CAF governance perspective capability that helps you define and track business outcomes as part of your cloud transformation
journey. Benefits management helps you align your cloud initiatives with your business objectives, measure the value and impact of your cloud investments, and
communicate the benefits of cloud adoption to your stakeholders [1][2].
Risk management is the AWS CAF governance perspective capability that helps you identify and mitigate the potential risks associated with cloud adoption, such
as security, compliance, legal, and operational risks [1][2].
Application portfolio management is the AWS CAF governance perspective capability that helps you assess and optimize your existing application portfolio for
cloud migration or modernization. Application portfolio management helps you categorize your applications based on their business value and technical fit,
prioritize them for cloud adoption, and select the best migration or modernization strategy for each application [1][2].
Cloud financial management is the AWS CAF governance perspective capability that helps you manage and optimize the costs and value of your cloud resources.
Cloud financial management helps you plan and budget for cloud adoption, track and allocate cloud costs, implement cost optimization strategies, and report on
cloud financial performance [1][2]. References:
1: AWS Cloud Adoption Framework: Governance Perspective
2: All you need to know about AWS Cloud Adoption Framework — Governance Perspective
A. AWS Lambda
B. AWS Batch
C. AWS Application Composer
D. AWS App Runner
Answer: C
Explanation:
AWS Application Composer is a service that allows users to visually design and build serverless applications. Users can drag and drop components, such as
AWS Lambda functions, Amazon API Gateway endpoints, Amazon DynamoDB tables, and Amazon S3 buckets, to create a serverless application architecture.
Users can also configure the properties, permissions, and dependencies of each component, and deploy the application to their AWS account with a few clicks.
AWS Application Composer simplifies the design and configuration of serverless applications, and reduces the need to write code or use AWS CloudFormation
templates. References: AWS Application Composer, AWS releases Application Composer to make serverless ‘easier’ but initial scope is limited
Answer: A
Explanation:
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers data, videos, applications, and APIs to customers globally with low
latency, high transfer speeds, all within a developer-friendly environment. It works seamlessly with services including AWS Shield for DDoS mitigation, Amazon S3,
Elastic Load Balancing or Amazon EC2 as origins for your applications, and Lambda@Edge to run custom code closer to customers’ users and to customize the
user experience. By using CloudFront, you can cache your content at the edge locations that are closest to your end users, reducing the network latency and
improving the performance of your application. CloudFront also offers a pay-as-you-go pricing model, so you only pay for the data transfer and requests that you
use.
Answer: A
Explanation:
This is the AWS service or resource that will meet the requirements of distributing traffic between the Amazon EC2 instances that host the website. Application
Load Balancer is a type of Elastic Load Balancing that distributes incoming application traffic across multiple targets, such as Amazon EC2 instances, containers,
IP addresses, and Lambda functions. Application Load Balancer operates at the application layer (layer 7) of the OSI model and supports advanced features such
as path-based routing, host-based routing, health checks, and SSL termination. You can learn more about Application Load Balancer from [this webpage] or [this
digital course].
Answer: C
Explanation:
AWS IAM Access Analyzer is a service that helps you identify the resources in your organization and accounts, such as Amazon S3 buckets or IAM roles, that are
shared with an external entity. This lets you identify unintended access to your resources and data, which is a security risk. IAM Access Analyzer uses logic-based
reasoning to analyze the resource-based policies in your AWS environment. For each instance of a resource shared outside of your account, IAM Access Analyzer
generates a finding. Findings include information about the access and the external principal granted to it [3][4][5]. References: 3: Using AWS Identity and Access
Management Access Analyzer, 4: IAM Access Analyzer - Amazon Web Services (AWS), 5: Welcome - IAM Access Analyzer
Answer: D
Explanation:
AWS Marketplace is an online store that helps customers find, buy, and immediately start using the software and services that run on AWS. Customers can
choose from a wide range of software products in popular categories such as security, networking, storage, machine learning, business intelligence, database, and
DevOps. Customers can also use AWS Marketplace to purchase software as a service (SaaS) solutions that are integrated with AWS. Customers can benefit from
simplified procurement, billing, and deployment processes, as well as flexible pricing options and free trials. Customers can also leverage AWS Marketplace to
discover and subscribe to solutions offered by AWS Partners, such as the security software vendor mentioned in the question. References: AWS Marketplace,
[AWS Marketplace: Software as a Service (SaaS)], [AWS Cloud Practitioner Essentials: Module 6 - AWS Pricing, Billing, and Support]
A. Amazon Personalize
B. Amazon SageMaker
C. Amazon Pinpoint
D. Amazon Comprehend
Answer: A
Explanation:
The AWS service that meets the requirement of providing a managed machine learning (ML) service that can recommend products based on a customer’s
previous behaviors is Amazon Personalize. Amazon Personalize is a fully managed service that enables developers to create personalized recommendations for
customers using their own data. Amazon Personalize can automatically process and examine the data, identify what is meaningful, select the right algorithms, and
train and optimize a personalized recommendation model [2]. Amazon SageMaker, Amazon Pinpoint, and Amazon Comprehend are other AWS services related to
machine learning, but they do not provide the specific functionality of product recommendation.
A. Security
B. Reliability
C. Cost optimization
D. Sustainability
Answer: C
Explanation:
Cost optimization is one of the five pillars of the AWS Well-Architected Framework. It focuses on avoiding unnecessary costs, understanding and controlling where
money is being spent, selecting the most appropriate and right number of resource types, analyzing spend over time, and scaling to meet business needs without
overspending.
Answer: C
Explanation:
Amazon RDS for MySQL is a fully managed, open-source cloud database service that allows you to easily operate and scale your relational database of choice,
including MySQL. With Amazon RDS for MySQL, you don’t have to worry about the hardware, resiliency, and replication of your database, as Amazon RDS
handles these tasks for you. Amazon RDS for MySQL also provides features such as automated backups, multi-AZ deployments, read replicas, encryption,
monitoring, and more. Amazon RDS for MySQL is compatible with the MySQL Community Edition versions 5.7 and 8.0, which means that you can use the same
code, applications, and tools that you already use with MySQL [4][5][6][7]. References: 4: Hosted MySQL - Amazon RDS for MySQL - AWS, 5: Amazon RDS for MySQL
- Amazon Relational Database Service, 6: Amazon RDS for MySQL —, 7: Managed SQL Database - Amazon Relational Database Service (RDS) - AWS
A. Amazon Neptune
B. Amazon Timestream
C. Amazon Forecast
D. Amazon DocumentDB (with MongoDB compatibility)
Answer: B
Explanation:
Amazon Timestream is a fast, scalable, and serverless time-series database service for IoT and other operational applications that makes it easy to store and
analyze trillions of events per day up to 1,000 times faster and at as little as 1/10th the cost of relational databases [1]. Amazon Timestream saves you time and cost
in managing the lifecycle of time series data, and its purpose-built query engine lets you access and analyze recent and historical data together with a single
query [1]. Amazon Timestream has built-in time series analytics functions, helping you identify trends and patterns in near real time [1]. The other options are not
suitable for storing and analyzing trillions of events per day. Amazon Neptune is a graph database service that supports highly connected data sets. Amazon
Forecast is a machine learning service that generates accurate forecasts based on historical data. Amazon DocumentDB (with MongoDB compatibility) is a
document database service that supports MongoDB workloads.
References:
* 1: Time Series Database – Amazon Timestream – Amazon Web Services
Answer: AC
Explanation:
AWS Identity and Access Management (IAM) is a service that enables you to manage access to AWS services and resources securely. You can use IAM to
perform the following actions:
* Control access to AWS service APIs and to other specific resources: You can create users, groups, roles, and policies that define who can access which AWS
resources and how. You can also use IAM to grant temporary access to users or applications that need to perform certain tasks on your behalf [3].
* Protect the AWS environment using multi-factor authentication (MFA): You can enable MFA for your IAM users and root user to add an extra layer of security to
your AWS account. MFA requires users to provide a unique authentication code from an approved device or SMS text message, in addition to their user name and
password, when they sign in to AWS [4].
A. Organizational alignment
B. Portfolio management
C. Organization design
D. Risk management
E. Modern application development
Answer: AC
Explanation:
The AWS Cloud Adoption Framework (AWS CAF) people perspective capabilities are the organizational skills and processes that enable effective cloud adoption.
According to the AWS CAF people perspective whitepaper [1], there are seven capabilities in this perspective, two of which are:
* Organizational alignment: This capability helps you align your organizational structure, roles, and responsibilities to support your cloud transformation goals and
objectives. It involves assessing your current and desired state of alignment, identifying gaps and misalignments, and designing and implementing changes to
optimize your cloud performance [1].
* Organization design: This capability helps you design and evolve your organization to enable agility, innovation, and collaboration in the cloud. It involves
defining your cloud operating model, identifying the skills and competencies needed for cloud roles, and creating career paths and development plans for your
cloud workforce [1].
The other options are not capabilities in the AWS CAF people perspective. Portfolio management, risk management, and modern application development are
capabilities in the AWS CAF business perspective, governance perspective, and platform perspective respectively [2].
References:
* 1: AWS Cloud Adoption Framework: People Perspective - AWS Cloud Adoption Framework: People Perspective
* 2: AWS Cloud Adoption Framework - AWS Cloud Adoption Framework
Answer: B
Explanation:
The AWS account root user is the email address that you used to sign up for AWS. The root user has complete access to all AWS services and resources in the
account. You should use the root user only to perform a few account and service management tasks. One of these tasks is changing AWS Support plans, which
requires root user credentials. For other tasks, you should create an IAM user or role with the appropriate permissions and use that instead of the root user.
A. AWS CLI
B. AWS Developer Center
C. AWS Cloud Development Kit (AWS CDK)
D. AWS CodeStar
Answer: C
Explanation:
AWS Cloud Development Kit (AWS CDK) is a software development framework that allows you to define cloud resources as code using familiar programming
languages, such as TypeScript, Python, Java, .NET, and Go (in Developer Preview). You can use AWS CDK to model your application resources using high-level
constructs that provide sensible defaults and best practices, or use low-level constructs that provide full access to the underlying AWS CloudFormation resources.
AWS CDK synthesizes your code into AWS CloudFormation templates that you can deploy using the AWS CDK CLI or the AWS Management Console. AWS CDK
also integrates with other AWS services, such as AWS CodeCommit, AWS CodeBuild, AWS CodePipeline, AWS Lambda, Amazon EC2, Amazon S3, and more,
to help you automate your development and deployment processes. AWS CDK is an open-source framework that you can extend and contribute to. References:
Cloud Development Framework - AWS Cloud Development Kit -
AWS, AWS Cloud Development Kit Documentation, AWS Cloud Development Kit - Wikipedia, AWS CDK Intro Workshop | AWS CDK Workshop
Answer: C
Explanation:
The solution that achieves the goal of having Amazon EC2 instances share the same geographic area but use multiple independent underlying power sources is
to use EC2 instances in multiple Availability Zones in the same AWS Region. An Availability Zone is a physically isolated location within an AWS Region that has
its own power, cooling, and network connectivity. An AWS Region is a geographical area that consists of two or more Availability Zones. By using multiple
Availability Zones, users can increase the fault tolerance and resilience of their applications, as well as reduce latency for end users [3].
Using EC2 instances in a single Availability Zone, multiple AWS Regions, or the same edge location and the same AWS Region would not meet the requirement of
having multiple independent power sources.
Answer: D
Explanation:
Migration Evaluator is an AWS service that provides a customized assessment of your current on-premises environment and helps you build a data-driven
business case for migration to AWS. Migration Evaluator collects and analyzes data from your on-premises servers, such as CPU, memory, disk, network, and
utilization metrics, and compares them with the most cost-effective AWS alternatives. Migration Evaluator also helps you understand your existing software
licenses and running costs, and provides recommendations for Bring Your Own License (BYOL) and License Included (LI) options in AWS. Migration Evaluator
generates a detailed report that shows your projected running costs in the AWS Cloud, along with potential savings and benefits. You can use this report to
support your decision-making and planning for cloud migration. References: Cloud Business Case & Migration Plan - Amazon Migration Evaluator - AWS, Getting
started with Migration Evaluator
A. Amazon EC2
B. Amazon RDS
C. Amazon SageMaker
D. Amazon Redshift
E. Amazon DynamoDB
Answer: AC
Explanation:
The AWS services that are supported by Savings Plans are:
* Amazon EC2: Amazon EC2 is a service that provides scalable computing capacity in the AWS cloud. You can use Amazon EC2 to launch virtual servers,
configure security and networking, and manage storage. Amazon EC2 is eligible for both Compute Savings Plans and EC2 Instance Savings Plans [1][2].
* Amazon SageMaker: Amazon SageMaker is a service that helps you build and deploy machine learning models. You can use Amazon SageMaker to access
Jupyter notebooks, use common machine learning algorithms, train and tune models, and deploy them to a hosted environment. Amazon SageMaker is eligible for
SageMaker Savings Plans [1][3].
The other options are not supported by Savings Plans. Amazon RDS, Amazon Redshift, and Amazon DynamoDB are database services that are eligible for
Reserved Instances, but not Savings Plans [4].
A. Amazon Athena
B. Amazon Redshift
C. Amazon S3 Select
D. Amazon Kinesis Data Streams
Answer: B
Explanation:
Amazon Redshift is a fully managed, petabyte-scale data warehouse service in the cloud. You can start with just a few hundred gigabytes of data and scale to a
petabyte or more. This enables you to use your data to acquire new insights for your business and customers. Amazon Redshift is a relational database
management system (RDBMS), so it is compatible with other RDBMS applications. You can use standard SQL to query the data.
A. Observability
B. Incident and problem management
C. Incident response
D. Infrastructure protection
E. Availability and continuity
Answer: CD
Explanation:
The AWS Cloud Adoption Framework (AWS CAF) security perspective helps users achieve the confidentiality, integrity, and availability of their data and cloud
workloads. It comprises nine capabilities that are grouped into three categories: preventive, detective, and responsive. Incident response and infrastructure
protection are two of the capabilities in the responsive and preventive categories, respectively. Incident response helps users prepare for and respond to security
incidents in a timely and effective manner, using tools and processes that leverage AWS features and services. Infrastructure protection helps users implement
security controls and mechanisms to protect their cloud resources, such as network, compute, storage, and database, from unauthorized access or malicious
attacks. References: Security perspective: compliance and assurance, AWS Cloud Adoption Framework
A. Amazon Kendra
B. Amazon Rekognition
C. Amazon Polly
D. Amazon Lex
Answer: A
Explanation:
Amazon Kendra is a highly accurate and easy to use intelligent search service powered by machine learning. It enables users to easily find the content they are
looking for, even when it is scattered across multiple locations and content repositories within their organization. Amazon Kendra supports natural language
queries, and can search for text in documents stored in Amazon S3, as well as other sources such as SharePoint, OneDrive, Salesforce, ServiceNow, and more [1].
Amazon Rekognition is a computer vision service that makes it easy to add image and video analysis to applications. It can detect objects, faces, text, scenes,
activities, and emotions in images and videos. However, it is not designed for searching for text in documents stored in Amazon S3 [2].
Amazon Polly is a text-to-speech service that turns text into lifelike speech. It can create audio versions of books, articles, podcasts, and more. However, it is not
designed for searching for text in documents stored in Amazon S3 [3].
Amazon Lex is a service for building conversational interfaces using voice and text. It can create chatbots that can interact with users using natural language.
However, it is not designed for searching for text in documents stored in Amazon S3 [4].
References:
* Amazon Kendra – Intelligent Search Service Powered by Machine Learning
* Amazon Rekognition – Video and Image - AWS
* Amazon Polly – Text-to-Speech Service - AWS
* Amazon Lex – Build Conversation Bots - AWS
Answer: D
Explanation:
AWS Security Token Service (AWS STS) is a service that provides temporary security credentials to users or applications that need to access AWS resources.
The temporary credentials have a limited lifetime and can be configured to last from a few minutes to several hours. The credentials are not stored with the user or
application, but are generated dynamically and provided on request. The credentials work almost identically to long-term access key credentials, but have the
advantage of not requiring distribution, rotation, or revocation [1].
AWS Key Management Service (AWS KMS) is a service that provides encryption and decryption services for data and keys. It does not provide temporary security
credentials [2]. AWS CloudHSM is a service that provides hardware security modules (HSMs) for cryptographic operations and key management. It does not provide
temporary security credentials [3].
Amazon Cognito is a service that provides user authentication and authorization for web and mobile applications. It can also provide temporary security credentials
for authenticated users, but not for applications [4].
A. On-Demand Instances
B. Savings Plans
C. Spot Instances
D. Reserved Instances
Answer: A
Explanation:
On-Demand Instances are the default pricing model for Amazon EC2 instances. They allow users to pay for compute capacity by the second, with no long-term
commitments or upfront payments. They are suitable for applications with short-term, irregular, or unpredictable workloads that cannot be interrupted [3]. Savings
Plans are a pricing model that offer significant savings on Amazon EC2 and AWS Fargate usage, in exchange for a commitment to a consistent amount of usage
(measured in $/hour) for a 1-year or 3-year term. Spot Instances are a pricing model that offer spare Amazon EC2 compute capacity at up to 90% discount
compared to On-Demand prices, but they can be interrupted by AWS with a two-minute notice when the demand exceeds the supply. Reserved Instances are a
pricing model that offer up to 75% discount compared to On-Demand prices, in exchange for a commitment to use a specific instance type and size in a specific
region for a 1-year or 3-year term.
Answer: B
Explanation:
One of the benefits of operating in the AWS Cloud is the ability to expand compute, storage, and memory when needed, which enables users to scale their
applications and resources up or down based on demand. This also helps users optimize their costs and performance. The ability to migrate on-premises network
devices to the AWS Cloud, the ability to host custom hardware in the AWS Cloud, and the ability to customize the underlying hypervisor layer for Amazon EC2 are
not benefits of operating in the AWS Cloud, as they are either not possible or not recommended by AWS.
Answer: B
Explanation:
According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, which includes the virtualization layer down to the physical
security of the facilities in which AWS services operate [1]. The customer is responsible for the security in the cloud, which includes the configuration and
management of the AWS resources and applications that they use [1].
Answer: C
Explanation:
AWS IAM Access Analyzer is an AWS service that helps customers identify and review the resources in their AWS account that are shared with an external entity,
such as another AWS account, a root user, an organization, or a public entity. AWS IAM Access Analyzer uses automated reasoning, a form of mathematical logic
and inference, to analyze the resource-based policies in the account and generate comprehensive findings that show the access level, the source of the access,
the affected resource, and the condition under which the access applies. Customers can use AWS IAM Access Analyzer to audit their shared resources, validate
their access policies, and monitor any changes to the resource sharing status. References: AWS IAM Access Analyzer, Identify and review resources shared with
external entities, How AWS IAM Access Analyzer works
Answer: B
Explanation:
The trade of infrastructure expenses for operating expenses is one of the benefits of the AWS Cloud. By moving to the AWS Cloud, the company can avoid the
upfront costs of purchasing and maintaining on-premises infrastructure, such as servers, storage, network, and software. Instead, the company can pay only for
the AWS resources and services that they use, as they use them. This reduces the risk and complexity of planning and managing IT infrastructure, and allows the
company to focus on innovation and growth. Increased speed to market, massive economies of scale, and the ability to go
global in minutes are also benefits of the AWS Cloud, but they are not the best ones to describe this scenario. Increased speed to market means that the company
can launch new products and services faster by using AWS services and tools. Massive economies of scale means that the company can benefit from the lower
costs and higher performance that AWS achieves by operating at a large scale. The ability to go global in minutes means that the company can deploy their
applications and data in multiple regions and availability zones around the world to reach their customers faster and improve performance and reliability [5].
Answer: C
Explanation:
AWS Shield is a managed DDoS protection service that safeguards applications running on AWS from distributed denial of service (DDoS) attacks. DDoS attacks
are malicious attempts to disrupt the normal functioning of a website or application by overwhelming it with a large volume of traffic from multiple sources. AWS
Shield provides two tiers of protection: Standard and Advanced. AWS Shield Standard is automatically enabled for all AWS customers at no additional cost. It
protects your AWS resources, such as Amazon CloudFront, AWS Global Accelerator, and Amazon Route 53, from the most common and frequently occurring
network and transport layer DDoS attacks. AWS Shield Advanced is an optional paid service that provides additional protection for your AWS resources and
applications, such as Amazon Elastic Compute Cloud (Amazon EC2), Elastic Load Balancing (ELB), Amazon Simple Storage Service (Amazon S3), Amazon
Relational Database Service (Amazon RDS), and AWS Elastic Beanstalk. AWS Shield Advanced offers enhanced detection and mitigation capabilities, 24/7
access to the AWS DDoS Response Team (DRT), real-time visibility and reporting, and cost protection against DDoS-related spikes in your AWS bill [1][2].
References: AWS Shield, What is a DDOS Attack & How to Protect Your Site Against One
Answer: C
Explanation:
AWS has the ability to achieve lower pay-as-you-go pricing by aggregating usage across hundreds of thousands of users. This means that AWS can leverage its
massive scale and purchasing power to reduce the costs of infrastructure, hardware, software, and operations. These savings are then passed on to the
customers, who only pay for the resources they use. You can learn more about the AWS pricing model from [this webpage] or [this digital course].
Answer: A
Explanation:
AWS Software Development Kit (SDK) is a set of platform-specific building tools for developers. It allows developers to access AWS services from application
code using familiar programming languages. It provides pre-built components and libraries that can be incorporated into applications, as well as tools to debug,
monitor, and optimize performance [2]. References: What is SDK? - SDK Explained - AWS
Answer: AC
Explanation:
Realigning teams to focus on products and value streams, and using agile methods to rapidly iterate and evolve are tasks that the company should perform to
meet the requirements of becoming more responsive to customer inquiries and feedback, according to the AWS Cloud Adoption Framework (AWS CAF). AWS
CAF organizes guidance into six areas of focus, called perspectives: business, people, governance, platform, security, and operations. Each perspective is divided
into capabilities, which describe the skills and processes to execute the transition effectively. The people perspective helps you prepare your organization for cloud
adoption, and includes capabilities such as organizational change management, staff skills and readiness, and organizational alignment. The business perspective
helps you align IT strategy with business strategy, and includes capabilities such as business case development, value proposition, and product ownership.
Creating new value propositions with new products and services is a task that belongs to the business perspective, but it is not directly related to the requirement
of becoming more responsive to customer inquiries and feedback. Using a new data and analytics platform to create actionable insights is a task that belongs to
the platform perspective, which helps you design, implement, and optimize the architecture of the AWS environment. However, it is also not directly related to the
requirement of becoming more responsive to customer inquiries and feedback. Migrating and modernizing legacy infrastructure is a task that belongs to the
operations perspective, which helps you enable, run, use, operate, and recover IT workloads to the level agreed upon with your business stakeholders. However, it
is also not directly related to the requirement of becoming more responsive to customer inquiries and feedback.
Answer: B
Explanation:
Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization. SCPs offer central control over the
maximum available permissions for all accounts in your organization, allowing you to ensure your accounts stay within your organization’s access control
guidelines [2]. SCPs are available only in an organization that has all features enabled [2].
A. Amazon GuardDuty
B. Amazon Inspector
C. Amazon Detective
D. Amazon Cognito
Answer: B
Explanation:
Amazon Inspector is the AWS service that can be used to perform vulnerability scans on AWS EC2 instances for software vulnerabilities automatically in a
periodic fashion. Amazon Inspector automatically discovers EC2 instances and scans them for software vulnerabilities and unintended network exposure. Amazon
Inspector uses AWS Systems Manager (SSM) and the SSM Agent to collect information about the software application inventory of the EC2 instances. This data is
then scanned by Amazon Inspector for software vulnerabilities [1][2]. Amazon Inspector also integrates with other AWS services, such as Amazon EventBridge and
AWS Security Hub, to automate discovery, expedite vulnerability routing, and shorten mean time to remediate (MTTR) vulnerabilities [2].
Answer: CD
Explanation:
The AWS account root user is the identity that has complete access to all AWS services and resources in the account. It is accessed by signing in with the email
address and password that were used to create the account [1]. The root user should be protected and used only for a few account and service management tasks
that require it [1]. Therefore, the following actions are best practices for an AWS account root user:
* Enable multi-factor authentication (MFA) on the root user. MFA is a security feature that requires users to provide two or more pieces of information to
authenticate themselves, such as a password and a code from a device. MFA adds an extra layer of protection for the root user credentials, which can access
sensitive information and perform critical operations in the account [2].
* Create an IAM user with administrator privileges for daily administrative tasks, instead of using the root user. IAM is a service that helps customers manage
access to AWS resources for users and groups. Customers can create IAM users and assign them permissions to perform specific tasks on specific
resources. Customers can also create IAM roles and policies to delegate access to other AWS services or external entities [3]. By creating an IAM user with
administrator privileges, customers can avoid using the root user for everyday tasks and reduce the risk of accidental or malicious changes to the account [1].
A. Pay-as-you-go pricing
B. Savings Plans
C. AWS Free Tier
D. Volume discounts
Answer: B
Explanation:
Savings Plans are an AWS pricing model or offering that can meet the requirements of seeking cost savings in exchange for a commitment to use a specific
amount of an AWS service or category of AWS services for 1 year or 3 years. Savings Plans are flexible plans that offer significant discounts on AWS compute
usage, such as EC2, Lambda, and Fargate. The company can choose from two types of Savings Plans: Compute Savings Plans and EC2 Instance Savings Plans.
Compute Savings Plans provide the most flexibility and apply to any eligible compute usage, regardless of instance family, size, region, operating system, or
tenancy. EC2 Instance Savings Plans provide more savings and apply to a specific instance family within a region. The company can select the amount of
compute usage per hour (e.g., $10/hour) that they want to commit to for the duration of the plan (1 year or 3 years). The company will pay the discounted Savings
Plan rate for the amount of usage that matches their commitment, and the regular on-demand rate for any usage beyond that
A. Amazon Connect
B. Amazon Route 53
C. AWS Direct Connect
D. VPC peering
Answer: C
Explanation:
AWS Direct Connect is a cloud service solution that makes it easy to establish a dedicated network connection from your premises to AWS. Using AWS Direct
Connect, you can establish private connectivity between AWS and your datacenter, office, or colocation environment, which in many cases can reduce your
network costs, increase bandwidth throughput, and provide a more consistent network experience than internet-based connections [1][2].
References: [1] Dedicated Network Connection - AWS Direct Connect - AWS; [2] What is AWS Direct Connect? - AWS Direct Connect
A. High availability
B. Performance efficiency
C. Cost optimization
D. Going global in minutes
E. Continuous development
Answer: BC
Explanation:
The AWS Well-Architected Framework is a set of six pillars and lenses that help cloud architects design and run workloads in the cloud. The six pillars are:
operational excellence, security, reliability, performance efficiency, cost optimization, and sustainability. Each pillar has a set of design principles and best practices
that guide the architectural decisions. High availability is not a separate pillar, but a quality that can be achieved by applying the principles of the reliability pillar.
Going global in minutes and continuous development are not pillars of the framework, but possible benefits of using AWS services and following the framework’s
recommendations.
References: AWS Well-Architected - Build secure, efficient cloud applications; AWS Well-Architected Framework; The 6 Pillars of the AWS Well-Architected Framework
A. AWS AppSync
B. AWS CodePipeline
C. AWS Cloud9
D. AWS CodeCommit
Answer: B
Explanation:
AWS CodePipeline is a continuous delivery and deployment service that automates the release process of software applications across different stages, such as
source code, build, test, and deploy [2]. AWS AppSync, AWS Cloud9, and AWS CodeCommit are other AWS services related to application development, but they
do not provide continuous delivery and deployment solutions [3][4].
A. Amazon Aurora
B. Amazon FSx
C. Amazon DynamoDB
D. Amazon Neptune
Answer: D
Explanation:
Amazon Neptune is a fully managed graph database service on AWS. A graph database is a type of database that stores and queries data as a network of nodes
and edges, representing entities and relationships. Graph databases are useful for applications that deal with highly connected data, such as social networks,
recommendation engines, fraud detection, and knowledge graphs [4][5]. Amazon Neptune is a fast, reliable, and scalable graph database service that supports two
popular graph models: property graphs and RDF. Amazon Neptune also supports two open standards for querying graphs: Apache TinkerPop Gremlin and
SPARQL. Amazon Neptune handles the heavy lifting of managing the database, such as provisioning, patching, backup, recovery, encryption, and replication [4][5][6].
References: [4] Managed Graph Database - Amazon Neptune - AWS; [5] Amazon Neptune – A Fully Managed Graph Database Service; [6] Working with AWS Neptune. Neptune is a fully-managed graph … - Medium
A. Amazon Redshift
B. AWS Glue
C. Amazon Athena
D. Amazon Kinesis Data Streams
Answer: C
Explanation:
Amazon Athena is a serverless interactive query service that makes it easy to analyze data in Amazon S3 using standard SQL. Athena is ideal for quick, ad-hoc
querying but it can also handle complex analysis, including large joins, window functions, and arrays. Athena scales automatically—executing queries in parallel—so
results are fast, even with large datasets and complex queries. Amazon Redshift is a fully managed, petabyte-scale data warehouse service that can run complex
analytic queries against structured and semi-structured data using standard SQL. However, it is not a serverless service and requires provisioning and managing
clusters of nodes. AWS Glue is a fully managed extract, transform, and load (ETL) service that makes it easy to prepare and load your data for analytics. However,
it is not a query service and does not support standard SQL. Amazon Kinesis Data Streams is a service that enables you to build custom applications that process
or analyze streaming data for specialized needs. However, it is not a query service and does not support standard SQL.
A. Network ACLs
B. Security groups
C. AWS Trusted Advisor
D. AWS WAF
Answer: B
Explanation:
Security groups are the AWS service or feature that can be used to apply security rules to specific Amazon EC2 instances. Security groups are virtual firewalls
that control the inbound and outbound traffic for one or more instances. Customers can create security groups and add rules that reflect the role of the instance
that is associated with the security group. For example, a web server instance needs security group rules that allow inbound HTTP and HTTPS access, while a
database instance needs rules that allow access for the type of database [1][2]. Security groups are stateful, meaning that the responses to allowed inbound traffic are
also allowed, regardless of the outbound rules [1]. Customers can assign multiple security groups to an instance, and the rules from each security group are
effectively aggregated to create one set of rules [1].
Network ACLs are another AWS service or feature that can be used to control the traffic for a subnet. Network ACLs are stateless, meaning that they do not track
the traffic that they allow. Therefore, customers must add rules for both inbound and outbound traffic [3]. Network ACLs are applied at the subnet level, not at the
instance level.
AWS Trusted Advisor is an AWS service that provides best practice recommendations for security, performance, cost optimization, and fault tolerance. AWS
Trusted Advisor does not apply security rules to specific Amazon EC2 instances, but it can help customers identify security gaps and improve their security
posture [4].
AWS WAF is an AWS service that helps protect web applications from common web exploits, such as SQL injection, cross-site scripting, and bot attacks. AWS
WAF does not apply security rules to specific Amazon EC2 instances, but it can be integrated with other AWS services, such as Amazon CloudFront, Amazon API
Gateway, and Application Load Balancer.