
2017 Exam Questions: AWS SysOps Associate

Created by Ray Choi, last modified on Nov. 08, 2017

Your System Status check has failed. What should you do to troubleshoot the issue?

Stop and restart the instance

By default, EC2 monitoring carried out by CloudWatch monitors: CPU, Disk, Network, and Status Checks.

Your instance Status Check shows a failure, and you are unable to connect to your instance. What should you do?

Restart the instance

You can have only 1 Internet Gateway per VPC.

Q: A customer has an online store that uses cookie-based sessions to track logged-in customers. It is deployed on AWS using ELB and Autoscaling. When the load increases, Autoscaling automatically launches new web servers, but the load on the web servers does not decrease. This causes the customers a poor experience. What could be causing this?

One answer: The ELB is continuing to send requests with previously established sessions (maybe Sticky Sessions is set for 20 min instead of 60 seconds)

You are a SysOps engineer at a start-up that is growing quite quickly. The start-up has a fleet of EC2 instances inside an autoscaling group that scales based on CPU Utilization. You notice that CPU Utilization is not a good metric, and that the main bottleneck is the maxed-out number of connections between the ELB and an EC2 instance. You want to adjust your Autoscaling configuration to address this bottleneck. Which two of the following ELB metrics should you consider?

SurgeQueueLength & SpilloverCount (relates to Load Balancers). SurgeQueueLength - the total number of requests that are pending routing. SpilloverCount - the total number of requests that were rejected because the surge queue is full.

Which of the following are use cases for Read Replicas?

Business reporting or data warehousing scenarios; you may want business reporting queries to run against a read replica, rather than your primary DB Instance.

Serving read traffic while the source DB instance is unavailable. If your source DB Instance cannot take I/O requests (e.g. due to I/O suspension for backups or scheduled maintenance), you can direct read traffic to your read replicas.

Scaling beyond the compute or I/O capacity of a single DB Instance for read-heavy database workloads. This excess read traffic can be directed to one or more read replicas.

Which of the following is NOT a use case for Read Replicas?

Providing greater redundancy via automatic failovers.

Which of the following is part of the failover process for a Multi-Availability Zone RDS instance?

The DNS record for the RDS endpoint is changed from primary to standby.

Your website is evenly distributed across 10 EC2 instances in 5 AWS regions. How could you configure your site to maintain high-availability with minimum downtime if one of the 5 regions was to lose network connectivity for an extended period of time?

Create a Route 53 Latency-based Routing Record Set that resolves to Elastic Load Balancers in each region and has the Evaluate Target Health flag set to "True".

Explanation: If you are designing to check for loss of contact with the instances, you need to use "Evaluate Target Health" to confirm connectivity. The Latency policy will eventually detect the unavailability; however, it is not a real-time test.

You have been tasked with identifying an appropriate storage solution for a 300 GB MongoDB database that requires random I/O reads of greater than 110,000 4kB IOPS. Which of the following EC2 options will meet this requirement?

Answer: I2 series with scheduled backup. Explanation: When designing to meet a performance target, start by selecting an instance type that is intended for that workload. In this case, the I2 is purpose-built for high-performance random I/O NoSQL DBs. However, you may need to provide persistent storage or replicas behind the instance stores. Backup or DRBD will provide this. EBS RAID 10 would be very expensive, as the additional disk fault tolerance is redundant with EBS storage.

Given the following IAM policy:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:Get*", "s3:List*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::corporate_bucket/*"
    }
  ]
}

What does the IAM policy allow? (Choose 3)

The user is allowed to read objects from all S3 buckets owned by the account. The user is allowed to write objects into the bucket named "corporate_bucket". The user is allowed to read objects from the bucket named "corporate_bucket".

You are hosting a company website on some EC2 servers in your VPC. Users of the website must log in to the site, which then authenticates against the company's Active Directory servers, which are based onsite at the company's HQ. Your VPC is connected to your company HQ via a secure IPsec VPN. Once logged in, the user can only have access to their own S3 bucket. How do you set this up?

Employee enters their username and password.

The app calls an Identity Broker. The broker captures the username and password.

The Identity Broker uses the organization's LDAP directory to validate the employee's identity.

The Identity Broker calls the new GetFederationToken function using IAM credentials. The call must include an IAM policy and a duration (1 to 36 hrs) along with a policy that specifies the permissions to be granted to the temporary security credentials.

The Security Token Service confirms that the policy of the IAM user making the call to GetFederationToken gives permission to create new tokens and then returns four values to the app: Access Key, Secret Access Key, Token, Duration (token's lifetime).

The Identity Broker returns the temporary security credentials to the reporting app.

The data storage app uses the temporary security credentials (including the token) to make requests to Amazon S3.

Amazon S3 uses IAM to verify that the credentials allow the requested operation on the given S3 bucket and key.

IAM provides S3 with the go-ahead to perform the requested operation.

STS Summary Steps for Scenario 1

Develop an Identity Broker to communicate with LDAP and AWS STS.

Identity Broker always authenticates with LDAP first, then with AWS STS.

App then gets temporary access to AWS resources.

STS Summary Steps for Scenario 2

Develop an Identity Broker to communicate with LDAP and AWS STS.

Identity Broker always authenticates with LDAP first, gets an IAM Role associated with a user (comes from Active Directory - is the user a Power User).

App then authenticates with STS and assumes that IAM Role.

App uses that IAM role to interact with S3.

Your org is preparing for a security assessment. What 2 config management practices should be implemented prior to the assessment? 

Audit whether or not remote administrative access is performed securely. Verify that all S3 bucket policies and ACLs correctly implement your security policies. False answers: Trusted Advisor handles IAM and cannot disable anything for EC2; no way of determining unnecessary users and services on Amazon published AMIs.

Instance 'A' and instance 'B' are running in two different subnets 'A' and 'B' of a VPC. Instance 'A' is not able to ping instance 'B'. Which of the following is a possible reason for this failure?

The Network ACL on subnet B does not allow outbound ICMP traffic; and the security group attached to instance B does not allow inbound ICMP traffic.

Your web site is evenly distributed across 10 EC2 instances in 5 regions. How could you configure your site to maintain site availability with minimum downtime if one of the 5 regions was to lose network connectivity for an extended period of time?

Create a Route 53 Latency Based Routing Record Set that resolves to Elastic Load Balancers in each region and has the Evaluate Target Health flag set to true.

Your company has moved to AWS so it can use "scripted infrastructure". You would like to apply version control to your infrastructure, so that you can roll back infrastructure to a previous stable version if needed. You would also like to quickly deploy testing and staging environments in multiple regions. What services should you use to achieve this?

CloudFormation, plus a version control system such as GitHub.

Which of the following SSL protocols is supported by Elastic Load Balancers?

TLS 1.0, TLS 1.1, TLS 1.2 (NOT SSL 1.0)

Your design team is about to implement an urgently needed collection and analysis solution. The data you will collect from an array of 50,000 anonymous data collectors will be summarized each day but rarely used again. The data will be pulled from collectors approximately once an hour. The Dev responsible for the DynamoDB design is concerned about how to design the Partition and Local keys to ensure efficient use of the DynamoDB tables. What advice would you provide? (Choose 2)

Insert a calculated hash in front of the Date/Time value in the partition key to force DynamoDB to hop from partition to partition.

Create a new table each day, and reconfigure the old table for infrequent use after the summation is complete.

You have created a new VPC with the CIDR block of 10.0.0.0/16. You create 2 subnets: 10.0.1.0/24 and 10.0.2.0/24. 10.0.1.0 will be a public subnet, and 10.0.2.0 will be a private subnet. You deploy a NAT instance with the name i-7c1507ab into 10.0.1.0 and assign it a public IP address. You disable your source/destination checks on the NAT. You now need to update your route table to complete the setup. Which of the following is the correct route table listing?

Destination: 0.0.0.0/0 Target: i-7c1507ab

You are designing a network with a bastion host (jump box) for security. Your network admins will SSH in to the bastion host and then on to other EC2 instances in a private subnet. You need your bastion host to be highly available. How should you build this environment?

Create 2 EC2 instances in different subnets. Create a DNS entry in Route53 which uses Round Robin DNS and points to each instance. Tell your SysAdmins to connect using the new DNS entry.

A member of the Operations team has done some analysis and discovered that up to 70% of all SQS messages fail to process correctly when 1st de-queued. Which of the following parameters will you suggest she change?

DelaySeconds (gives more time for processing). Amazon SQS message timers allow you to specify an initial invisibility period for a message that you add to a queue. For example, if you send a message with the DelaySeconds parameter set to 45, the message isn't visible to consumers for the first 45 seconds during which the message stays in the queue. The default value for DelaySeconds is 0.

A member of the Operations team has done some analysis and discovered that at certain times of the day your '$/message processed' cost jumps enormously. Which of the following parameters would you suggest she change?

WaitTimeSeconds (more wait time to save money on unnecessary processing). When it comes to SQS, we have 2 kinds of polling: Long-polling and Short-polling. The update "WaitTimeSeconds" means we set a value of that parameter to 20 to make SQS wait until a message is available in the queue before sending a response; it helps reduce cost because it reduces false empty responses.

You can enable long polling using the AWS Management Console by setting a Receive Message Wait Time to a value greater than 0.

You have an EC2 instance which reports back to CloudWatch every minute its CPU utilization. If the CPU utilization is too high, a CloudWatch alarm will trigger an SNS notification to your sysadmins. Tonight, you plan on running some routine tests which will cause CPU utilization to spike and you need to disable the CloudWatch alarm. How should you do this?

By running the 'mon-disable-alarm-actions' command from the AWS CLI.

You have created a new decoupled application using SQS and EC2. Essentially, a user uploads an image to your Web Tier and this image is stored in S3. A message is then stored on SQS, and the Application tier processes these messages and applies a watermark to the uploaded image. Unfortunately, your application tier goes down for 3 days over a long weekend. When you get back in the office, you resolve the issue and the application tier becomes live again. What will happen to the SQS messages in the Queue? Will these be lost?

No. As the default SQS message retention period is 4 days, the messages will have remained in the queue.

You have created a new VPC with the CIDR block of 10.0.0.0/16. You create a new internet gateway called IGW-55573321 and attach it to your VPC. You now need to create a route out to the newly attached internet gateway. Which of the following is the correct route table listing?

Destination: 0.0.0.0/0 Target: IGW-55573321

You are a SysOps Administrator for an events company that is launching a new TV show tomorrow. You are expecting that traffic to your website tomorrow will be huge. You have created an autoscaling group and have a combination of Reserved and On-demand instances ready. You are about to contact AWS support to ask them to prewarm your ELB in order to meet this demand. Typically, AWS requires 3 pieces of information. Which of the following is information that AWS requires?

The start and end dates of your expected surge in traffic. The expected request rate per second. The total size of the typical request/response that you will be handling. (NOT - The traffic type HTTP or HTTPS).

Which of the following AWS services have automated backups included as a standard part of the service?

RDS, Redshift, ElastiCache (Redis only) (NOT EC2)

Which of the following are use cases for read replicas?

Serving read traffic while the source DB instance is unavailable. If your source DB Instance cannot take I/O requests (e.g. due to I/O suspension for backups or scheduled maintenance), you can direct read traffic to your read replicas.

Scaling beyond the compute or I/O capacity of a single DB Instance for read-heavy database workloads. This excess read traffic can be directed to one or more read replicas.

Business reporting or data warehousing scenarios; you may want business reporting queries to run against a read replica, rather than your primary DB Instance.

(NOT Providing greater redundancy via automatic failovers.)

By default, you have OS-level access to OpsWorks instances.

Your EBS Volume status check shows a status of "impaired". What does this mean?

The volume is stalled or unavailable 

In VPC, an instance retains its private IP.

CloudWatch monitors the following:

CPU Utilisation of an Amazon EC2 instance; Disk usage activity of an EBS volume attached to an Amazon EC2 instance; Disk usage activity of the ephemeral volumes of an Amazon EC2 instance. NOT - Disk full percentage of an Elastic Block Store Volume (a custom metric is required).

By default, EC2 monitoring carried out by CloudWatch monitors CPU, Disk, and Network & Status Checks.

Elastic Map Reduce allows you to access the underlying operating systems of the EMR nodes.

Per the AWS Acceptable Use Policy, penetration testing of EC2 instances ________.

May be performed by the customer against their own instances with prior authorization from AWS.

You can have read replicas of read replicas.

You are running your production database in MySQL on an independent EBS volume and you are fast approaching an average IOPS of 3000. You have decided to migrate your database to an EBS volume with provisioned IOPS. Your key users only use the database between 9 am and 6 pm, so you can afford to have some downtime out of hours, but not during the working day. Which is the best option below to achieve this migration?

Choose a suitable time window for your downtime. Stop the MySQL service. Take a snapshot of the EBS volume where the MySQL database is running. Detach and then delete the old database volume. Restore the snapshot to a new volume running on provisioned IOPS.

You have created a new Auto Scaling group and you discover that your instances are not launching in to it. Which of the following is a possible reason that this might be happening?

The associated Key Pair does not exist. The Auto Scaling config is not working correctly. The security group does not exist. NOT - The instance type specified is not supported for Auto Scaling.

What is evaluated by a System Status Check?

The host

Which of the following pairs of actions can best be used to restrict access to data in S3?

Setting an S3 bucket policy; setting an S3 ACL on the bucket or the object.

You are using ElastiCache to cache your web application. The caching seems to be running more and more slowly, and you want to diagnose the cause of this issue. If you are using Memcached as your caching engine, what parameter should be adjusted if you find that the overhead pool is less than 50MB?

Memcached_Connections_Overhead

You have designed a CloudFormation script to automatically deploy a database server running on EC2 with an attached database volume. This CloudFormation script will run automatically when a predefined event takes place. The database volume must have provisioned IOPS, and cannot have any kind of performance degradation after being deployed. What should you do to achieve this?

Test the CloudFormation script several times, and load-test it to a value matching the anticipated maximum peak load.

What are the two types of Elastic Load Balancer (Classic) sticky sessions?

Duration-based session stickiness and application-controlled session stickiness.

You are about to initiate a load test on your website to ensure it can keep up with seasonal demands. Your website is behind an elastic load balancer and will receive a burst of traffic totalling millions of requests. What should you do to prepare for this?

Contact Amazon and warn them of the test. Ask them to pre-warm the elastic load balancer.

General Purpose Instance Types

T2 instances - intended for workloads that do not use the full CPU often or consistently (baseline is 20% of CPU core); burstable performance, EBS-only storage

M3 instances - provide a balance of compute, memory, and network resources, SSD storage (Instance store)

M4 instances - provide a balance of compute, memory, and network resources; support Enhanced Networking, EBS-optimized

Current Generation instances and HVM virtualization (not PV - paravirtual) are recommended for performance reasons.

What might be the cause of an EC2 instance not launching in an auto-scaling group?

The Availability Zone is no longer supported; Invalid EBS device mapping; The key pair associated with the EC2 instance does not exist.

Your applications in AWS need to authenticate against LDAP credentials that are in your on-premises data center. You need low latency between the AWS app authenticating and your credentials. How can you achieve this?

If you don’t already have a secure tunnel, create a VPN between your on-premises data center and AWS. You can then spin up a secondary LDAP server that replicates from the on-premises LDAP server.

You patch the operating system on an EC2 instance and issue a reboot command from inside the instance’s OS. After disconnecting from the instance and waiting several minutes, you notice that you still cannot successfully ping the instance’s public IP address. What is the most likely reason for this?

Changes made during OS patching caused a problem with the instance’s NIC driver.

In order for reserved instances to reduce the cost of running instances, those instances must match the exact specifications of the reserved instance including: Region, Availability Zone, and instance type.

Explanation: AWS announced late in 2016 that you could now apply a reserved instance to a region in order to get cost benefits across all AZs. Before this announcement, that was not the case. Because they do not update certification exams with every new feature announcement, and the SysOps course is training for the exam, we need to keep the question the way it is until they update it. With that being said, this is no longer true for "Availability Zone."

You manage EC2 instances in two different VPCs and you would like instances in both VPCs to be able to easily communicate with each other. You are considering using VPC peering. Will this work? (Choose Two)

Yes, as long as the VPCs are in the same region. Yes, as long as the VPCs' CIDR blocks don't overlap.

When managing our VPC in an AWS region, we want to give other teams access to create their own instances and modify the security groups inside subnets dedicated to their teams. We have to make sure the development team can NOT do anything in their subnets that could allow their instances to impact production instances in the production subnets. What can we do to separate out our VPC so that instances that the dev team can access can never interfere or interact with the ones within our production?

We can create NACLs that restrict which subnets can talk to each other

You have an Elastic Load Balancer with an Auto Scaling group for your application. You also have 4 running instances and you have Auto Scaling enabled. Some of those instances are running in one Availability Zone, and others are in a different Availability Zone. Some instances within one of the zones are not available to the ELB. What could be the cause?

The ELB isn’t configured for that Availability Zone

A colleague noticed that CloudWatch was reporting that there has not been any connections to one of your MySQL databases for several months. You decided to terminate the database. Two months after the database was terminated, you get a phone call from a very upset user who needs information from that database to run end-of-year reports. You are hopeful that you can restore the database to full functionality from a snapshot, but your database administrator is not quite as confident. Why?

The MySQL database was not using a transactional database engine such as InnoDB and may not restore properly.

You are running a legacy application that has a hardcoded IP address in your application. How might you apply high availability to the instance running that application?

Assign an elastic IP address to the EC2 instance, have a backup instance running. In the event of failure, move the Elastic IP from the primary instance to the backup instance.

In your infrastructure, you are running a corporate application using a T2.Small instance. You are also using a NAT instance so that your private instances can reach out to the internet without being publicly available. What is one thing that we should do to speed up bandwidth and performance?

Increase your T2.Small instance to an M3.Small or M3.Medium. Explanation: Instance size has a direct influence on the amount of data your instance can send and receive. If your AWS environment has many instances using NAT availability, a network bottleneck could occur. Increasing the instance size will increase the available network throughput.

Suppose you configure a VPC with an Internet gateway that has a private and a public subnet, with each subnet in a different Availability Zone. The VPC also has a dual-tunnel VPN between the Virtual Private Gateway and the router in the private data center. You want to make sure that you do not have a potential single point of failure in this design. What could you do to make sure you achieve this?

You set up a secondary router in your private data center to establish another dual-tunnel VPN connection with your Virtual Private Gateway.

What item, when attached to a subnet, will allow the internal subnet to communicate to external networks? (Choose two)

Internet Gateway (IGW), Virtual Private Gateway

You are managing a large magazine application inside of Amazon Web Services. Your company posts an article that gets picked up internationally, causing millions of visitors to hit your application. Such a large increase in traffic causes strain on your DB server, which is dynamically servicing the blog content. How might you quickly resolve this issue and make the blog post infinitely scalable?

Create a static HTML page using S3 and use Route 53 to point the DNS to the static S3 bucket.

What would we need to attach to a Bastion host or NAT host for high availability in the event that the primary host went down and that we needed to send traffic to a secondary host?

Elastic IP Address. Explanation - EIPs can be detached from the primary host and attached to the secondary host.

You have been tasked by your manager to build a tiered storage setup for database backups and their logs. These backups must be archived to a durable solution. After 10 days, the backups can then be archived to a lower priced storage tier. The data, however, must be retained for compliance policies. Which tiered storage solution would help you save cost, and still meet this compliance policy?

Set up an independent EBS volume where we can store daily backups and then copy these files over to S3, where we configure a bucket that has a lifecycle policy to archive files older than 10 days to AWS Glacier

When working with Amazon RDS, by default, AWS is responsible for implementing which two management-related activities?

Installing and periodically patching the database software; If automated backups are enabled, creating and maintaining automated database backups with a point-in-time recovery of up to five minutes.

You can customize your AWS deployments using the Ruby programming language with OpsWorks templates.

You can customize your AWS deployments using JSON templates in CloudFormation.

You are running an EC2 instance serving a website with an SSL certificate. Your CPU utilization is constantly high. How might you resolve this issue?

Offload the SSL cert from the EC2 instance and configure it on the Elastic Load Balancer

If we want to be able to monitor billing and cost metrics, what AWS configuration do we need to enable and use?

Billing Alerts in Account Preferences. Explanation - CloudWatch is used to monitor billing and cost metrics, BUT we are required to enable Billing Alerts in our Account Preferences before being able to create billing alerts with CloudWatch.

What would be a reason you would upgrade to Direct Connect instead of a traditional VPN connection?

You gain higher bandwidth and consistent network connectivity

Instance A and instance B are running in two different subnets, A and B, of a VPC. Instance A is not able to ping instance B. What are two possible reasons for this?

The security group attached to instance B does not allow inbound ICMP traffic; The NACL on subnet B does not allow outbound ICMP traffic.

Explanation - Every route table contains a local route that enables communication within a VPC. This route cannot be modified or deleted, so that eliminates the routing issue. "The NACL on subnet B does not allow outbound ICMP traffic" is one of the correct answers because NACL is stateless - return traffic has to be explicitly allowed by rules. Because we are not allowing outbound ICMP traffic, the ping from instance A never gets a response.

Which of the following CloudWatch metrics require a custom monitoring script to populate the metric?

Swap usage; available disk space. (Memory, swap and disk-space figures are operating-system level values that the hypervisor cannot see, so they must be published as custom metrics.)

A deny overrides an allow in which circumstances?

An explicit allow is set in an IAM policy governing S3 access and an explicit deny is set on an S3 bucket via an S3 bucket policy.

If Multi-AZ is enabled and automated backups occur on your instance, your application will experience performance issues due to the increased I/O operations caused by the automated backup.

False. Explanation: in a Multi-AZ deployment, automated backups and snapshots are taken from the standby instance instead of the primary database instance, so the primary does not suffer the I/O suspension that a single-AZ instance briefly experiences during a backup.

You run a stateless web application with the following components: an Elastic Load Balancer, three Web/Application servers on EC2, and a MySQL RDS database with 5000 Provisioned IOPS. Average response time for users is increasing. Looking at CloudWatch, you observe 95% CPU usage on the Web/Application servers and 20% CPU usage on the database. The average number of database disk operations varies between 2000 and 2500. How would you improve performance? (Choose Two)

Choose a different EC2 instance type for the Web/Application servers with a more appropriate CPU/Memory ratio

Use Auto Scaling to add additional Web/Application servers based on CPU load threshold

In a Network ACL an explicit Deny always overrides an explicit Allow.

False. Explanation: NACL rules are evaluated in order of rule number, lowest first. As soon as a matching rule is found it is applied, even if a higher-numbered rule contradicts it. Whether a deny wins therefore depends only on its rule number relative to the allow, not on it being a deny.

You have decided to extend your on-site data center to Amazon Web Services by creating a VPC. You already have multiple DNS servers on-premises. You are using these DNS servers to host DNS records for your internal applications. You have a corporate security network policy that says that a DNS name for an internal application can only be resolved internally and never publicly over the internet. Your existing on-premises data center is already connected to your VPC using an IPSec VPN. You are deploying new applications within AWS that need to resolve these new applications by name. How might you set up a scalable DNS architecture?

Create a DHCP options set for the VPC whose domain-name-servers option lists both AmazonProvidedDNS and the addresses of your internal DNS servers, so instances can resolve AWS names and internal names without exposing the internal zone publicly.

You manage a popular blog website on EC2 instances in an Auto Scaling group. You notice that between 8:00 am and 8:00 pm, you see a 50% increase in traffic to your website. In addition, there are occasional random 1 to 2-hour spikes in traffic and some users are seeing timeouts when trying to load the index page during those spikes. What is the least cost-effective way to manage this Auto Scaling group?

Use reserved instances for the instances needed to handle the load during traffic spikes

Explanation - Reserved instances become cost-effective when they are in use for greater than 30% of the time. Using reserved instances to handle the brief spikes in traffic would not be cost effective.

Your supervisor is concerned about losing read access to your RDS database in the unlikely event of an AWS regional failure. You design a plan to create a read replica of the database in another region, but your supervisor sees a problem with this plan. What problem does he see?

Your database is using PostgreSQL, which does not support cross-region replication. Explanation: PostgreSQL on RDS has supported cross-region read replicas since June 2016, but keep in mind that the exam probably won't be updated for a while.

Which of the following metrics do not get automatically reported to Amazon CloudWatch from Amazon EC2? (Choose 3)

The amount of memory being used; the amount of swap space used; how much disk space is available. (Network packets received on all network interfaces DOES get automatically reported to CloudWatch.)

You currently have Nginx webservers on EC2 instances which receive requests from your ELB. Those Nginx webservers return results from your PHP application. This application connects to an RDS database instance to read and write data. However, a few months ago, you realized that ElastiCache with the Redis caching engine could reduce the load on your RDS database by caching some of the popular data. Fast-forward to today, and your ElastiCache Redis cluster is under a lot of load and needs to scale. Which of these is the best way to scale your cluster?

If the load is read-heavy, scale by adding read replicas to your cache cluster. If the load is write-heavy, scale vertically by increasing the node size.

Explanation: with cluster mode disabled, the Redis engine in ElastiCache keeps the whole dataset on a single primary node (unlike Memcached, data is not partitioned across nodes), so write-heavy workloads cannot be scaled horizontally and all of the data needs to fit on the primary. Read replicas can be added to scale read-heavy workloads. (Redis with cluster mode enabled shards the keyspace across several primaries, which does allow horizontal write scaling.)


Which of these are true when it comes to the differences between EBS-backed storage and SSD-backed instance store?

SSD-backed instance store is usually faster because it is physically attached to the host computer, while EBS volumes transfer data over the network, which adds latency. SSD-backed instance store is ephemeral, while EBS-backed storage is persistent.

You've been tasked with optimizing costs in your company's AWS environment. After logging in, you discover that there are 3 unused Elastic IP addresses, 6 RDS instances that have not had a DB connection for over 7 days, 5 instances that are running at an average CPU utilization of less than 5%, and one EC2 instance running at 80% utilization. Your company has not purchased any reserved instances but is highly concerned about AWS costs. As a SysOps administrator you know that you can easily help reduce costs and make the company happy again. Select all of the statements below that describe what you might do in order to optimize costs quickly.

Remove all unassociated Elastic IP addresses, and take snapshots of all unused EBS volumes before deleting the volumes.

Reduce the instance size for underutilized instances, or consolidate them and terminate the unused ones.

Take a snapshot of the RDS instances that have had 0 DB connections for 7 days and terminate those RDS instances.

Not correct: purchase a reserved instance based on the utilization of the heavily underutilized instance.

Explanation: cost optimization includes terminating or stopping unused resources (such as idle Elastic Load Balancers that do not have any backing instances), removing unassociated Elastic IP addresses, resizing instances, and purchasing reserved instances for sustained, predictable load (the 80% instance, not the idle ones).

One of your instances is not responding. After investigation you see that the instance system status checks indicates a problem. What would be the best method for attempting to fix a failing system status check?

Stop and then start the instance so it can be launched on a new host. (A reboot keeps the instance on the same host; a stop/start moves it. Note that instance-store data is lost and the public IPv4 address changes unless it is an Elastic IP.)

In order to monitor operating system-level metrics such as disk usage, swap usage, and memory usage, you must install EC2 monitoring scripts. These scripts put custom metric data into Amazon CloudWatch. What do you need to do in order to give the instance permissions to put those custom metrics in CloudWatch?

Assign an IAM role (instance profile) to the EC2 instance which will be sending custom metrics to CloudWatch, granting it cloudwatch:PutMetricData, rather than storing access keys on the instance.
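Added example, not part of the original notes: a minimal monitoring script of the kind described above. It parses a constructed /proc/meminfo sample, computes memory and swap utilization, builds the PutMetricData call, and shows the single-action IAM policy that the instance role needs. The namespace System/Linux, the dimension name, the instance ID and the definition of "used" memory (MemTotal minus MemAvailable) are assumptions for the example.

```python
"""Added example (not from the original notes): publish OS-level memory metrics
to CloudWatch from an EC2 instance that carries an IAM role."""
import json
from typing import Dict

# Constructed /proc/meminfo sample, as a monitoring script would read it.
SAMPLE_MEMINFO = """MemTotal:        4000000 kB
MemFree:          150000 kB
MemAvailable:    3000000 kB
Buffers:          100000 kB
Cached:          2500000 kB
SwapTotal:       1000000 kB
SwapFree:         900000 kB
"""

# The only permission the instance role needs for this job (assumed policy):
# least privilege means no cloudwatch:* and no long-lived keys baked into the AMI.
ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow",
                   "Action": "cloudwatch:PutMetricData",
                   "Resource": "*"}],
}


def parse_meminfo(text: str) -> Dict[str, int]:
    """Return the kB values keyed by field name ('MemTotal', 'SwapFree', ...)."""
    values = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        key, rest = line.split(":", 1)
        values[key.strip()] = int(rest.split()[0])
    return values


def memory_metrics(meminfo: Dict[str, int]) -> Dict[str, float]:
    """Utilization percentages; 'used' memory is MemTotal - MemAvailable (assumption)."""
    total, avail = meminfo["MemTotal"], meminfo["MemAvailable"]
    swap_total, swap_free = meminfo["SwapTotal"], meminfo["SwapFree"]
    swap_pct = round(100.0 * (swap_total - swap_free) / swap_total, 2) if swap_total else 0.0
    return {
        "MemoryUtilization": round(100.0 * (total - avail) / total, 2),
        "SwapUtilization": swap_pct,
    }


def put_metric_request(instance_id: str, metrics: Dict[str, float],
                       namespace: str = "System/Linux") -> dict:
    """Build the keyword arguments for a boto3 put_metric_data call."""
    return {
        "Namespace": namespace,
        "MetricData": [
            {"MetricName": name, "Value": value, "Unit": "Percent",
             "Dimensions": [{"Name": "InstanceId", "Value": instance_id}]}
            for name, value in sorted(metrics.items())
        ],
    }


if __name__ == "__main__":
    request = put_metric_request("i-0123456789abcdef0",
                                 memory_metrics(parse_meminfo(SAMPLE_MEMINFO)))
    print(json.dumps(request, indent=2))
    # On a real instance: read /proc/meminfo instead of the sample, then let boto3
    # pick up the role's temporary credentials from the instance metadata service.
    # No access keys appear anywhere in the script:
    #   import boto3
    #   boto3.client("cloudwatch", region_name="us-east-1").put_metric_data(**request)
```

The role's temporary credentials are rotated by AWS and scoped to the one action above, which is the reason to prefer an instance role over copying an IAM user's keys onto the host.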

Your organization is running an application on EC2 instances which transfers large amounts of data to their respective EBS volumes. You've noticed that the data being transferred from some instances is exceeding bandwidth capacity which is causing performance issues. Which of these solutions would help the most?

Change the instance size and type. Bandwidth capacity is dependent upon the instance size and the instance type. 

Change to an EBS-optimized instance type and enable EBS Optimization if it is not already enabled.

What is the best practice to set up and implement a Bastion host in a VPC?

Create the instance in your public subnet and assign it a public IP address. Then use ssh-agent forwarding or the OpenSSH ProxyCommand option to connect through it to your private instances.

Explanation: the Bastion host needs to be in your public subnet; otherwise you won't be able to assign it a public IP address, connect to it, and from there reach the rest of your infrastructure hidden in private subnets. Using ssh-agent forwarding or ProxyCommand (ProxyJump, or ssh -J, on newer OpenSSH) is recommended over uploading the PEM private key to the bastion, because if someone gets access to the bastion they would then hold the key to your whole infrastructure. With the recommended methods the private key never leaves your workstation. Of the two, ProxyCommand is the safer choice: a forwarded agent socket can be used by anyone with root on the bastion for as long as your session is open.

What error code does the Elastic Load Balancer return if it does not have enough resources to handle large spikes in traffic?

HTTP 503

You see an increased load on an EC2 instance that is used as a web server. You decide to place the server behind an ELB and deploy an additional instance to help meet this increased demand. You deploy the ELB, configure it to listen for traffic on port 80, bring up a second EC2 instance, move both instances behind the LB, and provide customers with the ELB's URL. You begin receiving complaints that customers cannot connect to the web app via the ELB's URL. Why?

You specified https:// in the ELB's URL but the ELB is not configured to listen on port 443


Your supervisor sends you a list of several processes in your AWS environment that she would like you to automate via scripts. Which of the following list items should you set as the highest priority?

Implement CloudWatch alerts for EC2 instances' memory usage

We are preparing for our regularly scheduled security assessment. What 2 configuration management practices should our org have implemented?

Verify that our remote administrative access is performed securely; make sure that S3 bucket policies and ACLs correctly implement our security policies.

Your infrastructure does not have an IGW attached to any of the subnets. What might you do in order to SSH into your EC2 instances?

Create a VPN connection to the VPC (through a virtual private gateway) and SSH to the instances over it using their private IP addresses.

You notice that several of your AWS environment's CloudWatch metrics consistently have a value of zero. What of these are you must likely to be concerned about and take action on?

RDS DatabaseConnections: zero connections to a DB for a long time may mean you are paying for a DB that is not in use.


You want to run a web app in which app servers on EC2 instances are in an Auto Scaling group spread across two AZs. After monitoring for 6 months, we notice that only one of our web servers is needed to handle our minimum load. During our core utilization hours, 5-6 web servers are needed to handle the load. 4-5 days a year, the number of web servers required can go up to 18 servers. What choice would reduce our costs the most while providing the highest availability?

Five Reserved Instances (heavy utilization), with the rest covered by On-Demand instances. (The different levels of RI utilization, heavy, medium and light, have since been phased out.)

You manage a social media website on EC2 instances in an Auto Scaling group. You have configured your Auto Scaling group to deploy one new EC2 instance when CPU utilization is greater than 90% for 3 consecutive periods of 10 minutes. You notice that between 6-10pm every night, you see a gradual increase in traffic to your website. Although Auto Scaling launches several new instances every night, some users complain they are seeing timeouts when trying to load the index page during those hours. What is the LEAST cost-effective way to resolve this problem?

Increase the min number of instances in the Auto Scaling group.

You have enabled a CloudWatch metric on your Redis ElastiCache cluster. Your alarm is triggered due to an increased amount of evictions. How might you go about solving the increased eviction errors from the ElastiCache cluster?

Increase the size of your node

Which of the following is a security best practice for an AWS environment?

Enable MFA on the root user for your AWS account and use IAM users rather than the root user for administrative tasks.

Explanation: automated tasks do not use MFA; the default VPC is built for ease of use and not for security; IAM user credentials should not be stored on AMIs; EC2 instances that need permission to perform actions on AWS resources should use IAM roles.

Your supervisor is concerned about losing read access to your RDS DB in the unlikely event of an AWS regional failure. You design a plan to create a read replica of the DB in another region, but your supervisor sees a problem with this plan. What does she see?

Your DB is using PostgreSQL, which does not support cross-region replication.

Explanation: PostgreSQL on RDS has supported cross-region read replicas since June 2016; the exam's expected answer assumes cross-region read replicas are supported only when using MySQL 5.6. You cannot use synchronous replication between the two regions: latency is an important metric, but read replicas use asynchronous replication regardless. You cannot VPC peer between VPCs in different regions (inter-region peering was introduced in late 2017), and replication does not require VPC peering anyway.

What item, when attached to a subnet, will allow the internal subnet to communicate to external networks?

IGW; Virtual Private Gateway. (Both are attached to the VPC and reached from a subnet through a route in that subnet's route table.)

Your company's compliance department mandates that within your multi-national org, all data for customers in the UK must never leave UK servers and networks. US data must never leave US servers and networks. What do we have to do to comply with this requirement in our web based apps running on AWS in EC2? The user has already set up a user profile that states their geographic location.

We can run EC2 instances in multiple regions and leverage a third-party data provider to determine whether a user should be redirected to the appropriate region based on that user's profile.

You have an ELB with an Auto Scaling group for your app. You also have 4 running instances and you have Auto Scaling enabled. Some of those instances are running in one AZ, and others are in a different AZ. Some instances within one of the zones are not available to the ELB. What could be the cause?

The ELB isn't configured for that AZ

Which of the following can be overridden at the EC2 instance level?

The choice to not use dedicated tenancy at the VPC level; an IAM policy explicitly allowing a user the right to terminate all EC2 instances.

Explanation: if the option to use dedicated tenancy is explicitly set at the VPC level, it cannot be overridden at the instance level. Explicit denies in IAM policies always trump explicit allows, so a user who is allowed to terminate all EC2 instances in an account can be denied permission to terminate a particular instance.

You notice that several of your AWS environments's CloudWatch metrics are hovering near a value of 100. Which of these are you least concerned about?

ElastiCache CurrConnections. Explanation: a high number of connections is not necessarily a bad thing if there are adequate resources to service those connections. 100% usage of resources for the other options typically means they are strained under a heavy load. A high SpilloverCount for an ELB is bad, as you do not want requests to be rejected.

Which of the following will causes a noticeable performance impact on a RDS Multi-AZ deployment?

None

You have been tasked with identifying an appropriate storage solution for a NoSQL db that requires random I/O reads of greater than 10,000 4KB IOPS. Which option will meet this requirement?

EBS Provisioned IOPS volumes; EBS-optimized instances.


You configure a VPC with an IGW that has a private and a public subnet, with each subnet in a different AZ. The VPC also has a dual-tunnel VPN between the VPG and the router in the private data center. You want to make sure that you do not have a potential single point of failure in this design. What could you do?

Set up a secondary router in your private data center to establish another dual-tunnel VPN connection with your VPG.

Which of the following can be overridden at the EC2 instance level?

The choice to not use dedicated tenancy at the VPC level; an IAM policy explicitly allowing a user the right to terminate all EC2 instances.

Explanation: the default option for a VPC is to not use dedicated tenancy, but that can be overridden at the instance level. If the option to use dedicated tenancy is explicitly set at the VPC level, however, it cannot be overridden at the instance level. Explicit denies in IAM policies always trump explicit allows, so a user who is allowed to terminate all EC2 instances in an account can be denied the permission to terminate a particular instance.

We have terminated an instance which had a root EBS volume attached to it. What do we do now if we need to access the important data that was on this volume, given that we created this instance with the default storage options?

If we did not first take a snapshot of the EBS volume, we will not be able to access the data after the instance termination, because the volume was deleted.

Explanation: by default, EBS root volumes are created with Delete on Termination set, so they are deleted when the instance terminates. When launching an EC2 instance we have the option to clear the Delete on Termination setting for the root volume. We should also create snapshots of the EBS volume from which the data can be restored.

Your RDS db is experiencing high levels of read requests during the business day and performance is slowing down. You have already verified that the source of the congestion is not from backups taking place during the business day, as automatic backups are NOT enabled. Which of the following is the first step you can take toward resolving the issue?

Enable automated backups of the DB. Explanation: a Read Replica of the DB cannot be created until automated backups are enabled (backup retention period greater than 0).

Bucket policies: an explicit DENY overrides an ALLOW. If a user is allowed, but everyone is denied afterward, then the net result is deny for all. In a Network ACL, an explicit Deny does NOT always override an explicit Allow.

Explanation: NACL rules are evaluated in order of rule number, and the first matching rule wins.
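Added example, not part of the original notes, illustrating the "Deny overrides Allow" rule that several of the questions above turn on: an IAM identity policy that allows a user to read and write a bucket, combined with a bucket policy that denies writes under one prefix. The evaluator below applies the IAM decision order (explicit deny, then allow, then implicit deny) to both policies together, as happens for a principal in the same account as the bucket. The bucket name, ARNs and policies are constructed for the example; conditions and NotAction/NotResource are deliberately left out.

```python
"""Added example (not from the original notes): why an explicit Deny in a bucket
policy overrides an Allow in the caller's IAM policy."""
from fnmatch import fnmatchcase
from typing import Iterable


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value: str) -> bool:
    # IAM wildcards are '*' (any run) and '?' (one character); fnmatch covers both.
    return any(fnmatchcase(value, p) for p in _as_list(patterns))


def decide(policies: Iterable[dict], action: str, resource: str) -> str:
    """Apply the IAM evaluation order to every statement that applies to the request.

    For a principal in the same account as the bucket, the identity policy and the
    bucket policy are evaluated together:
      1. any applicable explicit Deny wins,
      2. otherwise any applicable Allow grants access,
      3. otherwise the request is implicitly denied.
    Conditions and NotAction/NotResource are omitted to keep the example short.
    """
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if not _matches(stmt["Action"], action):
                continue
            if not _matches(stmt["Resource"], resource):
                continue
            if stmt["Effect"] == "Deny":
                return "explicit deny"   # step 1: nothing can override this
            allowed = True
    return "allow" if allowed else "implicit deny"


# Constructed policies (hypothetical bucket name and ARNs).
IDENTITY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-backups",
                     "arn:aws:s3:::example-backups/*"],
    }],
}

# The bucket policy denies writes into the archived prefix for everyone ("*"),
# which overrides the user's Allow for exactly that prefix and nothing else.
BUCKET_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:PutObject",
        "Resource": "arn:aws:s3:::example-backups/archive/*",
    }],
}

if __name__ == "__main__":
    for action, key in [("s3:GetObject", "archive/2017-11-01.dump"),
                        ("s3:PutObject", "daily/2017-11-08.dump"),
                        ("s3:PutObject", "archive/2017-11-01.dump"),
                        ("s3:DeleteObject", "daily/2017-11-08.dump")]:
        arn = f"arn:aws:s3:::example-backups/{key}"
        print(f"{action:16s} {key:26s} -> "
              f"{decide([IDENTITY_POLICY, BUCKET_POLICY], action, arn)}")
```

The order in which the two policies are passed does not matter: a Deny wins wherever it sits, and an action nobody mentions (DeleteObject here) falls through to the implicit deny. This is the opposite of a NACL, where ordering is everything.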



What would we need to attach to a Bastion host or NAT host for high availability in the event that the primary host (Bastion or NAT) went down and we needed to send traffic to a secondary host?

Elastic IP Address

Assuming you have kept the default settings and are using the automated backup services provided by AWS, which of the following will retain automated backups?

None. Automated backups of RDS DBs are deleted when the RDS instance is terminated; only manual snapshots of an RDS DB remain after the instance is terminated (the final snapshot RDS offers to take at deletion counts as a manual snapshot and survives). The same goes for EBS volumes: AWS does not offer an automated backup solution for volumes attached to EC2 instances, so snapshots have to be taken manually.

Your company has decided to deploy a Pilot Light AWS environment to keep minimal resources in AWS with the intention of rapidly expanding the environment in the event of a disaster in your on-premises datacenter. Which of the following services will you likely not make use of?

Gateway-Cached implementation of Storage Gateway for storing snapshot copies of on-premises data.

Explanation: Gateway-Cached stores all of your data in AWS and caches your frequently accessed data on premises. A Gateway-Stored implementation of Storage Gateway would be preferred for a Pilot Light scenario: it retains your data on premises but takes snapshot copies of the data to AWS.


When managing our VPC in an AWS region, we want to give other teams access to create their own instances and modify the security groups inside subnets dedicated to their teams. We have to make sure the dev team CANNOT do anything in their subnets that could allow their instances to impact production instances in the production subnets. What can be done?

We can create NACLs that restrict which subnets can talk to each other

Which one of the below setups would need a custom CloudWatch metric in order to be able to monitor it?

Disk usage percentage of an EBS volume




You manage EC2 instances in 2 different VPCs and you would like instances in both VPCs to be able to easily communicate with each other. You are considering using VPC peering. Will this work?

Yes, as long as the VPCs are in the same region (the rule at the time of these notes; inter-region VPC peering was introduced in late 2017) and the VPCs' CIDR blocks do not overlap.

You run a stateless web app with the following components: ELB, 3 web servers on EC2, MySQL RDS with 5000 Provisioned IOPS. Average response time for users is increasing. Looking at CloudWatch, you observe 95% CPU usage on the web servers and 20 % CPU usage on the db. The avg number of database disk operations varies between 2000-2500. How would you improve performance?

Choose a different EC2 instance type for the web servers with a more appropriate CPU/memory ratio

Use Auto Scaling to add additional web servers based on CPU load threshold


Which of the following could be a procedure for disaster recovery as it relates to RDS?

Create a read replica in a different region. In the event of a failover, promote the read replica as the primary and change the DNS for your application to point to the new primary and then enable Multi AZ.

Your RDS instance is consistently maxed out on its resource utilization. What are multiple ways to solve this issue? (Choose three)

Put an ElastiCache cluster in front of your RDS instance; increase the RDS instance size; offload read-only activity to a read replica if the application is read-intensive.

Rule 100 in a NACL associated with subnets A and B denies HTTP traffic from 0.0.0.0/0. Rule 105 in the same NACL allows HTTP traffic from 0.0.0.0/0. EC2 instances in subnet A are associated with a security group that allows HTTP traffic from 192.168.0.0/24. EC2 instances in subnet B are associated with a security group that denies HTTP traffic from 128.168.0.0/24. Which of the following statements are true?

HTTP traffic from the internet will be denied to EC2 instances in both subnets due to the NACL rules.

Explanation: NACL rules are evaluated in order from the lowest rule number to the highest, and evaluation stops at the first match. Rule 100 matches and denies, so rule 105 is never evaluated, and the traffic is dropped at the subnet boundary for both subnets before any security group is consulted. The security groups are irrelevant here (and note that a security group cannot contain a deny rule at all; it can only omit an allow).
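Added example, not part of the original notes: a small evaluator that applies the two NACL properties the questions above rely on, first-match-by-rule-number (this question and the "Deny does not always override Allow" question) and statelessness (the ping from subnet A to subnet B). The rule sets, CIDRs and addresses are constructed for the example; the implicit trailing "*" rule that denies anything unmatched is modelled by the default return value.

```python
"""Added example (not from the original notes): first-match, stateless
evaluation of network ACL rules."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class NaclRule:
    number: int                # rule number: lower numbers are evaluated first
    protocol: str              # "tcp", "udp", "icmp" or "all"
    cidr: str                  # source CIDR (inbound) or destination CIDR (outbound)
    port_from: Optional[int]   # None for port-less protocols (icmp) or for "all traffic"
    port_to: Optional[int]
    action: str                # "allow" or "deny"

    def matches(self, protocol: str, address: str, port: Optional[int]) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if ipaddress.ip_address(address) not in ipaddress.ip_network(self.cidr):
            return False
        if self.port_from is None or port is None:
            return True
        return self.port_from <= port <= self.port_to


def evaluate(rules: Iterable[NaclRule], protocol: str, address: str,
             port: Optional[int] = None) -> str:
    """Return the action of the lowest-numbered matching rule.

    Unlike IAM, a later Allow never overrides an earlier Deny (or vice versa):
    evaluation stops at the first match. If nothing matches, the implicit '*'
    rule at the end of every NACL denies the traffic.
    """
    for rule in sorted(rules, key=lambda r: r.number):
        if rule.matches(protocol, address, port):
            return rule.action
    return "deny"


def exchange(inbound: Iterable[NaclRule], outbound: Iterable[NaclRule],
             protocol: str, peer_ip: str, peer_port: Optional[int],
             local_port: Optional[int]) -> dict:
    """NACLs are stateless: the request and the reply are checked separately.

    The request is matched against the inbound rules (source = peer, destination
    port = local_port); the reply is matched against the outbound rules
    (destination = peer, destination port = peer_port, i.e. the client's
    ephemeral port for TCP/UDP).
    """
    return {
        "request": evaluate(inbound, protocol, peer_ip, local_port),
        "reply": evaluate(outbound, protocol, peer_ip, peer_port),
    }


# Constructed rule sets (hypothetical values).
# Scenario 1: rule 100 denies HTTP from anywhere, rule 105 allows it.
INBOUND_WEB = [
    NaclRule(100, "tcp", "0.0.0.0/0", 80, 80, "deny"),
    NaclRule(105, "tcp", "0.0.0.0/0", 80, 80, "allow"),
]
# The same two rules with their numbers swapped, so the allow is hit first.
INBOUND_WEB_SWAPPED = [
    NaclRule(100, "tcp", "0.0.0.0/0", 80, 80, "allow"),
    NaclRule(105, "tcp", "0.0.0.0/0", 80, 80, "deny"),
]
# Scenario 2: subnet B admits everything from the VPC (10.0.0.0/16) but only
# lets TCP out, so ICMP echo replies to a ping from subnet A are dropped.
SUBNET_B_INBOUND = [NaclRule(100, "all", "10.0.0.0/16", None, None, "allow")]
SUBNET_B_OUTBOUND = [NaclRule(100, "tcp", "10.0.0.0/16", 0, 65535, "allow")]
SUBNET_B_OUTBOUND_FIXED = SUBNET_B_OUTBOUND + [
    NaclRule(110, "icmp", "10.0.0.0/16", None, None, "allow"),
]


if __name__ == "__main__":
    print("HTTP from internet, deny at 100 / allow at 105:",
          evaluate(INBOUND_WEB, "tcp", "203.0.113.7", 80))
    print("same rules, numbers swapped:",
          evaluate(INBOUND_WEB_SWAPPED, "tcp", "203.0.113.7", 80))
    print("ping 10.0.1.10 (subnet A) -> subnet B:",
          exchange(SUBNET_B_INBOUND, SUBNET_B_OUTBOUND, "icmp", "10.0.1.10", None, None))
    print("after adding outbound ICMP:",
          exchange(SUBNET_B_INBOUND, SUBNET_B_OUTBOUND_FIXED, "icmp", "10.0.1.10", None, None))
```

The statelessness check is also the usual reason a web server "works from the security group but not from the NACL": the outbound rules must allow the ephemeral port range (1024-65535) back to the client, not just port 80 inbound.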

You manage a technology blog website on EC2 instances in an Auto Scaling group behind an Elastic Load Balancer. Traffic volume to the site is consistently low, except during several weeks of the year when major technology conferences are occurring, when traffic increases 300 percent. What is the least advisable way to manage this environment?

Upgrade the reserved instances that handle the typical load for the website to larger reserved instances during technology conference weeks.

Explanation: upgrading the size of reserved instances means you incur a cost to reserve resources for the entire period of the reservation, which at a minimum of one year is much more commitment than is needed for a few week-long conferences. It's better to keep the reserved instances sized properly to handle the typical load and use on-demand instances to handle the spikes.


Your applications in AWS need to authenticate against LDAP credentials that are in your on-premises data center. You need low latency between the AWS app authenticating and your credentials. How can you achieve this?

If you don’t already have a secure tunnel, create a VPN between your on-premises data center and AWS. You can then spin up a secondary LDAP server that replicates from the on-premises LDAP server.

Your EC2 instance has a system status check error with an error message of loss of network connectivity. What is the best way to attempt to resolve the EC2 instance status check error? (Choose two)

Attempt to move the instance to a different physical host by stopping and starting it.

Terminate the instance and build a new one.