Amazon AWS-Certified-Solutions-Architect-Professional Dumps Questions 2021

NEW QUESTION 1
Which of the following statements is correct about AWS Direct Connect?

• A. Connections to AWS Direct Connect require double clad fiber for 1 gigabit Ethernet with Auto Negotiation enabled for the port.
• B. An AWS Direct Connect location provides access to Amazon Web Services in the region it is associated with.
• C. AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 50 gigabit Ethernet cable.
• D. To use AWS Direct Connect, your network must be colocated with a new AWS Direct Connect locatio

Answer: B

Explanation: AWS Direct Connect links your internal network to an AWS Direct Connect location over a standard 1 gigabit or 10 gigabit Ethernet fiber-optic cable. An AWS Direct Connect location provides access to Amazon Web Services in the region it is associated with, as well as access to other US regions. To use AWS Direct Connect, your network is colocated with an existing AWS Direct Connect location. Connections to AWS Direct Connect require single mode fiber, 1000BASE-LX (1310nm) for 1 gigabit Ethernet, or 10GBASE-LR (1310nm) for 10 gigabit Ethernet. Auto Negotiation for the port must be disabled.
Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/WeIcome.htmI

NEW QUESTION 2
You have subscribed to the AWS Business and Enterprise support plan. Your business has a backlog of problems, and you need about 20 of your IAM users to open technical support cases. How many users can open technical support cases under the AWS Business and Enterprise support plan?

• A. 5 users
• B. 10 users
• C. Unlimited
• D. 1 user

Answer: C

Explanation: In the context of AWS support, the Business and Enterprise support plans allow an unlimited number of users to open technical support cases (supported by AWS Identity and Access Management (IAM)). Reference: https://aws.amazon.com/premiumsupport/faqs/

NEW QUESTION 3
AWS Direct Connect itself has NO specific resources for you to control access to. Therefore, there are no AWS Direct Connect Amazon Resource Names (ARNs) for you to use in an Identity and Access Nlanagement (IAM) policy. With that in mind, how is it possible to write a policy to control access to AWS Direct Connect actions?

• A. You can leave the resource name field blank.
• B. You can choose the name of the AWS Direct Connection as the resource.
• C. You can use an asterisk (*) as the resource.
• D. You can create a name for the resourc

Answer: C

Explanation: AWS Direct Connect itself has no specific resources for you to control access to. Therefore, there are no AWS Direct Connect ARNs for you to use in an IAM policy. You use an asterisk (*) as the resource when writing a policy to control access to AWS Direct Connect actions.
Reference: http://docs.aws.amazon.com/directconnect/latest/UserGuide/using_iam.htmI

NEW QUESTION 4
Your firm has uploaded a large amount of aerial image data to S3 In the past, in your on-premises environment, you used a dedicated group of servers to oaten process this data and used Rabbit MQ - An open source messaging system to get job information to the servers. Once processed the data would go to tape and be shipped offsite. Your manager told you to stay with the current design, and leverage AWS archival storage and messaging services to minimize cost. Which is correct?

• A. Use SQS for passing job messages use Cloud Watch alarms to terminate EC2 worker instances when they become idl
• B. Once data is processed, change the storage class of the S3 objects to Reduced Redundancy Storage.
• C. Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SOS Once data is processed,
• D. Change the storage class of the S3 objects to Reduced Redundancy Storag
• E. Setup Auto-Scaled workers triggered by queue depth that use spot instances to process messages in SOS Once data is processed, change the storage class of the S3 objects to Glacier.
• F. Use SNS to pass job messages use Cloud Watch alarms to terminate spot worker instances when they become idl
• G. Once data is processed, change the storage class of the S3 object to Glacier.

Answer: D

NEW QUESTION 5
A user has configured EBS volume with PIOPS. The user is not experiencing the optimal throughput. Which of the following could not be factor affecting I/O performance of that EBS volume?

• A. EBS bandwidth of dedicated instance exceeding the PIOPS
• B. EBS volume size
• C. EC2 bandwidth
• D. Instance type is not EBS optimized

Answer: B

Explanation: If the user is not experiencing the expected IOPS or throughput that is provisioned, ensure that the EC2 bandwidth is not the limiting factor, the instance is EBS-optimized (or include 10 Gigabit network connectMty) and the instance type EBS dedicated bandwidth exceeds the IOPS more than he has provisioned.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ebs-io-characteristics.html

NEW QUESTION 6
In the context of policies and permissions in AWS IAM, the Condition element is .

• A. crucial while writing the IAM policies
• B. an optional element
• C. always set to null
• D. a mandatory element

Answer: B

Explanation: The Condition element (or Condition block) lets you specify conditions for when a policy is in effect. The Condition element is optional.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPoIicyLanguage_EIementDescriptions.html

NEW QUESTION 7
Which of the following statements is correct about the number of security groups and rules applicable for an EC2-Classic instance and an EC2-VPC network interface?

• A. In EC2-Classic, you can associate an instance with up to 5 security groups and add up to 50 rules to a security grou
• B. In EC2-VPC, you can associate a network interface with up to 500 security groups and add up to 100 rules to a security group.
• C. In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 50 rules to a security grou
• D. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 100 rules to a security group.
• E. In EC2-Classic, you can associate an instance with up to 5 security groups and add up to 100 rules to a security grou
• F. In EC2-VPC, you can associate a network interface with up to 500 security groups and add up to 50 rules to a security group.
• G. In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security grou
• H. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 50 rules to a security group.

Answer: D

Explanation: A security group acts as a virtual firewall that controls the traffic for one or more instances. When you launch an instance, you associate one or more security groups with the instance. You add rules to each security group that allow traffic to or from its associated instances. If you're using EC2-Classic, you must use security groups created specifically for EC2-Classic. In EC2-Classic, you can associate an instance with up to 500 security groups and add up to 100 rules to a security group. If you're using EC2-VPC, you must use security groups created specifically for your VPC. In EC2-VPC, you can associate a network interface with up to 5 security groups and add up to 50 rules to a security group.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-network-security.html

NEW QUESTION 8
Which of the following are characteristics of Amazon VPC subnets? Choose 2 answers

• A. Each subnet spans at least 2 Availability Zones to provide a high-availability environment.
• B. Each subnet maps to a single Availability Zone.
• C. CIDR block mask of /25 is the smallest range supported.
• D. By default, all subnets can route between each other, whether they are private or public.
• E. Instances in a private subnet can communicate with the Internet only if they have an Elastic I

Answer: AE

NEW QUESTION 9
Mike is appointed as Cloud Consultant in ExamKi|Ier.com. ExamKiI|er has the following VPCs set-up in the US East Region:
A VPC with CIDR block 10.10.0.0/16, a subnet in that VPC with CIDR block 10.10.1.0/24 A VPC with CIDR block 10.40.0.0/16, a subnet in that VPC with CIDR block 10.40.1.0/24
ExamKiIIer.com is trying to establish network connection between two subnets, a subnet with CIDR block 10.10.1.0/24 and another subnet with CIDR block 10.40.1.0/24. Which one of the following solutions should lV|ike recommend to ExamKiI|er.com?

• A. Create 2 Virtual Private Gateways and configure one with each VPC.
• B. Create 2 Internet Gateways, and attach one to each VPC.
• C. Create a VPC Peering connection between both VPCs.
• D. Create one EC2 instance in each subnet, assign Elastic IPs to both instances, and configure a set up Site-to-Site VPN connection between both EC2 instances.

Answer: C

Explanation: A VPC peering connection is a networking connection between two VPCs that enables you to route traffic between them using private IP addresses. EC2 instances in either VPC can communicate with each other as if they are within the same network. You can create a VPC peering connection between your own VPCs, or with a VPC in another AWS account within a single region.
AWS uses the existing infrastructure of a VPC to create a VPC peering connection; it is neither a gateway nor a VPN connection, and does not rely on a separate piece of physical hardware.
Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/vpc-peering.htmI

NEW QUESTION 10
An IAM user is trying to perform an action on an object belonging to some other root account’s bucket. Which of the below mentioned options will AWS S3 not verify?

• A. The object owner has provided access to the IAM user
• B. Permission provided by the parent of the IAM user on the bucket
• C. Permission provided by the bucket owner to the IAM user
• D. Permission provided by the parent ofthe IAM user

Answer: B

Explanation: If the IAM user is trying to perform some action on the object belonging to another AWS user’s bucket, S3 will verify whether the owner of the IAM user has given sufficient permission to him. It also verifies the policy for the bucket as well as the policy defined by the object owner.
Reference:
http://docs.aws.amazon.com/AmazonS3/Iatest/dev/access-control-auth-workflow-object-operation.htmI

NEW QUESTION 11
An organization is planning to extend their data center by connecting their DC with the AWS VPC using the VPN gateway. The organization is setting up a dynamically routed VPN connection. Which of the below mentioned answers is not required to setup this configuration?

• A. The type of customer gateway, such as Cisco ASA, Juniper J-Series, Juniper SSG, Yamaha.
• B. Elastic IP ranges that the organization wants to advertise over the VPN connection to the VPC.
• C. Internet-routable IP address (static) of the customer gateway's external interface.
• D. Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gatewa

Answer: B

Explanation: The Amazon Virtual Private Cloud (Amazon VPC) allows the user to define a virtual networking environment in a private, isolated section of the Amazon Web Services (AWS) cloud. The user has complete control over the virtual networking environment. The organization wants to extend their network into the cloud and also directly access the internet from their AWS VPC. Thus, the organization should setup a Virtual Private Cloud (VPC) with a public subnet and a private subnet, and a virtual private gateway to enable communication with their data center network over an IPsec VPN tunnel. To setup this configuration the organization needs to use the Amazon VPC with a VPN connection. The organization network administrator must designate a physical appliance as a customer gateway and configure it. The organization would need the below mentioned information to setup this configuration:
The type of customer gateway, such as Cisco ASA, Juniper J-Series, Juniper SSG, Yamaha Internet-routable IP address (static) of the customer gateway's external interface
Border Gateway Protocol (BGP) Autonomous System Number (ASN) of the customer gateway, if the organization is creating a dynamically routed VPN connection.
Internal network IP ranges that the user wants to advertise over the VPN connection to the VPC. Reference: http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_VPN.htmI

NEW QUESTION 12
You control access to S3 buckets and objects with:

• A. Identity and Access Management (IAM) Policies.
• B. Access Control Lists (ACLs).
• C. Bucket Policies.
• D. All of the above

Answer: D

NEW QUESTION 13
The Principal element of an IAM policy refers to the specific entity that should be allowed or denied permission, whereas the translates to everyone except the specified entity.

• A. NotPrincipa|
• B. Vendor
• C. Principal
• D. Action

Answer: A

Explanation: The element NotPrincipa| that is included within your IAM policy statements allows you to specify an exception to a list of principals to whom the access to a specific resource is either allowed or denied. Use the NotPrincipaI element to specify an exception to a list of principals. For example, you can deny access to all principals except the one named in the NotPrincipa| element.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_poIicies_eIements.htmI#PrincipaI

NEW QUESTION 14
Identify a true statement about using an IAM role to grant permissions to applications running on Amazon EC2 instances.

• A. When AWS credentials are rotated, developers have to update only the root Amazon EC2 instance that uses their credentials.
• B. When AWS credentials are rotated, developers have to update only the Amazon EC2 instance on which the password policy was applied and which uses their credentials.
• C. When AWS credentials are rotated, you don't have to manage credentials and you don't have to worry about long-term security risks.
• D. When AWS credentials are rotated, you must manage credentials and you should consider precautions for long-term security risks.

Answer: C

Explanation: Using IAM roles to grant permissions to applications that run on EC2 instances requires a bit of extra configuration. Because role credentials are temporary and rotated automatically, you don't have to manage credentials, and you don't have to worry about long-term security risks.
Reference: http://docs.aws.amazon.com/IAM/latest/UserGuide/role-usecase-ec2app.htmI

NEW QUESTION 15
You deployed your company website using Elastic Beanstalk and you enabled log file rotation to S3. An Elastic Map Reduce job is periodically analyzing the logs on S3 to build a usage dashboard that you share with your CIO.
You recently improved overall performance of the website using Cloud Front for dynamic content delivery and your website as the origin.
After this architectural change, the usage dashboard shows that the traffic on your website dropped by an order of magnitude. How do you fix your usage dashboard'?

• A. Enable Cloud Front to deliver access logs to S3 and use them as input of the Elastic Map Reduce job.
• B. Turn on Cloud Trail and use trail log tiles on S3 as input of the Elastic Map Reduce job
• C. Change your log collection process to use Cloud Watch ELB metrics as input of the Elastic MapReduce job
• D. Use Elastic Beanstalk "Rebuild Environment" option to update log delivery to the Elastic lV|ap Reduce job.
• E. Use Elastic Beanstalk 'Restart App server(s)" option to update log delivery to the Elastic Map Reduce job.

Answer: D

NEW QUESTION 16
An organization is planning to setup a management network on the AWS VPC. The organization is trying to secure the webserver on a single VPC instance such that it allows the internet traffic as well as the back-end management traffic. The organization wants to make so that the back end management network
interface can receive the SSH traffic only from a selected IP range, while the internet facing webserver will have an IP address which can receive traffic from all the internet IPs.
How can the organization achieve this by running web server on a single instance?

• A. It is not possible to have two IP addresses for a single instance.
• B. The organization should create two network interfaces with the same subnet and security group to assign separate IPs to each network interface.
• C. The organization should create two network interfaces with separate subnets so one instance can have two subnets and the respective security groups for controlled access.
• D. The organization should launch an instance with two separate subnets using the same network interface which allows to have a separate CIDR as well as security groups.

Answer: C

Explanation: A Virtual Private Cloud (VPC) is a virtual network dedicated to the user’s AWS account. It enables the user to launch AWS resources into a virtual network that the user has defined. An Elastic Network Interface (ENI) is a virtual network interface that the user can attach to an instance in a VPC.
The user can create a management network using two separate network interfaces. For the present scenario it is required that the secondary network interface on the instance handles the public facing traffic and the primary network interface handles the back-end management traffic and it is connected to a separate subnet in the VPC that has more restrictive access controls. The public facing interface, which may or may not be behind a load balancer, has an associated security group to allow access to the server from the internet while the private facing interface has an associated security group allowing SSH access only from an allowed range of IP addresses either within the VPC or from the internet, a private subnet within the VPC or a virtual private gateway.
Reference: http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-eni.htmI

NEW QUESTION 17
Which statement is NOT true about a stack which has been created in a Virtual Private Cloud (VPC) in AWS OpsWorks?

• A. Subnets whose instances cannot communicate with the Internet are referred to as public subnets.
• B. Subnets whose instances can communicate only with other instances in the VPC and cannot communicate directly with the Internet are referred to as private subnets.
• C. All instances in the stack should have access to any package repositories that your operating system depends on, such as the Amazon Linux or Ubuntu Linux repositories.
• D. Your app and custom cookbook repositories should be accessible for all instances in the stac

Answer: A

Explanation: In AWS OpsWorks, you can control user access to a stack's instances by creating it in a virtual private cloud (VPC). For example, you might not want users to have direct access to your stack's app servers or databases and instead require that all public traffic be channeled through an Elastic Load Balancer.
A VPC consists of one or more subnets, each of which contains one or more instances. Each subnet has an associated routing table that directs outbound traffic based on its destination IP address.
Instances within a VPC can generally communicate with each other, regardless of their subnet. Subnets whose instances can communicate with the Internet are referred to as public subnets. Subnets whose instances can communicate only with other instances in the VPC and cannot communicate directly with the Internet are referred to as private subnets.
AWS OpsWorks requires the VPC to be configured so that every instance in the stack, including instances in private subnets, has access to the following endpoints:
The AWS OpsWorks service, https://opsworks-instance-service.us-east-1.amazonaws.com . Amazon S3
The package repositories for Amazon Linux or Ubuntu 12.04 LTS, depending on which operating system you specify.
Your app and custom cookbook repositories. Reference:
http://docs.aws.amazon.com/opsworks/latest/userguide/workingstacks-vpc.htmI#workingstacks-vpc-basi cs