The Secret Of Amazon-Web-Services CLF-C02 Preparation Labs

NEW QUESTION 1

A company wants to generate a list of IAM users. The company also wants to view the status of various credentials that are associated with the users, such as password, access keys: and multi-factor authentication (MFA) devices
Which AWS service or feature will meet these requirements?

• A. IAM credential report
• B. AWS IAM Identity Center (AWS Single Sign-On)
• C. AWS Identity and Access Management Access Analyzer
• D. AWS Cost and Usage Report

Answer: A

Explanation:
An IAM credential report is a feature of AWS Identity and Access Management (IAM) that allows you to view and download a report that lists all IAM users in your account and the status of their various credentials, such as passwords, access keys, and MFA devices. You can use this report to audit the security status of your IAM users and ensure that they follow the best practices for credential
management1. References: 1: AWS Documentation - IAM User Guide - Getting credential reports for your AWS account

NEW QUESTION 2

In the AWS shared responsibility model, which tasks are the responsibility of AWS? (Select TWO.)

• A. Patch an Amazon EC2 instance operating system.
• B. Configure a security group.
• C. Monitor the health of an Availability Zone.
• D. Protect the infrastructure that runs Amazon EC2 instances.
• E. Manage access to the data in an Amazon S3 bucket

Answer: CD

Explanation:
According to the AWS shared responsibility model, AWS is responsible for the security of the cloud, which includes the tasks of monitoring the health of an Availability Zone and protecting the infrastructure that runs Amazon EC2 instances. An Availability Zone is a physically isolated location within an AWS Region that has its own power, cooling, and network connectivity. AWS monitors the health and performance of each Availability Zone and notifies customers of any issues or disruptions. AWS also protects the infrastructure that runs AWS services, such as Amazon EC2, by implementing physical, environmental, and operational security measures. AWS is not responsible for patching an Amazon EC2 instance operating system, configuring a security group, or managing access to the data in an Amazon S3 bucket. These are the customer’s responsibilities for security in the cloud. The customer must ensure that the operating system and applications on their EC2 instances are up to date and secure. The customer must also configure the security group rules that control the inbound and outbound traffic for their EC2 instances. The customer must also manage the access permissions and encryption settings for their S3 buckets and objects2

NEW QUESTION 3

Which AWS service or feature will search for and identify AWS resources that are shared externally?

• A. Amazon OpenSearch Service
• B. AWS Control Tower
• C. AWS IAM Access Analyzer
• D. AWS Fargate

Answer: C

Explanation:
AWS IAM Access Analyzer is an AWS service that helps customers identify and review the resources in their AWS account that are shared with an external entity, such as another AWS account, a root user, an organization, or a public entity. AWS IAM Access Analyzer uses automated reasoning, a form of mathematical logic and inference, to analyze the resource-based policies in the account and generate comprehensive findings that show the access level, the source of the access, the affected resource, and the condition under which the access applies. Customers can use AWS IAM Access Analyzer to audit their shared resources, validate their access policies, and monitor any changes to the resource sharing status. References: AWS IAM Access Analyzer, Identify and review resources shared with external entities, How AWS IAM Access Analyzer works

NEW QUESTION 4

Which pillar of the AWS Well-Architected Framework includes a design principle about measuring the overall efficiency of workloads in terms of business value?

• A. Operational excellence
• B. Security
• C. Reliability
• D. Cost optimization

Answer: A

Explanation:
The operational excellence pillar of the AWS Well-Architected Framework includes a design principle about measuring the overall efficiency of workloads in terms of business value. This principle states that you should monitor and measure key performance indicators (KPIs) and set targets and thresholds that align with your business goals. You should also use feedback loops to continuously improve your processes and procedures1.

NEW QUESTION 5

Which AWS services can a company use to host and run a MySQL database? (Select TWO.)

• A. Amazon RDS
• B. Amazon DynamoDB
• C. Amazon S3
• D. Amazon EC2
• E. Amazon MQ

Answer: AD

Explanation:
Amazon RDS and Amazon EC2 are two AWS services that you can use to host and run a MySQL database. Amazon RDS is a service that makes it easy to set up, operate, and scale a relational database in the cloud. You can use Amazon RDS to launch a MySQL database instance and let Amazon RDS manage common database tasks such as backups, patching, scaling, and replication6. Amazon EC2 is a service that provides secure, resizable compute capacity in the cloud. You can use Amazon EC2 to launch a virtual server and install MySQL software on it. You have complete control over your database configuration, but you are responsible for managing and maintaining the
database software and the underlying infrastructure7. Amazon DynamoDB is a key-value and document database that delivers single-digit millisecond performance at any scale. Amazon S3 is an object storage service that offers industry-leading scalability, data availability, security, and performance. Amazon MQ is a managed message broker service for Apache ActiveMQ. None of these services can help you host and run a MySQL database.

NEW QUESTION 6

Which pillar of the AWS Well-Architected Framework focuses on the return on investment of moving into the AWS Cloud?

• A. Sustainability
• B. Cost optimization
• C. Operational excellence
• D. Reliability

Answer: B

Explanation:
Cost optimization is the pillar of the AWS Well-Architected Framework that focuses on the return on investment of moving into the AWS Cloud. Cost optimization means that users can achieve the desired business outcomes at the lowest possible price point, while maintaining high performance and reliability. Cost optimization can be achieved by using various AWS features and best practices, such as pay-as-you-go pricing, right- sizing, elasticity, reserved instances, spot instances, cost allocation tags, cost and usage reports, and AWS Trusted Advisor. [AWS Well-Architected Framework] AWS Certified Cloud Practitioner - aws.amazon.com

NEW QUESTION 7

A company wants to establish a security layer in its VPC that will act as a firewall to control subnet traffic.
Which AWS service or feature will meet this requirement?

• A. Routing tables
• B. Network access control lists (network ACLs)
• C. Security groups
• D. Amazon GuardDuty

Answer: C

Explanation:
Security groups are the service or feature that meets the requirement of establishing a security layer in a VPC that will act as a firewall to control subnet traffic. Security groups are stateful firewalls that control the inbound and outbound traffic at the instance level. You can assign one or more security groups to each instance in a VPC, and specify the rules that allow or deny traffic based on the protocol, port, and source or destination. Security groups are associated with network interfaces, and therefore apply to all the instances in the subnets that use those network interfaces. Routing tables are used to direct traffic between subnets and gateways, not to filter traffic. Network ACLs are stateless firewalls that control the inbound and outbound traffic at the subnet level, but they are less granular and more cumbersome to manage than security groups. Amazon GuardDuty is a threat detection service that monitors your AWS account and workloads for malicious or unauthorized activity, not a firewall service.

NEW QUESTION 8

Which task can a company perform by using security groups in the AWS Cloud?

• A. Allow access to an Amazon EC2 instance through only a specific port.
• B. Deny access to malicious IP addresses at a subnet level.
• C. Protect data that is cached by Amazon CloudFront.
• D. Apply a stateless firewall to an Amazon EC2 instance.

Answer: A

Explanation:
Security groups are virtual firewalls that control the inbound and outbound traffic for Amazon EC2 instances. They can be used to allow access to an Amazon EC2 instance through only a specific port, such as port 22 for SSH or port 80 for HTTP. Security groups cannot deny access to malicious IP addresses at a subnet level, as they only allow or deny traffic based on the rules defined by the customer. To block malicious IP addresses, customers can use network ACLs, which are stateless firewalls that can be applied to subnets. Security groups cannot protect data that is cached by Amazon CloudFront, as they only apply to EC2 instances. To protect data that is cached by Amazon CloudFront, customers can use encryption, signed URLs, or signed cookies. Security groups are not stateless firewalls, as they track the state of the traffic and automatically allow the response traffic to flow back to the source. Stateless firewalls do not track the state of the traffic and require rules for both inbound and outbound traffic.

NEW QUESTION 9

A user is moving a workload from a local data center to an architecture that is distributed between the local data center and the AWS Cloud.
Which type of migration is this?

• A. On-premises to cloud native
• B. Hybrid to cloud native
• C. On-premises to hybrid
• D. Cloud native to hybrid

Answer: C

Explanation:
C is correct because moving a workload from a local data center to an architecture that is distributed between the local data center and the AWS Cloud is an example of an on-premises to hybrid migration. A hybrid cloud is a cloud computing environment that uses a mix of on-premises, private cloud, and public cloud services with orchestration between the platforms. A is incorrect because on-premises to cloud native migration is the process of moving a workload from a local data center to an architecture that is fully hosted and managed on the AWS Cloud. B is incorrect because hybrid to cloud native migration is the process of moving a workload from an architecture that is distributed between the local data center and the AWS Cloud to an architecture that is fully hosted and managed on the AWS Cloud. D is incorrect because cloud native to hybrid migration is the process of moving a workload from an architecture that is fully hosted and managed on the AWS Cloud to an architecture that is distributed between the local data center and the AWS Cloud.

NEW QUESTION 10

Which AWS service or tool should a company use to forecast AWS spending?

• A. Amazon DevPay
• B. AWS Organizations
• C. AWS Trusted Advisor
• D. Cost Explorer

Answer: D

Explanation:
Cost Explorer is an AWS service or tool that can be used to forecast AWS spending. It allows users to analyze their AWS costs and usage using interactive graphs and tables. It also provides features such as filtering, grouping, and forecasting to help users plan their future spending. Amazon DevPay is an AWS service that allows developers to sell applications that are built on AWS services. It handles the billing and metering for the customers of the applications and collects payments from them. It is not a tool for forecasting AWS spending. AWS Organizations is an AWS service that allows users to centrally manage and govern their AWS accounts. It provides features such as creating groups of accounts, applying policies, and automating account creation. It is not a tool for forecasting AWS spending. AWS Trusted Advisor is an AWS service that provides best practices and recommendations to optimize the performance, security, and cost of AWS resources. It can help users identify opportunities to reduce their AWS costs, but it is not a tool for forecasting AWS spending

NEW QUESTION 11

Which of the following acts as an instance-level firewall to control inbound and outbound access?

• A. Network access control list
• B. Security groups
• C. AWS Trusted Advisor
• D. Virtual private gateways

Answer: B

Explanation:
The correct answer is B because security groups are AWS features that act as instance-level firewalls to control inbound and outbound access. Security groups are virtual firewalls that can be attached to one or more Amazon EC2 instances. Users can configure rules for security groups to allow or deny traffic based on protocols, ports, and source or destination IP addresses. The other options are incorrect because they are not AWS features that act as instance-level firewalls to control inbound and outbound access. Network access control list is an AWS feature that acts as a subnet-level firewall to control inbound and outbound access. AWS Trusted Advisor is an AWS service that provides real- time guidance to help users follow AWS best practices for security, performance, cost optimization, and fault tolerance. Virtual private gateways are AWS features that enable users to create a secure and encrypted connection between their VPC and their on- premises network. Reference: Security Groups for Your VPC

NEW QUESTION 12

At what support level do users receive access to a support concierge?

• A. Basic Support
• B. Developer Support
• C. Business Support
• D. Enterprise Support

Answer: D

Explanation:
Users receive access to a support concierge at the Enterprise Support level. A support concierge is a team of AWS billing and account experts that specialize in working with enterprise accounts. They can help users with billing and account inquiries, cost optimization, FinOps support, cost analysis, and prioritized answers to billing questions. The support concierge is included as part of the Enterprise Support plan, which also provides access to a Technical Account Manager (TAM), Infrastructure Event Management, AWS Trusted Advisor, and 24/7 technical support. References: AWS Support Plan Comparison, AWS Enterprise Support Plan, AWS Support Concierge

NEW QUESTION 13

Which AWS service can provide a dedicated network connection with consistent low latency from on premises to the AWS Cloud?

• A. Amazon VPC
• B. Amazon Kinesis Data Streams
• C. AWS Direct Connect
• D. Amazon OpenSearch Service

Answer: C

Explanation:
AWS Direct Connect is a service that provides a dedicated network connection from on premises to the AWS Cloud. It can reduce network costs, increase bandwidth throughput, and provide a more consistent network experience than internet- based connections. It can also provide low latency for applications that require real-time data transfer4. Amazon VPC is a service that provides a logically isolated section of the AWS Cloud where users can launch AWS resources in a virtual network that they define. Amazon Kinesis Data Streams is a service that provides a scalable and durable stream of data records for real-time data processing. Amazon OpenSearch Service is a service that provides a fully managed, scalable, and secure search and analytics solution that is compatible with Elasticsearch.

NEW QUESTION 14

A company is moving to the AWS Cloud to reduce operational overhead for its application infrastructure.
Which IT operation will the company still be responsible for after the migration to AWS?

• A. Security patching of AWS Elastic Beanstalk
• B. Backups of data that is stored in Amazon Aurora
• C. Termination of Amazon EC2 instances that are managed by AWS Auto Scaling
• D. Configuration of IAM access controls

Answer: D

Explanation:
AWS Elastic Beanstalk, Amazon Aurora, and AWS Auto Scaling are managed services that reduce the operational overhead for the customers. AWS is responsible for security patching, backups, and termination of these services. However, the customers are still responsible for configuring IAM access controls to manage the permissions and policies for their AWS resources. This is part of the AWS shared responsibility model, which defines the security and compliance responsibilities of AWS and the customers. You can learn more about the AWS shared responsibility model from this whitepaper or this digital course.

NEW QUESTION 15

A company has been storing monthly reports in an Amazon S3 bucket. The company exports the report data into comma-separated values (.csv) files. A developer wants to write a simple query that can read all of these files and generate a summary report.
Which AWS service or feature should the developer use to meet these requirements with the LEAST amount of operational overhead?

• A. Amazon S3 Select
• B. Amazon Athena
• C. Amazon Redshift
• D. Amazon EC2

Answer: B

Explanation:
Amazon Athena is the AWS service that the developer should use to write a simple query that can read all of the .csv files stored in an Amazon S3 bucket and generate a summary report. Amazon Athena is an interactive query service that allows users to analyze data in Amazon S3 using standard SQL. Amazon Athena does not require any server setup or management, and users only pay for the queries they run. Amazon Athena can handle various data formats, including .csv, and can integrate with other AWS services such as Amazon QuickSight for data visualization

NEW QUESTION 16

Which AWS service can a company use to find security and compliance reports, including International Organization for Standardization (ISO) reports?

• A. AWS Artifact
• B. Amazon CloudWatch
• C. AWS Config
• D. AWS Audit Manager

Answer: A

Explanation:
AWS Artifact is a self-service portal that provides on-demand access to AWS security and compliance reports and select online agreements. You can use AWS Artifact to download AWS service audit reports, such as ISO, PCI, and SOC, and to accept and manage agreements with AWS, such as the Business Associate Addendum (BAA).

NEW QUESTION 17

Which of the following is an AWS value proposition that describes a user's ability to scale infrastructure based on demand?

• A. Speed of innovation
• B. Resource elasticity
• C. Decoupled architecture
• D. Global deployment

Answer: B

Explanation:
Resource elasticity is an AWS value proposition that describes a user’s ability to scale infrastructure based on demand. Resource elasticity means that the user can provision or deprovision resources quickly and easily, without any upfront commitment or long-term contract. Resource elasticity can help the user optimize the cost and performance of the application, as well as respond to changing business needs and customer expectations. Resource elasticity can be achieved by using services such as Amazon EC2, Amazon S3, Amazon RDS, Amazon DynamoDB, Amazon ECS, and AWS Lambda. [AWS Cloud Value Framework] AWS Certified Cloud Practitioner - aws.amazon.com

NEW QUESTION 18

Which scenarios represent the concept of elasticity on AWS? (Select TWO.)

• A. Scaling the number of Amazon EC2 instances based on traffic
• B. Resizing Amazon RDS instances as business needs change
• C. Automatically directing traffic to less-utilized Amazon EC2 instances
• D. Using AWS compliance documents to accelerate the compliance process
• E. Having the ability to create and govern environments using code

Answer: AB

Explanation:
These are two scenarios that represent the concept of elasticity on AWS. Elasticity means the ability to adjust the resources and capacity of the system in response to changes in demand or environment. Scaling the number of Amazon EC2 instances based on traffic means using services such as AWS Auto Scaling or Elastic Load Balancing to add or remove instances as the traffic increases or decreases. Resizing Amazon RDS instances as business needs change means using the Amazon RDS console or API to modify the instance type, storage type, or storage size of the database as the workload grows or shrinks. You can learn more about the concept of elasticity on AWS from [this webpage] or [this digital course].

NEW QUESTION 19

Which AWS services or features give users the ability to create a network connection between two VPCs? (Select TWO.)

• A. VPC endpoints
• B. Amazon Route 53
• C. VPC peering
• D. AWS Direct Connect
• E. AWS Transit Gateway

Answer: CE

Explanation:
VPC peering and AWS Transit Gateway are two AWS services or features that give users the ability to create a network connection between two VPCs. VPC peering is a networking connection between two VPCs that enables you to route traffic between them privately. You can create a VPC peering connection between your own VPCs, with a VPC in another AWS account, or with a VPC in a different AWS Region. Traffic between peered VPCs never traverses the public internet. VPC peering does not support transitive peering relationships, which means that if VPC A is peered with VPC B, and VPC B is peered with VPC C, then VPC A and VPC C are not automatically peered789. AWS Transit Gateway is a networking service that acts as a regional router for your VPCs and on- premises networks. You can attach up to 5,000 VPCs and VPN connections to a single transit gateway and route traffic between them. AWS Transit Gateway simplifies the management and scalability of your network architecture, as you only need to create and manage a single connection from the central transit gateway to each connected network. AWS Transit Gateway supports transitive routing, which means that any network that is attached to the transit gateway can communicate with any other network that is attached to the same transit gateway . References: 7: VPC peering - Amazon Virtual Private Cloud, 8: Connect VPCs using VPC peering - Amazon Virtual Private Cloud, 9: Amazon VPC-to-Amazon VPC connectivity options - Amazon Virtual Private Cloud, : [AWS Transit Gateway - Amazon Web Services], : [Connect VPCs using AWS Transit Gateway - Amazon Virtual Private Cloud], : [AWS Transit Gateway: Simplify Your Network Architecture]

NEW QUESTION 20
......