AWS Certified Solutions Architect - Associate Exam Questions And Answers 2022/2023
Elastic Network Interface (ENI) - Answer- An elastic network interface (ENI) is a logical networking component in a VPC that represents a virtual network card. You can attach a network interface to an EC2 instance in the following ways:
When it's running (hot attach)
When it's stopped (warm attach)
When the instance is being launched (cold attach).
Amazon SQS (Simple Queue Service) - Answer- Offers reliable and scalable hosted queues for storing messages as they travel between computers.
Makes it easy to build automated workflows between web services.
Transmits any volume of data, at any throughput level, without losing messages or requiring other services to be always available.
A hosted queue that lets you integrate and decouple distributed software systems and components.
SQS supports both standard and FIFO queues.
SQS uses pull based (polling) not push based.
Users can access Amazon SQS from their VPC using VPC endpoints, without using public IPs, and without needing to traverse the public internet. VPC endpoints for Amazon SQS are powered by AWS PrivateLink.
Amazon S3 - Answer- Simple Storage Service (SaaS), a scalable, high-speed, low-cost, web-based cloud storage service designed for online backup and archiving of data and application programs.
AWS Lambda - Answer- AWS Lambda is a compute service where you can upload your code and the service can run the code on your behalf using the AWS infrastructure. You package up and upload your custom code to AWS Lambda when you create a Lambda function.
Amazon S3 Notification Feature - Answer- The Amazon S3 notification feature
enables you to receive notifications when certain events happen in your bucket. To
enable notifications, you must first add a notification configuration identifying the
events you want Amazon S3 to publish, and the destinations where you want
Amazon S3 to send the event notifications.
Amazon S3 supports the following destinations where it can publish events:
Amazon Simple Notification Service (Amazon SNS) topic - A web service that
coordinates and manages the delivery or sending of messages to subscribing
endpoints or clients.
Amazon Simple Queue Service (Amazon SQS) queue - Offers reliable and scalable hosted queues for storing messages as they travel between computers.
AWS Lambda - AWS Lambda is a compute service where you can upload your code and the service can run the code on your behalf using the AWS infrastructure. You package up and upload your custom code to AWS Lambda when you create a Lambda function.
Amazon DynamoDB - Answer- DynamoDB is a NoSQL database that supports key-value and document data structures. A key-value store is a database service that provides support for storing, querying, and updating collections of objects that are identified using a key and values that contain the actual content being stored. Meanwhile, a document data store provides support for storing, querying, and updating items in a document format such as JSON, XML, and HTML.
Amazon S3 as a Database Repository or Search Engine Target - Answer- To speed
up access to relevant data, you can pair Amazon S3 with a search engine such as
Amazon CloudSearch or a database such as Amazon DynamoDB or Amazon RDS.
In these scenarios, Amazon S3 stores the actual information, and the search engine
or database serves as the repository for associated metadata such as the object
name, size, keywords, and so on. Metadata in the database can easily be indexed
and queried, making it very efficient to locate an object's reference by using a search
engine or a database query. This result can be used to pinpoint and retrieve the
object itself from Amazon S3.
Amazon Snowball Edge - Answer- Although an AWS Snowball device costs less
than AWS Snowball Edge, it cannot store 80 TB of data in one device. Take note
that the storage capacity is different from the usable capacity for Snowball and
Snowball Edge. Remember that an 80 TB Snowball appliance and 100 TB Snowball
Edge appliance only have 72 TB and 83 TB of usable capacity respectively. Hence,
it would be costly if you use two Snowball devices compared to using just one AWS
Snowball Edge device.
The AWS Snowball Edge is a type of Snowball device with on-board storage and
compute power for select AWS capabilities. Snowball Edge can undertake local
processing and edge-computing workloads in addition to transferring data between
your local environment and the AWS Cloud.
Each Snowball Edge device can transport data at speeds faster than the internet.
This transport is done by shipping the data in the appliances through a regional
carrier. The appliances are rugged shipping containers, complete with E Ink shipping
labels. The AWS Snowball Edge device differs from the standard Snowball because
it can bring the power of the AWS Cloud to your on-premises location, with local
storage and compute functionality.
Snowball Edge devices have three options for device configurations - storage
optimized, compute optimized, and with GPU. When this guide refers to Snowball
Edge devices, it's referring to all options of the device. Whenever specific information
applies only to one or more optional configurations of devices, like how the Snowball
Edge with GPU has an on-board GPU, it will be called out.
AWS Security Token Service (AWS STS) - Answer- AWS Security Token Service
(AWS STS) is the service that you can use to create and provide trusted users with
temporary security credentials that can control access to your AWS resources.
Temporary security credentials work almost identically to the long-term access key
credentials that your IAM users can use.
In this diagram, IAM user Alice in the Dev account (the role-assuming account)
needs to access the Prod account (the role-owning account). Here's how it works:
Alice in the Dev account assumes an IAM role (WriteAccess) in the Prod account by
calling AssumeRole.
STS returns a set of temporary security credentials.
Alice uses the temporary security credentials to access services and resources in
the Prod account. Alice could, for example, make calls to Amazon S3 and Amazon
EC2, which are granted by the WriteAccess role.
Amazon Data Lifecycle Manager (Amazon DLM) - Answer- You can use Amazon
Data Lifecycle Manager (Amazon DLM) to automate the creation, retention, and
deletion of snapshots taken to back up your Amazon EBS volumes. Automating
snapshot management helps you to:
-Protect valuable data by enforcing a regular backup schedule.
-Retain backups as required by auditors or internal compliance.
-Reduce storage costs by deleting outdated backups.
Combined with the monitoring features of Amazon CloudWatch Events and AWS CloudTrail, Amazon DLM provides a complete backup solution for EBS volumes at no additional cost. Hence, Option 5 is the correct answer as it is the fastest and cost-effective solution in providing an automated way of backing up your EBS volumes.
Amazon EC2 Autoscaling Cooldown Period - Answer- In Auto Scaling, the following
statements are correct regarding the cooldown period:
It ensures that the Auto Scaling group does not launch or terminate additional EC2
instances before the previous scaling activity takes effect.
Its default value is 300 seconds.
It is a configurable setting for your Auto Scaling group.
NACL Definition and Execution Process - Answer- A network access control list
(ACL) is an optional layer of security for your VPC that acts as a firewall for
controlling traffic in and out of one or more subnets. You might set up network ACLs
with rules similar to your security groups in order to add an additional layer of
security to your VPC.
Network ACL Rules are evaluated by rule number, from lowest to highest, and
executed immediately when a matching allow/deny rule is found.
EBS Replication - Answer- When you create an EBS volume in an Availability Zone, it is automatically replicated within that zone only, to prevent data loss due to a failure of any single hardware component. After you create a volume, you can attach it to any EC2 instance in the same Availability Zone.
Virtual Private Gateway - Answer- By default, instances that you launch into a virtual
private cloud (VPC) can't communicate with your own network. You can enable
access to your network from your VPC by attaching a virtual private gateway to the
VPC, creating a custom route table, updating your security group rules, and creating
an AWS managed VPN connection.
Although the term VPN connection is a general term, in the Amazon VPC
documentation, a VPN connection refers to the connection between your VPC and
your own network. AWS supports Internet Protocol security (IPsec) VPN
connections.
A customer gateway is a physical device or software application on your side of the
VPN connection.
To create a VPN connection, you must create a customer gateway resource in AWS,
which provides information to AWS about your customer gateway device. Next, you
have to set up an Internet-routable IP address (static) of the customer gateway's
external interface.
AWS OpsWorks - Answer- AWS OpsWorks is a configuration management service that provides managed instances of Chef and Puppet. Chef and Puppet are automation platforms that allow you to use code to automate the configurations of your servers. OpsWorks lets you use Chef and Puppet to automate how servers are configured, deployed, and managed across your Amazon EC2 instances or on-premises compute environments. OpsWorks has three offerings - AWS OpsWorks for Chef Automate, AWS OpsWorks for Puppet Enterprise, and AWS OpsWorks Stacks.
Amazon S3 Data Encryption - Answer- Server-side encryption is about data
encryption at rest—that is, Amazon S3 encrypts your data at the object level as it
writes it to disks in its data centers and decrypts it for you when you access it. As
long as you authenticate your request and you have access permissions, there is no
difference in the way you access encrypted or unencrypted objects. For example, if
you share your objects using a pre-signed URL, that URL works the same way for
both encrypted and unencrypted objects.
You have three mutually exclusive options depending on how you choose to manage
the encryption keys:
Use Server-Side Encryption with Amazon S3-Managed Keys (SSE-S3)
Use Server-Side Encryption with AWS KMS-Managed Keys (SSE-KMS)
Use Server-Side Encryption with Customer-Provided Keys (SSE-C)
Pilot Light - Answer- The term pilot light is often used to describe a DR scenario in
which a minimal version of an environment is always running in the cloud. The idea
of the pilot light is an analogy that comes from the gas heater. In a gas heater, a
small flame that's always on can quickly ignite the entire furnace to heat up a house.
This scenario is similar to a backup-and-restore scenario.
For example, with AWS you can maintain a pilot light by configuring and running the
most critical core elements of your system in AWS. When the time comes for
recovery, you can rapidly provision a full-scale production environment around the
critical core.
RDS Failover - Answer- In Amazon RDS, failover is handled automatically so that you can resume database operations as quickly as possible, without administrative intervention, in the event that your primary database instance goes down. When failing over, Amazon RDS simply flips the canonical name record (CNAME) for your DB instance to point at the standby, which is in turn promoted to become the new primary.
Allowing a Custom Port - Answer- To allow the custom port, you have to change the
Inbound Rules in your Security Group to allow traffic coming from the mobile
devices. Security Groups usually control the list of ports that are allowed to be used
by your EC2 instances and the NACLs control which network or list of IP addresses
can connect to your whole VPC.
When you create a security group, it has no inbound rules. Therefore, no inbound
traffic originating from another host to your instance is allowed until you add inbound
rules to the security group. By default, a security group includes an outbound rule
that allows all outbound traffic. You can remove the rule and add outbound rules that
allow specific outbound traffic only. If your security group has no outbound rules, no
outbound traffic originating from your instance is allowed.
ELB Types and Details - Answer- Elastic Load Balancing supports three types of
load balancers. You can select the appropriate load balancer based on your
application needs.
If you need flexible application management and TLS termination then we
recommend that you use Application Load Balancer. If extreme performance and
static IP is needed for your application then we recommend that you use Network
Load Balancer. If your application is built within the EC2 Classic network then you
should use Classic Load Balancer.
An Application Load Balancer functions at the application layer, the seventh layer of
the Open Systems Interconnection (OSI) model. After the load balancer receives a
request, it evaluates the listener rules in priority order to determine which rule to
apply, and then selects a target from the target group for the rule action. You can
configure listener rules to route requests to different target groups based on the
content of the application traffic. Routing is performed independently for each target
group, even when a target is registered with multiple target groups.
Application Load Balancers support TLS termination capabilities, path-based routing, host-based routing, and support for containerized applications; hence, Option 1 is correct.
AWS provides a number of security related managed services. From the options below, select which AWS service is related to protecting your infrastructure from which security issue. - Answer- AWS provides various services to cope with many security related issues and because of this, there are a number of options which are correct. AWS Shield has two options listed above, but only one is correct. AWS Shield operates on layers 3 and 4 of the ISO network model and its primary purpose is to protect against DDoS attacks. It does not have any effect against SQL Injection attacks, which are dealt with by AWS WAF. WAF also protects against Cross-Site Scripting and can block traffic from IP addresses based on rules. Finally, Amazon Macie tackles a different problem related to Data Loss Prevention and protects sensitive data.