Amazon Amazon Certifications ANS-C00 Questions & Answers

• Question 281:

  You need to create a subnet in a VPC that supports 14 hosts. You need to be as accurate as possible since you run a very large company. What CIDR should you use?

  A. /28

  B. /24

  C. /25

  D. /27

  Correct Answer: D

  Explanation:

  /27 supports 27 hosts since AWS reserves 5 addresses. /25 supports 123 hosts, /28 supports 11, /24

  supports 251.

• Question 282:

  A user is running a batch process on EBS backed EC2 instances. The batch process launches few EC2 instances to process hadoop Map reduce jobs which can run between 50-600 minutes or sometimes for even more time. The user wants a configuration that can terminate the instance only when the process is completed. How can the user configure this with CloudWatch?

  A. Configure a job which terminates all instances after 600 minutes

  B. It is not possible to terminate instances automatically

  C. Set up the CloudWatch with Auto Scaling to terminate all the instances

  D. Configure the CloudWatch action to terminate the instance when the CPU utilization falls below 5%

  Correct Answer: D

  Explanation: Amazon CloudWatch alarm watches a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can setup an action which terminates the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either terminate or stop the instance as part of the EC2 action.

  Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/ UsingAlarmActions.html

• Question 283:

  You can use the ____ command of the AWS Config service CLI to see the compliance state of each resource that AWS Config evaluates for a specific rule.

  A. describe-compliance-by-resource

  B. describe-compliance-by-config-rule

  C. get-compliance-details-by-config-rule

  D. get-compliance-details-by-resource

  Correct Answer: C

  Explanation:

  You can use the get-compliance-details-by-config-rule command of the AWS Config CLI to see the

  compliance state of each resource that AWS Config evaluates for a specific rule.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_viewcompliance.html

• Question 284:

  You have many IAM users with the ability to create EC2 volumes. Most of the data your team works with is sensitive, so you would like to make sure all volumes are encrypted. How might you facilitate this requirement?

  A. Create an AWS KMS policy and attach it to all IAM users that can create EC2 volumes.

  B. Use AWS Config and create a rule that requires all volumes, upon creation, be encrypted.

  C. Use AWS Config to send out reminders to IAM users every time they create an EC2 volume.

  D. Set EC2 to notify creators to encrypt their EC2 volumes.

  Correct Answer: B

  Explanation:

  AWS Config is used to evaluate the configuration settings of many AWS resources. When an EC2 volume

  in created, AWS Config can evaluate the volume against a rule that requires volumes to be encrypted. If

  the volume is not encrypted, AWS Config flags the volume and the rule as noncompliant.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config.html

• Question 285:

  You would like to ensure that all Amazon S3 buckets going forward, current and newly created ones, have logging enabled. What type of trigger(s) should you use?

  A. only a periodic trigger

  B. only a configuration change trigger

  C. both configuration change and periodic triggers

  D. only a transitioning trigger

  Correct Answer: B

  Explanation:

  This case requires only a configuration change trigger because you only need to trigger when S3 buckets

  are created and changed. There is no time component to when the trigger needs to fire.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config-rules.html

• Question 286:

  Which of the following characters is not allowed while creating a Namespace for a CloudWatch metric?

  A. /

  B. :

  C. #

  D. @

  Correct Answer: D

  Explanation:

  Namespace is a grouping or a container for a CloudWatch metric. The names must be valid XML

  characters, typically containing the alphanumeric characters "0-9A-Za-z" plus "."(period), "-" (hyphen),

  "_" (underscore), "/" (slash), "#" (hash), and ":" (colon). All AWS namespaces follow the convention AWS/

  , such as AWS/EC2 and AWS/ELB.

  Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/

  cloudwatch_concepts.html

• Question 287:

  In order to change the name of the AWS Config ____, you must stop the configuration recorder, delete the current one, and create a new one with a new name, since there can only be one of these per AWS account.

  A. SNS topic

  B. configuration history

  C. delivery channel

  D. S3 bucket path

  Correct Answer: C

  Explanation: As AWS Config continually records the changes that occur to your AWS resources, it sends notifications and updated configuration states through the delivery channel. You can manage the delivery channel to control where AWS Config sends configuration updates. You can have only one delivery channel per AWS account, and the delivery channel is required to use AWS Config. To change the delivery channel name, you must delete it and create a new delivery channel with the desired name. Before you can delete the delivery channel, you must temporarily stop the configuration recorder. The AWS Config console does not provide the option to delete the delivery channel, so you must use the AWS CLI, the AWS Config API, or one of the AWS SDKs.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/update-dc.html

• Question 288:

  You have several Amazon Glacier vaults you would like to monitor. How might you monitor those vaults?

  A. Create a custom AWS Config rule.

  B. Use an AWS master Config rule.

  C. Use an AWS managed Config rule.

  D. Create a KMS policy and attach it to your Amazon Glacier vault.

  Correct Answer: A

  Explanation:

  AWS Config does not currently record Amazon Glacier resources; you must create a custom rule if you

  wish to monitor such a resource.

  Reference:

  http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_developrules_nodejs.html#creating-custom-rules-for-additional-resource-types

• Question 289:

  You can use the ____ command of the AWS Config service CLI to see the compliance state of each of your rules.

  A. get-compliance-details-by-resource

  B. describe-compliance-by-config-rule

  C. get-compliance-details-by-config-rule

  D. describe-compliance-by-resource

  Correct Answer: B

  Explanation:

  You can use the describe-compliance-by-config-rule command of the AWS Config CLI to see the

  compliance state of each of your rules. For each rule that has a compliance type of NON_COMPLIANT,

  AWS Config returns the number of noncompliant resources for the CappedCount parameter.

  Reference: http://docs.aws.amazon.com/config/latest/developerguide/evaluate-config_viewcompliance.html

• Question 290:

  A user is trying to understand the detailed CloudWatch monitoring concept. Which of the below mentioned services does not provide detailed monitoring with CloudWatch?

  A. AWS Route53

  B. AWS EMR

  C. AWS ELB

  D. AWS RDS

  Correct Answer: B

  Explanation: CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. Services, such as RDS, EC2, Auto Scaling, ELB, and Route 53 can provide the monitoring data every minute.

  Reference:

  http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/supported_services.html