Amazon Amazon Certifications ANS-C00 Questions & Answers

• Question 71:

  Which of the following statements is true of AWS Elastic Beanstalk?

  A. AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are applied to your AWS account for any alarms that you use.

  B. AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, and both are free of charge.

  C. AWS Elastic Beanstalk doesn't use CloudWatch for monitoring and alarms, but you pay extra for any AWS Elastic Beanstalk Alarm you set in the monitoring tool.

  D. AWS Elastic Beanstalk has its own free-of-charge monitoring tool, and you are not charged for the alarm you set.

  Correct Answer: A

  Explanation:

  AWS Elastic Beanstalk uses CloudWatch for monitoring and alarms, meaning CloudWatch costs are

  applied to your AWS account for any alarms that you use.

  Reference: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/using-features.alarms.html

• Question 72:

  To directly manage your CloudTrail security layer, you can use ____ for your CloudTrail log files A. SSE-S3

  B. SCE-KMS

  C. SCE-S3

  D. SSE-KMS

  Correct Answer: D

  Explanation: By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS-managed keys (SSE-KMS) for your CloudTrail log files.

  Reference: http://docs.aws.amazon.com/awscloudtrail/latest/userguide/encrypting-cloudtrail-log-files-withaws-kms.html

• Question 73:

  Use ___________ to get more visibility into the health of your AWS Elastic Beanstalk application and take appropriate actions in case of hardware failure or performance degradation.

  A. Amazon Elastic Beanstalk command line

  B. Amazon EC2 log files

  C. Amazon CloudWatch

  D. Amazon Load balancing

  Correct Answer: C

  Explanation:

  In AWS Elastic Beanstalk, you can use Amazon CloudWatch to get more visibility into the health of your

  AWS Elastic Beanstalk application and take appropriate actions in case of hardware failure or performance

  degradation.

  Reference: http://docs.aws.amazon.com/elasticbeanstalk/latest/dg/concepts.concepts.design.html

• Question 74:

  You are deploying a web application in a VPC that requires SSL mutual authentication with a client- side, smartcard-stored certificate. The ELB Classic Load Balancer listener must support mutual authentication between the client and the application.

  Which load balancer protocol should you select for this application?

  A. HTTP

  B. HTTPS

  C. SSL

  D. TCP

  Correct Answer: D

  Explanation:

  An ELB Classic Load Balancer cannot validate a client side certificate, so it must be passed through as

  standard TCP on port 443 to let the EC2 instance handle the validation.

• Question 75:

  You have an application that is processing confidential data. The data is currently stored in your data center. You are moving workloads to AWS, and you need to ensure confidentiality and integrity of the data in transit to your VPC. Your company has an existing AWS Direct Connect connection.

  What combination of steps should you perform to set up the most cost-effective connection between your on-premises data center and AWS? (Choose three.)

  A. Set up a VPC with a virtual private gateway.

  B. Set up a VPC with an Internet gateway.

  C. Configure a public virtual interface on your Direct Connect connection.

  D. Configure a private virtual interface to the virtual private gateway.

  E. Set up an IPsec tunnel between your customer gateway and a software VPN on Amazon EC2 in the VPC.

  F. Set up an IPsec tunnel between your customer gateway appliance and the virtual private gateway.

  Correct Answer: ACF

  Explanation:

  Setting up a VPN over your Direct Connect connection will secure the data in transit. The steps to do so

  are: adding a VGW to the VPC; setting up a public virtual interface; and creating the IPsec tunnel between

  your data center and the VGW via the public virtual interface. B would send traffic over the public Internet.

  D is not possible because a public virtual interface is needed to announce the VGW endpoint IPs. E would

  not take advantage of the already existing Direct Connect connection.

• Question 76:

  You are architecting your e-business application for PCI compliance. To meet the compliance requirements, you need to monitor web application logs to identify any malicious activity. You also need to monitor for remote attempts to change the network interface of web instances.

  Which two AWS services will be helpful to achieve this goal?

  A. Amazon CloudWatch Logs and VPC Flow Logs

  B. AWS CloudTrail and VPC Flow Logs

  C. AWS CloudTrail and CloudWatch Logs

  D. AWS CloudTrail and AWS Config

  Correct Answer: C

  Explanation: Web application logs are internal to the operating system, so the only way to monitor them with an AWS service is to export them using CloudWatch Logs. AWS CloudTrail monitors the API activity and can be used to watch for particular API calls. The correct answer is the only one that references both these services.

• Question 77:

  An AWS account owner has setup multiple IAM users. One of these IAM users, named John, has CloudWatch access, but no access to EC2 services. John has setup an alarm action which stops EC2 instances when their CPU utilization is below the threshold limit. When an EC2 instance's CPU Utilization rate drops below the threshold John has set, what will happen and why?

  A. Nothing will happen. John cannot set an alarm on EC2 since he does not have the permission.

  B. CloudWatch will stop the instance when the action is executed

  C. Nothing will happen because it is not possible to stop the instance using the CloudWatch alarm

  D. Nothing will happen. John can setup the action, but it will not be executed because he does not have EC2 access through IAM policies.

  Correct Answer: D

  Explanation: Amazon CloudWatch alarms watch a single metric over a time period that the user specifies and performs one or more actions based on the value of the metric relative to a given threshold over a number of time periods. The user can setup an action which stops the instances when their CPU utilization is below a certain threshold for a certain period of time. The EC2 action can either terminate or stop the instance as part of the EC2 action. If the IAM user has read/write permissions for Amazon CloudWatch but not for Amazon EC2, he can still create an alarm. However, the stop or terminate actions will not be performed on the Amazon EC2 instance.

  Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/ UsingAlarmActions.html

• Question 78:

  What is the maximum number of CloudTrails that you can create per AWS region?

  A. 10

  B. 2

  C. 16

  D. 5

  Correct Answer: D

  Explanation:

  You can create up to five CloudTrails per Amazon AWS region. A trail that applies to all regions exists in

  each region and is counted as one trail in each region.

  Reference: https://aws.amazon.com/cloudtrail/faqs/

• Question 79:

  A user is trying to send custom metrics to CloudWatch using the PutMetricData APIs. Which of the below mentioned points should the user needs to take care while sending the data to CloudWatch?

  A. The size of a request is limited to 128KB for HTTP GET requests and 64KB for HTTP POST requests

  B. The size of a request is limited to 40KB for HTTP GET requests and 8KB for HTTP POST requests

  C. The size of a request is limited to 16KB for HTTP GET requests and 80KB for HTTP POST requests

  D. The size of a request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests

  Correct Answer: D

  Explanation: With AWS CloudWatch, the user can publish data points for a metric that share not only the same time stamp, but also the same namespace and dimensions. CloudWatch can accept multiple data points in the same PutMetricData call with the same time stamp. The only thing that the user needs to take care of is that the size of a PutMetricData request is limited to 8KB for HTTP GET requests and 40KB for HTTP POST requests.

  Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/ cloudwatch_concepts.html

• Question 80:

  A user has enabled detailed CloudWatch monitoring with the AWS Simple Notification Service. Which of

  the below mentioned statements helps the user understand detailed monitoring better?

  A. SNS cannot provide data every minute

  B. There is no need to enable since SNS provides data every minute

  C. SNS will send data every minute after configuration

  D. AWS CloudWatch does not support monitoring for SNS

  Correct Answer: A

  Explanation: CloudWatch is used to monitor AWS as well as the custom services. It provides either basic or detailed monitoring for the supported AWS products. In basic monitoring, a service sends data points to CloudWatch every five minutes, while in detailed monitoring a service sends data points to CloudWatch every minute. The AWS SNS service sends data every 5 minutes. Thus, it supports only the basic monitoring. The user cannot enable detailed monitoring with SNS.

  Reference: http://docs.aws.amazon.com/AmazonCloudWatch/latest/DeveloperGuide/ supported_services.html