Mock test 2

  1. Your developers need a simple way to deploy a highly available, auto-scaled web application. What would be the simplest approach with the least management overhead?

A. Create a VPC with one public subnet for ELB. Create two public subnets for the web servers. Create a private subnet for the database. Deploy the ELB and two EC2 instances in the public subnets and a Multi-AZ RDS instance in the private subnet.

B. Create a VPC with two public subnets for the web servers and two private subnets for the databases. Deploy the two EC2 instances in the public subnets and a Multi-AZ RDS instance in the private subnets. Direct the traffic to the application via a Route 53 multi-value answer.

C. Use Elastic Beanstalk to deploy a new application and deploy the code into a new environment.

D. Use a CloudFormation quick-start template to deploy a new application and deploy the code into a new environment.

  1. A private instance is required to update its software from the internet. Which network device would need to be implemented to allow for this?

A. An ENI

B. A NAT Gateway

C. An Internet Gateway

D. A Virtual Private Gateway

  1. You are required to select the appropriate solution for a cluster of servers. Each of the servers will require the ability to provide in excess of 100,000 4 KB IOPS from the root volume. Which EC2 option will meet this requirement?

A. An EBS volume with provisioned IOPS

B. An instance type with an instance store volume

C. Any type of EBS optimized instance

D. A D1 instance type

  1. CloudWatch metrics have some limitations. Which of these would require you to use custom metrics? Choose all that apply:

A. Disk full percentage of an EBS volume

B. Disk usage activity of an EC2 instance store volume

C. Disk usage activity of an EC2 RDS volume

D. Disk full percentage of an instance store volume

  1. A user has created a private S3 bucket where he stores hundreds of files. The user wants to make all objects in the bucket public. How can he configure this with minimal effort?

A. Select each object in the management console and make it public.

B. Use an S3 SDK or AWS CLI script to change permissions for each object.

C. Apply a bucket policy that makes all objects in the bucket public.

D. Tag the bucket with public=true, which makes all objects in the bucket public.

  1. How can we find a particular error that occurred in a MySQL RDS database?

A. It is not possible to get the log files for MySQL RDS.

B. Find all the transaction logs from around the time the error happened and query those records to try and recreate the error.

C. The MySQL logs are accessible and searchable directly through the Amazon RDS console.

D. Retrieve the log through Elasticsearch and search for the error.

  1. You are operating an Auto Scaling group of EC2 instances. You would like to terminate one instance if the aggregate CPU usage of the Auto Scaling group goes below 20%. How can you achieve this?

A. Set up a notification email using SNS when the CPU utilization is less than 20%. Set the desired capacity to one less whenever you get an email.

B. Use CloudWatch to analyze the data and create a scheduled action to remove the instance when you estimate the usage will be below 20%.

C. Configure CloudWatch to continuously send notifications of CPU usage to SNS. Subscribe a Lambda to the SNS service to determine when the aggregate usage is below 20% and instruct the Lambda to terminate one instance.

D. Configure CloudWatch to send a notification to Auto Scaling when the aggregated CPU utilization is below 20%. Configure an Auto Scaling policy to remove one instance.

  1. You need to configure security groups for an application with an HTTP/HTTPS web frontend and a MySQL backend. The IP addressing information is as follows:
    • VPC: 10.10.0.0/16
    • Private subnet: 10.10.1.0/24
    • Public subnet: 10.10.0.0/24

Which of these entries is not required?

A. Private security group Source: 10.10.0.0/24. Action: allow port 80.

B. Private security group Source: 10.10.0.0/24. Action: allow port 3306.

C. Public security group Source: 0.0.0.0/0. Action: allow port 443.

D. Public security group Source: 0.0.0.0/0. Action: allow port 80.

  1. You have designed a CloudFormation script that deploys a MySQL RDS database. The database will be receiving a high amount of data very rapidly after deployment. You must ensure the template is designed in a way that will allow the database to perform at maximum efficiency:

A. Design the CloudFormation script to attach an S3 volume instead of EBS.

B. Design the CloudFormation script to deploy a Cassandra RDS instance instead.

D. Using a combination of CloudFormation and Python scripting, pre-warm the EBS volumes after the EBS volume has been deployed.

E. You should not be using CloudFormation. Instead, it would be better to script this using CodeDeploy.

  1. What is the durability of S3 RRS?

A. 99.5%

B. 99.95%

C. 99.995%

D. 99.999999995%

  1. You have an Auto Scaling group that runs a web server. The developers are seeing issues in performance and have asked you to deliver logs from the servers. The servers scale in and out frequently and the logs are being lost. How can you design your system to satisfy the request of the developers?

A. Periodically poll the events on the application via an API and store the results in a local file.

B. Create a crontab job for the instances that sends the logs to Glacier.

C. Use the CloudWatch agent to stream the logs into CloudWatch and direct the developers to view the logs in the CloudWatch management console.

D. Have the developers SSH in daily to extract the logs from the instances.

  1. You are running a hybrid environment with a VPN. Your management is considering using a Direct Connect connection instead of a VPN. Which operational aspect would be the most appropriate driver for switching from a VPN to AWS Direct Connect?

A. AWS Direct Connect provides greater redundancy than a VPN connection.

B. AWS Direct Connect provides greater resiliency than a VPN connection.

C. AWS Direct Connect provides greater bandwidth than a VPN connection.

D. AWS Direct Connect provides greater control of network provider selection than a VPN connection.

  1. You are exploring encryption for S3 and you are reading up on S3 SSE. What is S3 SSE?

A. Encryption of data in transit with a private link between the VPC and S3.

B. Encryption of bucket attributes at rest with a customer-managed encryption key.

C. Encryption of data at rest with an S3-managed encryption key.

D. Encryption of attributes in transit. KMS must be used when encryption of all data in transit is required.

  1. You are managing a Windows-based .NET application running in Elastic Beanstalk. You need to maintain the application log files due to compliance reasons. The infrastructure will scale in and out and you are afraid of losing the logs. How can you ensure the developers will be able to access only the log files?

A. Access the logs from the Elastic Beanstalk console.

B. Enable log file rotation to S3 within the Elastic Beanstalk configuration.

C. Ask your developers to enable log delivery via the web.config file.

D. Create a Windows Scheduled task to rotate the log files to S3.

  1. You have enabled detailed metrics on all of your ELBs in all of your regions. What would that option do?

A. Each ELB sends data to the regional CloudWatch endpoint every minute with no additional cost.

B. Each ELB sends data to the regional CloudWatch endpoint every minute at an additional cost.

C. Each ELB sends detailed metrics to one S3 bucket that you specify when enabling the setting.

D. Detailed monitoring is not supported on the ELB.

  1. You need to configure routing tables for your VPC. The IP addressing information is as follows:
    • VPC: 10.10.0.0/16
    • Private subnet: 10.10.1.0/24
    • Public subnet: 10.10.0.0/24

Which entry is required in the main route table to allow the instances to communicate on the internal IP addresses in all subnets?

A. Destination: 10.100.0.0/24 and Target: VPC

B. Destination: 10.100.0.0/16 and Target: ALL

C. Destination: 10.100.0.0/0 and Target: ALL

D. Destination: 10.100.0.0/16 and Target: Local

  1. Your application is running an SQS queue with an Auto Scaling group of consumers on EC2 instances. The group is scaled according to the number of messages in the queue. After a week, you find the group is at maximum with the EC2 instances idling but the number of messages in the queue keeps growing. What would be a possible reason for this situation?

A. The Auto Scaling group is too small for the number of messages and the messages cannot be processed and de-queued.

B. Try using Kinesis streams instead of SQS.

C. Messages in the SQS are corrupted and can't be processed and de-queued.

D. This is the normal operation of SQS. It just takes time to process the messages.

  1. You need to choose a service that will allow you to perform daily backups that are kept for 14 days without any management overhead. Which service would allow you to do this? Choose 2 answers:

A. Amazon S3

B. Amazon RDS

C. Amazon EBS

D. Amazon Redshift

  1. You are instructed to deploy a highly available application in EC2. You need to design the application from the ground up. What is the minimum design that will make sure the application is highly available with 99.9% availability?

A. Create a VPC with a single subnet. Deploy an Auto Scaling group of EC2 instances with a minimum of two instances. Use an ELB to load balance the instances.

B. Create a VPC with two subnets. Deploy an Auto Scaling group of EC2 instances with a minimum of two instances. Use an ELB for cross-zone load balancing.

C. Create a VPC with two subnets. Deploy an Auto Scaling group of EC2 instances with a minimum of one instance. Use an ELB for cross-zone load balancing.

D. Create a VPC with one subnet. Deploy an Auto Scaling group of EC2 instances with a minimum of one instance. Use an ELB for cross-zone load balancing.

  1. An application in an Auto Scaling group is misbehaving and the CPU regularly spikes to over 90% with no traffic triggering Auto Scaling. How can you quickly troubleshoot this issue with minimum downtime?

A. Take a snapshot of your EC2 instance. Delete the Auto Scaling group and the associated EC2 instances. Create a new EC2 instance with your snapshot and then begin troubleshooting. Once you have figured out the cause of the problem, take a new snapshot and use that snapshot as the base AMI for your new Auto Scaling group.

B. Suspend Auto Scaling. SSH into the EC2 instance and begin troubleshooting. Once you have fixed the problem, resume Auto Scaling.

C. Delete the Auto Scaling group and the associated EC2 instances. Create a new EC2 instance from scratch and reinstall your application. Once you have figured out the cause of the problem, take a new snapshot and use that snapshot as the base AMI for your new Auto Scaling group.

D. Delete Auto Scaling altogether and rely on manual scaling based on SNS notifications sent to your SysOps team from the appropriate CloudWatch metric.

  1. You are operating a mobile application that has several hundred thousand users. Which authentication solution would allow for distributing data stored in an S3 bucket and provide the highest flexibility to rotate credentials?

A. Use Identity Federation with an identity provider (IdP) or the STS service. Create a role for the federated identities and create an IAM policy for the S3 bucket.

B. Distribute IAM users to each client with an IAM policy granting access to the S3 bucket.

C. Create S3 bucket policies with a conditional statement for each client.

D. Create Access Control Lists (ACL) based on mobile client ID.

  1. Your application is running a web server and a database. You are seeing performance decreases in the web responses that are becoming longer and longer. You analyze the setup and see that the database responses are responsible for the slow responses. The more data you have, the slower the response from the database. Which of the following options could speed up performance? Choose 3 answers:

A. Create an RDS read replica and direct database read requests to the replica.

B. Cache database responses in ElastiCache and direct your read requests to ElastiCache.

C. Set up RDS in Multi-AZ and direct database read requests to the standby database.

D. Shard the RDS database into multiple databases and distribute load between shards.

E. Use database responses in CloudFront and direct your read requests to CloudFront.

  1. You are required to migrate a single volume instance from one region to another. How can this be done?

A. Create an AMI from the instance. Create a new instance from the AMI in the other region.

B. Use the ec2-migrate-instance command to move it to another region.

C. Create a snapshot of the instance. Copy the snapshot to the other region. Create a new instance from the snapshot in the other region.

D. Create an AMI from the instance. Copy the AMI to the other region. Create a new instance from the new AMI in the other region.

  1. You are designing a hybrid environment between your on-premises site and AWS. Your local network has a CIDR of 172.16.0.0/16. You have created a VPC with the CIDR of 10.100.0.0/16. Within the VPC, you have a public subnet with a CIDR of 10.100.0.0/24 and a private subnet of 10.100.1.0/24. You create a VPN gateway with the vgw-11112222 identifier. Which of the following entries would be valid?

A. Destination: 10.100.0.0/24 and Target: vgw-11112222

B. Destination: 172.16.0.0/16 and Target: ALL

C. Destination: 172.16.0.0/16 and Target: vgw-11112222

D. Destination: 0.0.0.0/0 and Target: vgw-11112222

  1. You are using a single multi-homed m5.large NAT instance inside a VPC to allow hosts in the private subnet to communicate with the internet. Lately, updates are not being downloaded to the instances in the private subnet. You decide to monitor the environment during the updates and see that the m5.large instance CPU is being maxed out and some instances cannot download the updates. What could you do to fix this? Choose all that apply:

A. Add another IGW to your VPC and load balance the IGWs.

B. Change the instance type from m5.large to m5.xlarge.

C. Implement a Direct Connect link to your on-premises environment and retrieve the updates from on-premises.

D. Deploy another NAT m5.large instance and add a route table entry that will spread traffic across the two NAT instances.

E. Point the instances to an ELB rather than a NAT instance. The ELB can scale on demand, so all traffic should pass seamlessly.

  1. You have four m5.large EC2 web servers deployed in an Auto Scaling group behind an ALB. You are running a MySQL RDS database with 5,000 Provisioned IOPS. Your application responses are slowing down and you look at the CloudWatch metrics. There is constant 95% CPU utilization on the web servers and only 20% CPU utilization on the RDS. The disk I/Os on the web servers are in the hundreds, while the database disk operations are as high as 2,500. Which two options do you have? Choose all that apply:

A. Change the instance type to c4.xlarge.

B. Use Auto Scaling and scale your servers based on CPU utilization.

C. Increase the database Provisioned IOPS, as the disk operations on the database are where the bottleneck is.

D. Rewrite your applications to allow for more TCP connections to your web tier. The current application is not optimized and is using too much CPU.

  1. You are the SysOps team lead and are trying to increase the security of your operations before the auditing team performs an assessment. What practices should you start using to prepare for the assessment? Choose 2 answers:

A. Implement a policy for remote administrative access to be performed securely.

B. Implement MFA for privileged team members.

C. Implement a policy to identify which Amazon-published AMIs can be used by your team.

D. Implement Trusted Advisor. Identify and disable all vulnerabilities on your EC2 instances.

  1. Your web application operates across the EU and the US. The auditing department identified that the application does not comply with the GDPR. Your developers have designed a registration system where all new users declare their country of residence. You have discovered that, based on their IP, some users seem to be coming from the EU and selecting other countries as their country of residence. How would you enhance the application to allow it to comply with the GDPR in full?

A. Run a copy of your application in both the US and EU regions. Use Route 53's latency-based routing to route traffic to the appropriate region based on the user's origin IP.

B. Run a copy of your application in both the US and EU regions. Use an ELB with sticky sessions to route traffic to the appropriate region based on the user's origin IP.

C. Run a copy of your application in both the US and EU regions. Use Route 53's geolocation-based routing to route traffic to the appropriate region based on the user's origin IP.

D. Run a copy of your application in two AZs in any of the US regions. Use an ELB with sticky sessions to route traffic to the appropriate region based on the user's origin IP.

  1. What does the following policy do?
    {
        "Id": "IPBasedPolicy",
        "Statement": [
            {
                "Sid": "IPRange",
                "Action": "s3:*",
                "Effect": "Allow",
                "Resource": "arn:aws:s3:::imagebucket/*",
                "Condition": {
                    "IpAddress": {
                        "aws:SourceIp": "10.100.100.0/24"
                    },
                    "NotIpAddress": {
                        "aws:SourceIp": "100.100.100.20/32"
                    }
                },
                "Principal": {
                    "AWS": ["*"]
                }
            }
        ]
    }

A. Denies any server within the 10.100.100.0 subnet access to the "imagebucket" bucket

B. Denies the server with the 10.100.100.20 IP access to the "imagebucket" bucket

C. Allows any server within the 10.100.100.0 subnet except the server with the 10.100.100.20 IP access to the "imagebucket" bucket

D. Denies any server within the 10.100.100.0 subnet access to the "imagebucket" bucket but allows the server with the 10.100.100.20 IP access to the "imagebucket" bucket

  1. An S3 bucket will serve a static website. The bucket is hosted in Ohio and the bucket name is sitefiles. What is the correct format of the URL that you can use as a CNAME for your website?

A. sitefiles.com.s3-website.us-east-2.amazonaws.com

B. sitefiles.s3-website-us-east-2.amazonaws.com

C. s3-us-east-2.amazonaws.com/sitefiles

D. sitefiles.s3-website.us-east-2.amazonaws.com

  1. You have started using S3 as a backup repository for your on-premises infrastructure. You need to back up approximately 150 TB of data to S3. You have a 10 GB internet line that you can use for backing up. The backup needs to be completed in 24 hours. What would be the correct approach to perform this backup?

A. Establish a VPN with AWS, as the VPN will reduce the data size by 1.5 times.

B. Upload the files in parallel to S3.

C. Compress the data into a single archive, upload it to S3, then extract the files in AWS.

D. Use the AWS Snowball service to order several snowball devices and transfer the data in this manner.

  1. You are required to keep track of the performance of your application running across different components of AWS including hundreds of EC2 instances, ELBs, thousands of ECS containers, multiple RDS, and DynamoDB databases. What would be the correct approach to creating a simple overview of your application's crucial statistics?

A. Tag your resources and project the tag name as an attribute in CloudWatch. Create a saved query and use the management console to view the metrics when required with the saved query.

B. Tag your resources and project the tag name as an attribute in CloudWatch. Create a custom dashboard and use the management console to view the metrics when required in the dashboard.

C. Tag your resources and project the tag name as an attribute in CloudWatch. Create a CLI query and use the CLI to export the metrics when required with the CLI query.

D. Tag your resources and project the tag name as an attribute in CloudWatch. The tag can be used directly in the CloudWatch Overview section.

  1. You are designing a security group for your web application. The application runs an ELB with the 34.187.12.134 IP, a web server instance group in a 10.200.0.0/24 subnet and a pair of Multi-AZ MySQL RDS instances with sharded data across the pair with the 10.200.100.0/24 subnet. You create a security group for each tier and now need to add the correct rules to the security groups. Which of the following rules would not be required?

A. Security group - web-tier. Source: 34.187.12.134/32. Port: 80

B. Security group - elb-tier. Source: 0.0.0.0/0. Port: 80

C. Security group - rds-tier. Source: web-tier. Port: 3306

D. Security group - web-tier. Source: elb-tier. Port: 80

  1. Which option is not available when configuring the negotiation of client SSL connections on the ELB?

A. SSL Protocols

B. Client Order Preference

C. SSL Ciphers

D. Server Order Preference

  1. If it is possible, identify which of the following options needs to be configured to enable a client to identify a matching cipher in the ELB cipher list when the client requests ELB DNS over SSL?

A. Cipher Protocol.

B. Client Configuration Preference.

C. Server Order Preference.

D. Load Balancer Preference.

E. This is not possible.

  1. A user has created an SQS FIFO queue. The application has been working great, but the number of messages in the FIFO queue is growing. You determine that the worker servers are mostly idling and are hitting the 300 operations per second limit, and only retrieving 300 messages at a time. The input to the message queue is delivering a much higher number of messages. How can you fix the issue?

A. Request an operations limit increase by submitting a ticket to AWS.

B. Use bulk requests in your worker tier.

C. Reduce the number of incoming messages and purge the queue to catch up with the latest data.

D. The 300 operations limit is a hard limit. Create a second FIFO queue and distribute the messages across two queues. The FIFO order will be maintained across the queues.

  1. You have an application that has predictable performance of approximately 2,500 500-byte write operations per second. You need to select a data store that would be optimal in performance and cost for your application. The solution needs to be highly available and should allow for minimal read performance.

A. RDS MySQL instance with Multi-AZ

B. An EC2 instance with a SSD instance store volume

C. An S3 bucket with 1,250 connections per second provisioned

D. A DynamoDB table with 2,500 WCUs and a low number of RCUs provisioned

  1. You are capturing 5-minute ELB metrics with CloudWatch. For the purpose of analyzing traffic patterns and troubleshooting, you need to also start capturing connection information, such as source IPs. Which option do you need to select to enable the capturing of connection information from your ELB?

A. Use AWS CloudTrail on the ELB.

B. Enable access logs on the ELB.

C. Use the CloudWatch logs agent on the ELB.

D. Use CloudWatch detailed metrics on the ELB.

  1. You are running a hybrid environment with a VPN from AWS to your on-premises location. You have multiple DNS servers on-premises. The on-premises DNS servers are serving internal application DNS records. The internal DNS servers are also able to resolve public FQDN names. The security policy dictates that the internal DNS names should only be resolved within the internal network and not from the public IP ranges. You will be building a public and a private subnet in your VPC that will host an extension to your applications. You need to provide the internal DNS to the EC2 instances that require the DNS names of the internal resources. What would be the appropriate way to allow EC2 to resolve internal resources but not expose the internal DNS to public IPs?

A. This is not possible, as you would be exposing your DNS to public IP space by connecting it to AWS.

B. Use a Route 53 hosted-zone for the internal domain name and replicate the DNS entries from the on-premises DNS.

C. Create a DHCP option set that specifies the domain name server value as the on-premises DNS servers. Replace the default DHCP option set for the VPC with the newly created DHCP option set.

D. Create two DHCP options sets, DHCPSetA and DHCPSetB. Configure DHCPSetA to specify the Amazon-provided DNS server as the domain name server to resolve all internet domain names. Configure DHCPSetB to specify the on-premises DNS server as the domain name server to resolve all internal domain names. Apply both the DHCP options set to the VPC so that both internet domain names and internal domain names can be resolved.

  1. You are operating an application using SQS, S3, and EC2. When a file is uploaded to the EC2 web tier it is stored in S3. A message is then created in SQS. The application tier reads the messages and processes the contents of the file. Your application gets hacked over a long weekend and is down for 3 days until you are able to secure it. You want to bring it online, but are worried that the messages received have been lost and the files from the long weekend will not be processed. Is this statement correct?

A. Yes, because the default SQS message retention period is only 12 hours.

B. Yes, because the default SQS message retention period is only 1 day.

C. No, because the default SQS message retention period is 4 days.

D. No, because the default SQS message retention period is 14 days.

  1. You are running a sports news service that records the information about game scores from across the world 24/7 in real time to a DynamoDB table by game ID. Your users are able to see the scores on the website, but have requested a feature to be notified as soon as a score in a particular game that they subscribe to has changed. What would be an appropriate approach to building this solution?

A. Subscribe a Lambda function to a DynamoDB stream. Have the Lambda read the changes and send all the changes to an SNS topic that the users can subscribe to. The users can then receive the scores.

B. Subscribe a Lambda function to a DynamoDB stream. Have the Lambda read the changes and send the changes for each game ID to a corresponding SNS topic that the users can subscribe to. The users can then receive the scores.

C. Subscribe one SNS topic to each game ID to DynamoDB. When a game ID is updated, a message will automatically be generated that will send the subscribers a notification of the change.

D. Have the service record the changes in a Kinesis stream. Have the Lambda read the changes in the Kinesis stream and send the changes for each game ID to a corresponding SNS topic that the users can subscribe to. The users can then receive the scores.

  1. Which method can be used to prevent an IP address from accessing objects in a public S3 bucket?

A. Apply a bucket policy on the bucket.

B. Create a NACL on the VPC of the bucket.

C. Create an ACL on all objects in the bucket.

D. Modify the IAM policies of any users from that IP range.

  1. You have created a VPC with an internet gateway (IGW). The VPC has two public and two private subnets, with one subnet of each type per AZ. You have provisioned an ELB and configured it with cross-zone load balancing. You spin up instances in an Auto Scaling group behind the ELB in both the public and the private subnets. You have created a MySQL instance in one private subnet and a read replica for BI purposes in the other subnet. Are there any single points of failure in this design?

A. There are no single points of failure in this design.

B. You need to create a second IGW to make this highly available.

C. The RDS requires Multi-AZ. Remove the read replica and implement Multi-AZ on the MySQL DB.

D. The RDS requires Multi-AZ. Implement Multi-AZ on the MySQL DB.

  1. You are designing a multi-regional web site that can automatically recover from a disaster very quickly with minimum downtime. Which of the following approaches is best?

A. Use multi-region S3 replication for your buckets.

B. Use the Pilot Light DR architecture to automatically fail over to a secondary site when the primary site becomes unreachable.

C. Use a Low Capacity Standby site to automatically fail over to a secondary site when the primary site becomes unreachable.

D. Use multiple fully functional sites and Route 53 health checks to automatically fail over to a different site when a site becomes unreachable.

  1. You are looking to implement cost oversight of all AWS resources consumed by your company's departments. The company policy requires each department to be autonomous and have complete control over their environment. Which options would allow you to provide this functionality? Choose two:

A. Use AWS Consolidated Billing.

B. Enable IAM cross-account access for all corporate IT administrators.

C. Use separate VPCs per department within the corporate account.

D. Use separate accounts per department.

E. Forward all CloudTrail logs to a centralized billing account.

  1. You would like to schedule scaling for your application during work hours. Which of the following parameters is not required in this case?

A. Desired size

B. Auto Scaling group name

C. End time

D. Resource usage threshold for scaling

E. Start time

  1. According to shared responsibility, which task does AWS perform to make sure that data does not leak from the AWS environment? Choose all that apply:

A. AES-256 encryption of data stored on any shared storage device

B. Decommissioning of storage devices using industry-standard practices

C. Background virus scans of EBS volumes and EBS snapshots

D. Replication of data across multiple AWS Regions

E. Secure wiping of EBS data when an EBS volume is unmounted

  1. You are required to extend a highly sensitive application to the cloud. You are required to pass all traffic encrypted through private links. What would be the correct solution for this design?

A. Deploy a VPN between your on-premises and AWS. This automatically encrypts all the data in transit via IPSec and keeps the data always on private networks.

B. Deploy a Direct Connect connection between your on-premises and AWS. This automatically encrypts all the data in transit via IPSec and keeps the data always on private links.

C. Deploy a VPN over a Direct Connect connection between your on-premises and AWS. This automatically encrypts all the data in transit via IPSec and keeps the data always on private links.

D. It is impossible to keep the data on private links when connecting to AWS.

  1. You manage a catalog application where users upload product images for your e-commerce website. The users would like to share a link with others to view and comment on the photos. What AWS storage option will offer high availability, high scalability, the lowest cost, and highest reliability to store and share these photos?

A. Use the instance store on each web server. Replicate the storage using a cluster filesystem.

B. Use S3 to store the images. Create a system to distribute signed URLs.

C. Use EBS to store the images. Share the EBS among instances of web servers so they can serve the images with signed URLs.

D. Use EFS to store the images. Share the EFS among instances of web servers so they can serve the images with signed URLs.

  1. A mission-critical web app runs with a minimum of eight EC2 instances and a maximum of 24 instances behind an ELB. The application is running in two AZs in a single region. The app depends on synchronous replication of the database layer to sync the data across all the instances in all the AZs. The application needs to retain full capacity of eight instances even if one Availability Zone goes down. How can the current architecture be improved to ensure this?

A. Deploy a minimum of eight instances in each AZ. This will ensure there is enough capacity at all times.

B. Deploy in three AZs with four instances in each. This will ensure there is enough capacity at all times.

C. Replicate this setup to another region. Use Route 53 round robin and ensure that there are two instances running in each AZ in each region, for a total of eight.

D. Replicate this setup to another region and use the Pilot Light approach to enable disaster recovery if an AZ goes down.

  1. You have a global application that needs to share key-value data in a centralized database distributed across regions for HA. What AWS option would be best suited to achieve this?

A. Use one DynamoDB table in one region. All application components should access this one table. Back up the table to a DynamoDB backup to another region for HA and redirect the traffic in case of primary failure. 

B. Use one RDS instance in one region. All application components should access this one database. Create a read replica to another region for HA and redirect the traffic in case of primary failure. 

C. Create DynamoDB tables in multiple regions. Create a DynamoDB global table by specifying all of the tables you just created. All application components should access the global table.

D. Use an ElastiCache Cassandra database cluster distributed across regions. This will enable all the features required.

  1. What does the following IAM policy do? Choose all that apply:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [ "s3:Get*", "s3:List*" ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:PutObject",
                "Resource": "arn:aws:s3:::samplebucket/*"
            }
        ]
    }

A. Permission to read all objects from all S3 buckets

B. Permission to write all objects into the bucket named "samplebucket"

C. Permission to deny the listing of all of the objects in the bucket named "samplebucket"

D. Permission to read objects from the bucket named "samplebucket"

E. Permission to change access rights for the bucket named "samplebucket"

  1. You run EC2 instances in an Auto Scaling group behind an ELB. Monitoring over the last year shows that there is no traffic to the servers on any day between 1 a.m. and 6 a.m. The minimum number of servers in the Auto Scaling group is set to two for high availability. How could you optimize the setup to save costs, but also ensure that if any traffic ever comes between 1 a.m. and 6 a.m., the site would still provide some kind of valid website response?

A. Create a scheduled scaling event that terminates all the instances at 1 a.m. and brings two instances back at 6 a.m. The ELB will respond with a cached page in the meantime.

B. Create a scheduled scaling event that terminates all the instances at 1 a.m. and brings two instances back at 6 a.m. Create a static S3 website and a Route 53 health check. This will show the static page in the meantime.

C. Create a scheduled scaling event that terminates all the instances at 1 a.m. Create an SQS queue to which the ELB will send requests. Scale according to the queue depth.

D. Create a scheduled scaling event that terminates all the instances at 1 a.m. Create a CPU usage scaling policy that will scale as soon as the ELB CPU usage is above 1%.

  1. You are operating a Java application designed with the AWS Java SDK that writes to a DynamoDB backend with 1,000 provisioned write capacity units. The application has worked well for over a year. Last week, a developer submitted a ticket to support due to an issue with DynamoDB. When he was testing a new version on the production DynamoDB table, he saw several ProvisionedThroughputExceededException errors come up during his test. You check your application and see that at certain times there are spikes in writes, and approximately 2% of all the daily requests to the backend are receiving the same error. However, the application seems to be working properly and no complaints have been received from any of the users. What should you do to avoid losing any data due to this issue?

A. Increase the size of the WCUs to match the spikes.

B. Nothing. The SDK automatically retries all the requests that receive this error.

C. View the performance metrics for provisioned throughput versus consumed throughput in CloudWatch. Determine the times when the spikes occur and provision Spot instances to cache the load during these times.

D. Implement DAX DynamoDB acceleration to handle the spikes.

  1. Which of the following logs are not available in the console for MySQL?

A. Error Log

B. Slow Query Log

C. Transaction Log

D. General Log

  1. You are capturing bulk metric data from weather sensors every hour to your EC2 instance. The metrics are being discarded after 48 hours, but you would like to send the data to CloudWatch to keep them for longer and create graphs of the captured data. How could you do that?

A. Use the AWS CLI or API to upload the metrics.

B. Use the AWS Database Migration Tool to import data to CloudWatch.

C. Download the data from the EC2 instance and use the AWS console to bulk import into CloudWatch.

D. The weather data is not supported by CloudWatch.

  1. You use S3 to store critical data for your company. Everyone requires full access to the S3 buckets. You need to protect against the accidental deletion of critical files in the bucket. Which two options will address this issue? Choose 2 answers:

A. Enable versioning on S3.

B. Enable object lifecycle policy to archive data to Glacier every day.

C. Create a Bucket policy that will change the permissions to read-only permissions at the bucket level.

D. Configure all the S3 buckets with MFA delete.

  1. Which of the following are characteristics of Amazon SQS? Choose all that apply:

A. FIFO queues guarantee ordered delivery.

B. The maximum size of a message is 512 KB including the metadata (256 KB data + 256 KB metadata).

C. SQS works in a publisher/subscriber push model.

D. SQS standard queues have unlimited throughput.

E. SQS workers can be developed using the Lambda SQS worker CLI.

  1. You are looking to update an existing application using EC2 from AMIs, ECS from tasks, Aurora RDS instances, SQS and SNS, ElastiCache, and DynamoDB. You would like to use the blue/green approach. You have deployed your application manually in the past, but now you would like to automate the way new deployments are being delivered. What tool could you choose to achieve this in the simplest way possible?

A. Deploy your new application with Elastic Beanstalk.

B. Deploy your new application with CloudFormation.

C. Deploy your new application with OpsWorks.

D. Deploy your new application manually according to the design of your current application.

  1. You need to analyze the performance of the application behind your ELB. You have enabled ELB logging and are now able to see processing time information. Identify the three processing times you are able to see:

A. Response processing time

B. Backend processing time

C. Database processing time

D. Frontend processing time

E. Request processing time
