Q1. Which of the following RDS database engines have a limit to the number of databases that can run per instance? [Select 2]
a) PostgreSQL
b) Amazon Aurora
c) Oracle
d) SQL Server
Explanation
Both the Oracle and SQL Server database engines limit how many databases can run per instance. This is primarily because the underlying technology is proprietary and requires specific licensing to operate. Database engines based on open-source technology, such as Aurora, MySQL, MariaDB or PostgreSQL, have no such limits.
Abbreviations
RDS - Relational Database Service
Q2. Your server logs are full of what appear to be application-layer attacks, so you deploy AWS Web Application Firewall. Which of the following conditions may you set when configuring AWS WAF? [Select 3]
a) IP Match Conditions
b) Size Constraint Conditions
c) URL Match Conditions
d) Termination Conditions
e) String Match Conditions
f) SQL Rejection Match Conditions
Abbreviations
WAF - Web Application Firewall
Q3. Which of the below are database services from AWS? [Select 2]
a) DynamoDB
b) RDS
c) EC2
d) S3
Explanation
RDS is the AWS service for relational databases. DynamoDB is AWS's fast, flexible NoSQL database service. S3 provides the ability to store files in the cloud and is not suitable for databases, while EC2 is part of the compute family of services.
Abbreviations
RDS - Relational Database Service
EC2 - Elastic Compute Cloud
S3 - Simple Storage Service
Q4. You've been tasked with building a new application with a stateless web tier for a company that produces reusable rocket parts. Which three services could you use to achieve this? [Select 1]
a) RDS for structured data, DynamoDB for unstructured data and ElastiCache
b) AWS Storage Gateway, ElastiCache and ELB
c) ELB, ElastiCache and RDS
d) CloudWatch, RDS for structured data and DynamoDB for unstructured data
Explanation
The essence of a stateless installation is that the scalable components are disposable, and configuration is stored away from those disposable components. The best way to solve this type of problem is by elimination. Storage Gateway offers no advantage in this situation. CloudWatch is a reporting tool and will not help. An ELB will distribute the load but is not really specific to stateless design. ElastiCache is well suited to very short, fast-cycle data and is a very suitable replacement for in-memory or on-disk state data previously held on the web servers. RDS is well suited to structured, long-cycle data, and DynamoDB is well suited to unstructured, medium-cycle data. Both can be used for certain types of stateful data, either in partnership with or instead of ElastiCache.
Abbreviations
RDS - Relational Database Service
ELB - Elastic Load Balancing
Q5. What are the four levels of AWS premium support? [Select 1]
a) Free, Bronze, Silver and Gold
b) Basic, Startup, Business and Enterprise
c) It's an IaaS, there is no support
d) Basic, Developer, Business and Enterprise
Explanation
Remember that 'Free Tier' is a billing rebate. It is not an account type or support type.
Abbreviations
IaaS - Infrastructure as a Service is a standardized, highly automated offering in which computing resources owned by a service provider, complemented by storage and networking capabilities, are offered to customers on demand. Resources are scalable and elastic in near real time and metered by use.
PaaS - Platform as a Service is a complete development and deployment environment in the cloud, with resources that enable you to deliver everything from simple cloud-based apps to sophisticated, cloud-enabled enterprise applications.
Q6. Your company has a policy of encrypting all data at rest. You host your production environment on EC2 in a bespoke VPC. Attached to your EC2 instances are multiple EBS volumes, and you must ensure this data is encrypted. Which of the following options will allow you to do this? [Select 3]
a) Encrypt your data inside your application, before storing it on EBS.
b) EBS Volumes are encrypted by default. You do not need to do anything.
c) Encrypt the data using native encryption tools available in the operating system (such as Windows BitLocker).
d) Use third party volume encryption tools.
e) Install SSL certificates on the servers so as to encrypt your data.
Explanation
EBS volumes can be encrypted, but they are not encrypted by default. SSL certificates will only be useful to encrypt data in transit, not data at rest.
Abbreviations
EC2 - Elastic Compute Cloud
VPC - Virtual Private Cloud
EBS - Elastic Block Store
Q7. Your company has decided to set up a new AWS account for test and dev purposes. They already use AWS for production but would like a new account dedicated to test and dev so as not to accidentally break the production environment. You launch an exact replica of your production environment using a CloudFormation template that your company uses in production. However, CloudFormation fails. You use the exact same CloudFormation template in production, so the failure must have something to do with your new AWS account. The CloudFormation template is trying to launch 60 new EC2 instances in a single availability zone. After some research, you discover that the problem is __. [Select 1]
a) For all new AWS accounts, there is a soft limit of 20 EC2 instances per region. You should submit the limit increase form and retry after your limit has been increased.
b) You cannot launch more than 20 instances in your default VPC. Instead, reconfigure the CloudFormation template to provision the instances in a custom VPC.
c) Your CloudFormation template is configured to use the parent account and not the new account. Change the account number in the CloudFormation template and relaunch the template.
d) For all new AWS accounts, there is a soft limit of 20 EC2 instances per availability zone. You should submit the limit increase form and retry after your limit has been increased.
Q8. Which of the following options allow users to have secure access to private files located in S3? [Select 3]
a) CloudFront Origin Access Identity
b) CloudFront Signed URLs
c) Public S3 bucket
d) CloudFront Signed Cookies
Explanation
Three of the options in the question can be used to secure access to files stored in S3 and can therefore be considered correct. Signed URLs and Signed Cookies are two different ways to ensure that users attempting to access files in an S3 bucket can be authorised. One method generates URLs and the other generates special cookies, but both require an application and a policy to generate and control these items. An Origin Access Identity, on the other hand, is a virtual user identity that gives the CloudFront distribution permission to fetch a private object from an S3 bucket. A public S3 bucket should never be used unless the bucket is hosting a public website, so this is an incorrect option.