QUESTIONS WITH 100% CORRECT ANSWERS AND
RATIONALES
Which of the below are TRUE when running a database in an EC2 Instance?
(choose 3)
The customer is responsible for updating the operating system
The customer is responsible for updating the database software
The customer is responsible for managing access to the database
AWS is responsible for managing access to the database
AWS is responsible for updating the operating system
AWS is responsible for updating the database software
ANSWER-- The customer is responsible for updating the operating system
The customer is responsible for updating the database software
The customer is responsible for managing access to the database
In this case, as the database is being run in an EC2 instance, all aspects of database
updates and access are the responsibility of the customer. Similarly, as it is an EC2
instance, the customer is responsible for OS patching. Under the Shared Responsibility
Model, AWS takes responsibility for managing all the hardware (including access,
patching and other maintenance) and software required to deliver the service, which in
this case is the EC2 instance; anything to do with the instance itself is the
responsibility of the customer.
You want to streamline access management for your AWS administrators by assigning
them a pre-defined set of permissions based on their job role - which of the below is the
best way to approach this?
Use IAM Groups
Use Amazon Cognito
Use AWS Organizations
Use IAM Roles
ANSWER-- Use IAM Groups
Using IAM Groups lets you create a list of pre-defined permissions that any user made
a member of that group will be granted. Roles are primarily used to grant AWS resources
permissions to other AWS resources and generally are not for end-users. Amazon
Cognito is a service that helps authenticate users to your apps, not to the AWS
console itself.
A purchasing department staff member is set up as an AWS user in the company's
procurement AWS account. At each month-end, the staff member needs access to an
application running on EC2 in the company's accounts payable AWS account to
reconcile reports. Which of the following provides the most secure and operationally
efficient way to give the staff member access to the accounts payable application?
Configure Active Directory integration so that you can federate the staff member's
access to the accounts payable AWS account
Create a user for the staff member in the accounts payable AWS account
Invoke an AWS Lambda function to run the application in the accounts payable AWS
account
Have the user request temporary security credentials for the application by assuming a
role
ANSWER-- Have the user request temporary security credentials for the
application by assuming a role
The staff member should be given the ability to assume a role programmatically with the
permissions necessary to run the accounts payable application. Setting up another
AWS user for the staff member in the accounts payable account will require
long-term (hard) credentials to be presented programmatically. Both federation and Lambda will
require the use of a role as well, but with the added overhead of maintaining Active
Directory or the Lambda function.
Which of the following statements are true about who can use IAM roles?
(choose 3)
An IAM user in a different AWS account than the role
An IAM user in the same AWS account as the role
A web service offered by AWS
A web service offered by providers other than AWS
ANSWER-- An IAM user in a different AWS account than the role
An IAM user in the same AWS account as the role
A web service offered by AWS
A role can be used by either an IAM user in the same AWS account as the role or an IAM
user in a different AWS account. A role can also be used by a web service that AWS
offers; a prime example is Amazon EC2.
According to the Shared Responsibility Model, which of the following is AWS
responsible for?
(choose 2)
Network Access Control Lists
Elastic Cloud Compute (EC2) infrastructure
Amazon Virtual Private Cloud
Security Groups
Subnets
ANSWER-- Elastic Cloud Compute (EC2) infrastructure
Amazon Virtual Private Cloud
Protecting the infrastructure that runs all of the services in the AWS Cloud is the
responsibility of AWS. Such services include EC2 infrastructure (the hardware
compute platform for running EC2 instances) and Amazon Virtual Private Cloud (VPC),
which enables customers to provision a logically isolated section of the AWS
Cloud in which to launch their resources. The subnets, security groups, and network access
control lists configured in the VPC are the responsibility of the customer.
Which service might you use to provide Distributed Denial of Service (DDoS) protection
to your applications running on AWS?
AWS Shield
AWS WAF
DynamoDB
AWS Inspector
ANSWER-- AWS Shield
AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that
safeguards applications running on AWS.
Which of the below are TRUE statements when it comes to data security in AWS?
(choose 3)
The customer is responsible for managing who can access the data
AWS is responsible for the security of the hardware the data resides on
The customer is responsible for the security of the software that manages the data
AWS is responsible for the security of the software that manages the data
AWS is responsible for managing who can access the data
The customer is responsible for the security of the hardware the data resides on
ANSWER-- The customer is responsible for managing who can access the data
AWS is responsible for the security of the hardware the data resides on
AWS is responsible for the security of the software that manages the data
Under the Shared Responsibility Model, AWS takes responsibility for managing all the
hardware (including access, patching and other maintenance) and software required to
deliver the service, which includes their security. The customer is responsible for who can
access the data itself.
Enabling Amazon GuardDuty automatically grants this service the permission to
analyze which of the following data sources?
(choose 3)
DNS query logs
VPC Flow Logs
AWS CloudTrail logs
Amazon S3 buckets
ANSWER-- DNS query logs
VPC Flow Logs
AWS CloudTrail logs
Amazon GuardDuty monitors the security of your AWS environment by analyzing and
processing three data sources: VPC Flow Logs, AWS CloudTrail event logs,
and DNS logs.
With AWS services, you can use as many resources as you need, as well as use them
when you need them. Which of the following terms can be applied to this concept?
(choose 2)
Disposable resources
Temporary resources
Dedicated resources
Fixed resources
ANSWER-- Disposable resources
Temporary resources
Working in a traditional infrastructure environment means that you have to deal with
fixed resources, which is comparatively costly and labor-intensive. By contrast, AWS
services are much more convenient: they provide the ability to use as many
resources as you need and to dispose of them when you no longer need them. That is why
such resources are both temporary and disposable.
Which of the following is a Shared Control of the AWS Shared Responsibility Model?
Patch Management
Firmware Upgrades
Hardware Maintenance
Security Group Configuration
ANSWER-- Patch Management
Shared Controls are elements of the Shared Responsibility Model where both AWS and
the customer have responsibilities within their own contexts. Patch
Management is a Shared Control, since AWS is responsible for patching and fixing
flaws within the infrastructure, including managed services like RDS, while customers are
responsible for patching their guest OS and applications. Firmware upgrades and
other hardware maintenance processes are solely the responsibility of AWS.
Configuration of Security Groups remains the responsibility of the customer.
If you have a new application and you are not sure about future demand, which of the