Which AWS service or feature identifies whether an Amazon S3 bucket or an IAM role has been shared with an external entity?
AWS Service Catalog
AWS Systems Manager
AWS IAM Access Analyzer
AWS Organizations
Answer is AWS IAM Access Analyzer
AWS IAM Access Analyzer is a service that helps identify and review unintended access to resources in an AWS account. It uses automated reasoning to analyze resource policies, including S3 bucket policies and IAM roles, to identify any potential external access permissions.
With IAM Access Analyzer, users can quickly identify whether their S3 bucket or IAM role has been shared with external entities such as other AWS accounts. It provides detailed findings that highlight any potential issues with access permissions and recommends actions to remediate them.
A large enterprise with multiple VPCs in several AWS Regions around the world needs to connect and centrally manage network connectivity between its VPCs.
Which AWS service or feature meets these requirements?
AWS Direct Connect
AWS Transit Gateway
AWS Site-to-Site VPN
VPC endpoints
Answer is AWS Transit Gateway
AWS Transit Gateway is a fully managed service that simplifies the connectivity and routing between VPCs and on-premises networks. It acts as a hub that enables inter-VPC communication and connectivity to on-premises data centers or remote networks.
With AWS Transit Gateway, the large enterprise can create a transit gateway as a central hub, attach multiple VPCs to it, and peer transit gateways across AWS Regions to extend that hub globally. This allows for centralized management and control of network traffic between VPCs, simplifying network architecture and reducing administrative overhead.
Which AWS service supports the creation of visual reports from AWS Cost and Usage Report data?
Amazon Athena
Amazon QuickSight
Amazon CloudWatch
AWS Organizations
Answer is Amazon QuickSight
Amazon QuickSight is a business intelligence (BI) service that allows users to create interactive visualizations, reports, and dashboards from various data sources, including AWS services. It provides rich visualization capabilities to analyze and explore data, enabling users to gain insights and make data-driven decisions.
With Amazon QuickSight, users can connect to their AWS Cost and Usage Report data and create visual reports to analyze and track their AWS costs. They can build charts, graphs, and other visualizations to understand cost trends, identify cost drivers, and compare spending across different dimensions such as services, accounts, regions, and more.
Which AWS service should be used to monitor Amazon EC2 instances for CPU and network utilization?
Amazon Inspector
AWS CloudTrail
Amazon CloudWatch
AWS Config
Answer is Amazon CloudWatch
Amazon CloudWatch is a monitoring service provided by AWS that enables users to collect and track metrics, logs, and events from various AWS resources, including Amazon EC2 instances. With CloudWatch, users can monitor CPU utilization, network utilization, and other metrics to gain insights into the performance and health of their EC2 instances.
By setting up CloudWatch metrics, users can collect data on CPU usage and network traffic at regular intervals, allowing them to monitor resource utilization and identify any performance bottlenecks or anomalies. CloudWatch provides real-time monitoring, customizable dashboards, and the ability to set alarms and receive notifications based on predefined thresholds.
Question 245
A user wants to deploy a service to the AWS Cloud by using infrastructure-as-code (IaC) principles.
Which AWS service can be used to meet this requirement?
AWS Systems Manager
AWS CloudFormation
AWS CodeCommit
AWS Config
Answer is AWS CloudFormation
AWS CloudFormation is a service that allows users to define and provision AWS infrastructure resources using a declarative template. It enables the creation of cloud resources in a consistent and repeatable manner, using infrastructure-as-code principles.
With AWS CloudFormation, users can define their desired infrastructure configuration in a template file written in YAML or JSON format. This template describes the desired state of the AWS resources, including EC2 instances, load balancers, databases, and more. By deploying the CloudFormation stack, the infrastructure is automatically provisioned based on the template, ensuring consistency and reducing manual configuration.
CloudFormation templates can be version-controlled, shared, and reused, making it easier to manage and maintain infrastructure configurations. They also support advanced features such as parameterization, conditional resource creation, and orchestration of multi-tier applications.
Which AWS service or feature gives a company the ability to control incoming traffic and outgoing traffic for Amazon EC2 instances?
Security groups
Amazon Route 53
AWS Direct Connect
Amazon VPC
Answer is Security groups
A security group acts as a virtual firewall for your EC2 instances to control incoming and outgoing traffic. Inbound rules control the incoming traffic to your instance, and outbound rules control the outgoing traffic from your instance. When you launch an instance, you can specify one or more security groups. If you don't specify a security group, Amazon EC2 uses the default security group for the VPC. You can add rules to each security group that allow traffic to or from its associated instances. You can modify the rules for a security group at any time. New and modified rules are automatically applied to all instances that are associated with the security group. When Amazon EC2 decides whether to allow traffic to reach an instance, it evaluates all of the rules from all of the security groups that are associated with the instance.
A company is migrating its public website to AWS. The company wants to host the domain name for the website on AWS.
Which AWS service should the company use to meet this requirement?
AWS Lambda
Amazon Route 53
Amazon CloudFront
AWS Direct Connect
Answer is Amazon Route 53
Amazon Route 53 is a scalable and highly available Domain Name System (DNS) web service provided by AWS. It allows you to register and manage domain names and perform DNS routing for your applications. Route 53 provides various DNS management features, including domain registration, DNS routing policies, and health checks.
In the case of hosting the domain name for the company's website on AWS, Amazon Route 53 can be used to register the domain name, configure the DNS settings, and point the domain to the appropriate AWS resources, such as the website hosted on Amazon S3, Amazon EC2 instances, or load balancers.
Question 248
A company needs to evaluate its AWS environment and provide best practice recommendations in five categories: cost, performance, service limits, fault tolerance, and security.
Which AWS service can the company use to meet these requirements?
AWS Shield
AWS WAF
AWS Trusted Advisor
AWS Service Catalog
Answer is AWS Trusted Advisor
AWS Trusted Advisor is the service that evaluates an AWS environment against best practices in exactly these five categories: cost optimization, performance, service limits, fault tolerance, and security.
AWS Trusted Advisor provides real-time guidance to help users optimize their AWS resources, improve performance, reduce costs, and enhance security by identifying opportunities and providing recommendations. For each category it lists specific checks, flags the resources that fail them, and gives advice on how to address each issue.
Which AWS service provides the capability to view end-to-end performance metrics and troubleshoot distributed applications?
AWS Cloud9
AWS CodeStar
AWS Cloud Map
AWS X-Ray
Answer is AWS X-Ray
AWS X-Ray is a service that helps developers analyze and debug distributed applications, such as those running on microservices architectures. It provides end-to-end visibility into requests as they travel across various components and services, allowing you to identify performance bottlenecks, troubleshoot issues, and optimize application performance.
With AWS X-Ray, you can trace requests as they flow through different AWS resources and services, including AWS Lambda functions, Amazon EC2 instances, Amazon ECS containers, and more. It captures information about each step of the request journey, including response times, errors, and the dependencies between different components.
Which AWS service provides threat detection by monitoring for malicious activities and unauthorized actions to protect AWS accounts, workloads, and data that is stored in Amazon S3?
AWS Shield
AWS Firewall Manager
Amazon GuardDuty
Amazon Inspector
Answer is Amazon GuardDuty
Amazon GuardDuty is an AWS service that provides threat detection by continuously monitoring for malicious activities and unauthorized actions in AWS accounts. It analyzes data from various sources, such as VPC Flow Logs, CloudTrail event logs, and DNS logs, to identify potential security threats.
Specifically, Amazon GuardDuty is designed to protect AWS accounts, workloads, and data stored in Amazon S3 from various types of threats, including unauthorized access, compromised instances, and data exfiltration attempts. It uses machine learning algorithms and threat intelligence to identify patterns and anomalies that may indicate malicious activity.
When GuardDuty detects a potential threat, it generates findings and alerts, which can be viewed in the AWS Management Console or integrated with other AWS services for automated responses. This helps organizations quickly identify and respond to security incidents, improving their overall security posture.