Dumps4download providing 100% reliable Exam dumps that are verified by experts panel. Our Dumps4download CLF-C02 study material are totally unique and exam questions are valid all over the world. By using our CLF-C02 dumps we assure you that you will pass your exam on first attempt. You can easily score more than 97%.
100% exam passing Guarantee on your purchased exams.
100% money back guarantee if you will not clear your exam.
Amazon CLF-C02 Practice Test Helps You Turn Dreams To Reality!
IT Professionals from every sector are looking up certifications to boost their careers. Amazon being the leader certification provider earns the most demand in the industry.
The Amazon Certification is your short-cut to an ever-growing success. In the process, Dumps4download is your strongest coordinator, providing you with the best CLF-C02 Dumps PDF as well as Online Test Engine. Let’s steer your career to a more stable future with interactive and effective CLF-C02 Practice Exam Dumps.
Many of our customers are already excelling in their careers after achieving their goals with our help. You can too be a part of that specialized bunch with a little push in the right direction. Let us help you tread the heights of success.
Apply for the CLF-C02 Exam right away so you can get certified by using our Amazon Dumps.
Bulk Exams Package
2 Exams Files
10% off
2 Different Exams
Latest and Most Up-todate Dumps
Free 3 Months Updates
Exam Passing Guarantee
Secure Payment
Privacy Protection
3 Exams Files
15% off
3 Different Exams
Latest and Most Up-todate Dumps
Free 3 Months Updates
Exam Passing Guarantee
Secure Payment
Privacy Protection
5 Exams Files
20% off
5 Different Exams
Latest and Most Up-todate Dumps
Free 3 Months Updates
Exam Passing Guarantee
Secure Payment
Privacy Protection
10 Exams Files
25% off
10 Different Exams
Latest and Most Up-todate Dumps
Free 3 Months Updates
Exam Passing Guarantee
Secure Payment
Privacy Protection
Dumps4download Leads You To A 100% Success in First Attempt!
Our CLF-C02 Dumps PDF is intended to meet the requirements of the most suitable method for exam preparation. We especially hired a team of experts to make sure you get the latest and compliant CLF-C02 Practice Test Questions Answers. These questions are been selected according to the most relevance as well as the highest possibility of appearing in the exam. So, you can be sure of your success in the first attempt.
Interactive & Effective CLF-C02 Dumps PDF + Online Test Engine
Aside from our Amazon CLF-C02 Dumps PDF, we invest in your best practice through Online Test Engine. They are designed to reflect the actual exam format covering each topic of your exam. Also, with our interactive interface focusing on the exam preparation is easier than ever. With an easy-to-understand, interactive and effective study material assisting you there is nothing that could go wrong. We are 100% sure that our CLF-C02 Questions Answers Practice Exam is the best choice you can make to pass the exam with top score.
How Dumps4download Creates Better Opportunities for You!
Dumps4download knows how hard it is for you to beat this tough Amazon Exam terms and concepts. That is why to ease your preparation we offer the best possible training tactics we know best. Online Test Engine provides you an exam-like environment and PDF helps you take your study guide wherever you are. Best of all, you can download CLF-C02 Dumps PDF easily or better print it. For the purpose of getting concepts across as easily as possible, we have used simple language. Adding explanations at the end of the CLF-C02 Questions and Answers Practice Test we ensure nothing slips your grasp.
The exam stimulation is 100 times better than any other test material you would encounter. Besides, if you are troubled with anything concerning AWS Certified Cloud Practitioner Exam or the CLF-C02 Dumps PDF, our 24/7 active team is quick to respond. So, leave us a message and your problem will be solved in a few minutes.
Get an Absolutely Free Demo Today!
Dumps4download offers an absolutely free demo version to test the product with sample features before actually buying it. This shows our concern for your best experience. Once you are thoroughly satisfied with the demo you can get the AWS Certified Cloud Practitioner Practice Test Questions instantly.
24/7 Online Support – Anytime, Anywhere
Have a question? You can contact us anytime, anywhere. Our 24/7 Online Support makes sure you have absolutely no problem accessing or using AWS Certified Cloud Practitioner Practice Exam Dumps. What’s more, Dumps4download is mobile compatible so you can access the site without having to log in to your Laptop or PC.
Features to use Dumps4download CLF-C02 Dumps:
Thousands of satisfied customers.
Good grades are 100% guaranteed.
100% verified by Experts panel.
Up to date exam data.
Dumps4download data is 100% trustworthy.
Passing ratio more than 99%
100% money back guarantee.
Amazon CLF-C02 Frequently Asked Questions
Amazon CLF-C02 Sample Questions
Question # 1
A company has a centralized group of users with large file storage requirements that haveexceeded the space available on premises. The company wants to extend its file storagecapabilities for this group while retaining the performance benefit of sharing content locally.What is the MOST operationally efficient AWS solution for this scenario?
A. Create an Amazon S3 bucket for each user. Mount each bucket by using an S3 filesystem mounting utility. B. Configure and deploy an AWS Storage Gateway file gateway. Connect each user'sworkstation to the file gateway. C. Move each user's working environment to Amazon Workspaces. Set up an AmazonWorkDocs account for each user. D. Deploy an Amazon EC2 instance and attach an Amazon Elastic Block Store (AmazonEBS) Provisioned IOPS volume. Share the EBS volume directly with the users.
Answer: B
Explanation: AWS Storage Gateway is a hybrid cloud storage service that allows you to
extend your on-premises file storage capabilities to the AWS Cloud. AWS Storage
Gateway file gateway enables you to store and access your files in Amazon S3 using
industry-standard file protocols such as NFS and SMB. File gateway caches frequently
accessed files locally, providing low-latency access to your data. File gateway also
optimizes the transfer of data between your on-premises environment and AWS,
minimizing the amount of bandwidth consumed. By using file gateway, you can retain the
performance benefit of sharing content locally while leveraging the scalability, durability,
and cost-effectiveness of Amazon S3. References: AWS Storage Gateway, File Gateway
Question # 2
Which complimentary AWS service or tool creates data-driven business cases for cloudplanning?
A. Migration Evaluator B. AWS Billing Conductor C. AWS Billing Console D. Amazon Forecast
Answer: A
Explanation: Migration Evaluator is a cloud-based service that provides organizations with
a comprehensive assessment of their current IT environment and estimates the cost
savings and performance improvements that can be achieved by migrating to
AWS. Migration Evaluator helps users build a data-driven business case for AWS by discovering over-provisioned on-premises instances, providing recommendations for costeffective
AWS alternatives, and analyzing existing licenses and cost comparisons of Bring
Your Own License (BYOL) and License Included (LI) options
Question # 3
Which AWS services or features provide disaster recovery solutions for Amazon EC2instances? (Select TWO.)
A. EC2 Reserved Instances B. EC2 Amazon Machine Images (AMIs) C. Amazon Elastic Block Store (Amazon EBS) snapshots D. AWS Shield E. Amazon GuardDuty
Answer: B,C
Explanation: The correct answer is B and C. EC2 Amazon Machine Images (AMIs) and
Amazon Elastic Block Store (Amazon EBS) snapshots are two AWS services that provide
disaster recovery solutions for Amazon EC2 instances.
EC2 AMIs are preconfigured templates that contain the software configuration and
data required to launch an EC2 instance. You can create AMIs from your running
EC2 instances and use them to launch new instances in the same or different
AWS Regions. This way, you can quickly recover your EC2 instances in case of a
disaster that affects your primary Region or Availability Zone1.
Amazon EBS snapshots are incremental backups of your Amazon EBS volumes.
You can create snapshots of your volumes and store them in Amazon S3, which is
a highly durable and scalable storage service. You can use snapshots to restore
your volumes to a previous point in time or to create new volumes from
snapshots. Snapshots can also be copied across AWS Regions, enabling you to
recover your data in another Region in case of a disaster2.
The other options are not directly related to disaster recovery for EC2 instances:
EC2 Reserved Instances are a pricing model that allows you to reserve EC2
capacity for a specific period of time and receive a discount on the hourly
charge. Reserved Instances do not provide any disaster recovery benefits, as they
are only a billing option3.
AWS Shield is a managed service that protects your AWS resources from
for all AWS customers at no additional charge, and advanced protection for
customers who need higher levels of detection and mitigation. AWS Shield does
not provide any disaster recovery benefits, as it is only a security service4.
Amazon GuardDuty is a threat detection service that monitors your AWS account
and workloads for malicious or unauthorized activity. Amazon GuardDuty analyzes
various data sources, such as AWS CloudTrail, Amazon VPC Flow Logs, and DNS
logs, to identify potential threats and alert you via Amazon CloudWatch Events or
AWS Lambda. Amazon GuardDuty does not provide any disaster recovery
benefits, as it is only a monitoring service5.
Question # 4
Using AWS Identity and Access Management (IAM) to grant access only to the resourcesneeded to perform a task is a concept known as:
A. restricted access. B. as-needed access. C. least privilege access. D. token access.
Answer: C
Explanation: The concept of granting access only to the resources needed to perform a
task is known as least privilege access. This is a security best practice in IAM that helps to
reduce the risk of unauthorized or malicious actions. By applying least privilege access,
you can limit the permissions of your IAM users, groups, and roles to the minimum required
for their specific tasks. You can also use conditions, permissions boundaries, and IAM
Access Analyzer to further restrict and verify access. References: Security best practices in
IAM, Policies and permissions in IAM, Use IAM policies to grant the least privileges
required to access Amazon RDS resources, How to Design a Least Privilege Architecture
in AWS, 12 Azure & AWS IAM Security Best Practices
Question # 5
Which AWS service or feature provides log information of the inbound and outbound trafficon network interfaces in a VPC?
A. Amazon CloudWatch Logs B. AWS CloudTrail C. VPC Flow Logs D. AWS Identity and Access Management (IAM)
Answer: C
Explanation: VPC Flow Logs is a feature that enables you to capture information about the
IP traffic going to and from network interfaces in your VPC. Flow log data can be published
to the following locations: Amazon CloudWatch Logs, Amazon S3, or Amazon Kinesis Data
Firehose. You can use VPC Flow Logs to monitor network traffic, diagnose security issues,
troubleshoot connectivity problems, and perform network forensics1. References:
Logging IP traffic using VPC Flow Logs - Amazon Virtual Private Cloud
Question # 6
What is the best resource for a user to find compliance-related information and reportsabout AWS?
A. AWS Artifact B. AWS Marketplace C. Amazon Inspector D. Increase operational costs across data centers.
Answer: A
Explanation: AWS Artifact is a self-service portal that provides on-demand access to AWS
security and compliance reports and select online agreements. Users can download
reports such as AWS ISO certifications, PCI reports, SOC reports, and GDPR DPA, and
review and accept agreements such as BAA and NDA. AWS Artifact helps users to
understand and meet compliance requirements for various standards and regulations that
apply to AWS services and infrastructure. AWS Artifact is the best resource for a user to
find compliance-related information and reports about AWS, whereas the other options are
not
Question # 7
A company operates a petabyte-scale data warehouse to analyze its data. The companywants a solution that will not require manual hardware and software management. WhichAWS service will meet these requirements?
A. Amazon DocumentDB (with MongoDB compatibility) B. Amazon Redshift C. Amazon Neptune D. Amazon ElastiCache
Answer: B
Explanation: Amazon Redshift is a fast, fully managed, petabyte-scale data warehouse
service that makes it simple and cost-effective to analyze all your data using your existing
business intelligence tools. You can start small with no commitments, and scale to
petabytes for less than a tenth of the cost of traditional solutions. Amazon Redshift does
not require manual hardware and software management, as AWS handles all the tasks
such as provisioning, patching, backup, recovery, failure detection, and repair12. Amazon
Redshift also offers serverless capabilities, which allow you to access and analyze data
without any configurations or capacity planning. Amazon Redshift automatically scales the
data warehouse capacity to deliver fast performance for even the most demanding and
unpredictable workloads3. Therefore, Amazon Redshift meets the requirements of the
company, compared to the other options.
The other options are not suitable for the company’s requirements, because:
Amazon DocumentDB (with MongoDB compatibility) is a fast, scalable, highly
available, and fully managed document database service that supports MongoDB
workloads. It is not designed for petabyte-scale data warehousing or analytics4.
Amazon Neptune is a fast, reliable, and fully managed graph database service that
makes it easy to build and run applications that work with highly connected
datasets. It is not designed for petabyte-scale data warehousing or analytics5.
Amazon ElastiCache is a fully managed in-memory data store and cache service that supports Redis and Memcached. It is not designed for petabyte-scale data
warehousing or analytics.
References:
What is Amazon Redshift? - Amazon Redshift
Amazon Redshift Features - Amazon Redshift
Amazon Redshift Serverless - Amazon Redshift
What Is Amazon DocumentDB (with MongoDB compatibility)? - Amazon
DocumentDB (with MongoDB compatibility)
What Is Amazon Neptune? - Amazon Neptune
[What Is Amazon ElastiCache for Redis? - Amazon ElastiCache for Redis]
Question # 8
A company wants to move its on-premises databases to managed cloud database servicesby using a simplified migration process. Which AWS service or tool can help the companymeet this requirement?
A. AWS Storage Gateway B. AWS Application Migration Service C. AWS DataSync D. AWS Database Migration Service (AWS DMS)
Answer: D
Explanation: AWS Database Migration Service (AWS DMS) is a cloud service that makes
it possible to migrate relational databases, data warehouses, NoSQL databases, and other
types of data stores. You can use AWS DMS to migrate your data into the AWS Cloud or
between combinations of cloud and on-premises setups. With AWS DMS, you can discover
your source data stores, convert your source schemas, and migrate your data. AWS DMS
supports migration between 20-plus database and analytics engines, such as Oracle to
Amazon Aurora MySQL-Compatible Edition, MySQL to Amazon Relational Database
(RDS) for MySQL, Microsoft SQL Server to Amazon Aurora PostgreSQL-Compatible
Edition, MongoDB to Amazon DocumentDB (with MongoDB compatibility), Oracle to Amazon Redshift, and Amazon Simple Storage Service (S3). You can perform one-time
migrations or replicate ongoing changes to keep sources and targets in sync. AWS DMS
automatically manages the deployment, management, and monitoring of all hardware and
software needed for your migration. AWS DMS is a highly resilient, secure cloud service
that provides database discovery, schema conversion, data migration, and ongoing
replication to and from a wide range of databases and analytics systems12. References:
Database Migration - AWS Database Migration Service - AWS
What is AWS Database Migration Service? - AWS Database Migration Service
Question # 9
A company wants to allow users to authenticate and authorize multiple AWS accounts byusing a single set of credentials.Which AWS service or resource will meet this requirement?
A. AWS Organizations B. IAM user C. AWS IAM Identity Center (AWS Single Sign-On) D. AWS Control Tower
Answer: C
Explanation: AWS IAM Identity Center (AWS Single Sign-On) is a cloud-based service
that makes it easy to centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications. You can use AWS SSO to enable your users to sign in
to the AWS Management Console or the AWS Command Line Interface (AWS CLI) with
their existing corporate credentials2. You can also manage SSO access and user
permissions across all your AWS accounts in AWS Organizations3. References: AWS
Single Sign-On - AWS Documentation, AWS Organizations - AWS Documentation
Question # 10
An ecommerce company wants to use Amazon EC2 Auto Scaling to add and remove EC2instances based on CPU utilization. Which AWS service or feature can initiate an Amazon EC2 Auto Scaling action to achievethis goal?
A. Amazon Simple Queue Service (Amazon SQS) B. Amazon Simple Notification Service (Amazon SNS) C. AWS Systems Manager D. Amazon CloudWatch alarm
Answer: D
Explanation: Amazon CloudWatch alarm is an AWS service or feature that can initiate an
Amazon EC2 Auto Scaling action based on CPU utilization. Amazon CloudWatch is a
monitoring and observability service that collects and tracks metrics, logs, events, and
alarms for your AWS resources and applications. Amazon CloudWatch alarms are actions
that you can configure to send notifications or automatically make changes to the
resources you are monitoring based on rules that you define67.
Amazon EC2 Auto Scaling is a service that helps you maintain application availability and
allows you to automatically add or remove EC2 instances according to definable
conditions. You can create dynamic scaling policies that track a specific CloudWatch
metric, such as CPU utilization, and define what action to take when the associated
CloudWatch alarm is in ALARM. When the policy is in effect, Amazon EC2 Auto Scaling
adjusts the group’s desired capacity up or down when the threshold of an alarm is
CloudWatch Documentation, 8: Dynamic scaling for Amazon EC2 Auto Scaling, 9: Amazon
EC2 Auto Scaling Documentation
Question # 11
A company needs to track the activity in its AWS accounts, and needs to know when anAPI call is made against its AWS resources. Which AWS tool or service can be used tomeet these requirements?
A. Amazon CloudWatch B. Amazon Inspector C. AWS CloudTrail D. AWS IAM
Answer: C
Explanation: AWS CloudTrail is the service that can be used to meet these requirements.
AWS CloudTrail is a service that records AWS API calls for your account and delivers log
files to you. The recorded information includes the identity of the API caller, the time of the
API call, the source IP address of the API caller, the request parameters, and the response
elements returned by the AWS service1. You can use CloudTrail to track the activity in your
AWS accounts, such as who made an API call, when it was made, and what resources
were affected. You can also use CloudTrail to monitor the compliance, security, and
governance of your AWS environment2. The other services are not designed to track the
activity and API calls in your AWS accounts. Amazon CloudWatch is a service that
monitors and collects metrics, logs, and events from your AWS resources and applications. You can use CloudWatch to set alarms, visualize data, and automate actions
based on predefined thresholds or rules3. Amazon Inspector is a service that helps you
improve the security and compliance of your applications running on AWS. Inspector
automatically assesses applications for exposure, vulnerabilities, and deviations from best
practices4. AWS IAM is a service that enables you to manage access to AWS services and
resources securely. IAM allows you to create and manage AWS users and groups, and use
permissions to allow and deny their access to AWS resources. References: AWS
Which AWS service enables companies to deploy an application dose to end users?
A. Amazon CloudFront B. AWS Auto Scaling C. AWS AppSync D. Amazon Route S3
Answer: A
Explanation:
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers
data, videos, applications, and APIs to customers globally with low latency, high transfer
speeds, all within a developer-friendly environment. CloudFront enables companies to
deploy an application close to end users by caching the application’s content at edge
locations that are geographically closer to the users. This reduces the network latency and
improves the user experience. CloudFront also integrates with other AWS services, such
as Amazon S3, Amazon EC2, AWS Lambda, AWS Shield, and AWS WAF, to provide a
secure and scalable solution for delivering applications12. References:
What Is Amazon CloudFront? - Amazon CloudFront Amazon CloudFront Features - Amazon CloudFront
Question # 13
A company needs to perform data processing once a week that typically takes about 5hours to complete. Which AWS service should the company use for this workload?
A. AWS Lambda B. Amazon EC2 C. AWS CodeDeploy D. AWS Wavelength
Answer: B
Explanation: Amazon EC2 is the most suitable AWS service for this workload. Amazon
EC2 provides secure, resizable compute capacity in the cloud. You can launch virtual
servers, called instances, and configure them according to your needs. You can choose
from different instance types, sizes, and families, and pay only for the resources you
use. Amazon EC2 also offers features such as auto scaling, load balancing, security
groups, and placement groups to optimize your performance, availability, and
security1. Amazon EC2 is ideal for workloads that require consistent and reliable compute
power, such as data processing, web hosting, gaming, and high-performance computing2.
The other services are not suitable for this workload. AWS Lambda is a serverless compute
service that lets you run code without provisioning or managing servers. You pay only for
the compute time you consume. Lambda is best for short-lived, stateless, and event-driven
workloads that can be completed in under 15 minutes3. AWS CodeDeploy is a deployment
service that automates application deployments to Amazon EC2 instances, on-premises instances, serverless Lambda functions, or Amazon ECS services. CodeDeploy is not a
compute service, but a tool to help you update your applications with minimal downtime4.
AWS Wavelength is a service that delivers ultra-low latency applications for 5G devices.
Wavelength embeds AWS compute and storage services at the edge of
telecommunications providers’ 5G networks. Wavelength is designed for mobile edge
computing, such as interactive gaming, video streaming, and augmented
Which AWS service or tool gives users the ability to connect with AWS and deployresources programmatically?
A. Amazon quickSight B. AWS PrivateLink C. AWS Direct Connect D. AWS SDKs
Answer: D
Explanation: AWS SDKs are a set of tools that allow users to connect with AWS and
deploy resources programmatically. AWS SDKs provide libraries, code samples,
documentation, and other resources to help users write code that interacts with AWS APIs.
AWS SDKs support various programming languages, such as Java, Python, Ruby, .NET,
Node.js, Go, and more. AWS SDKs make it easier for users to access AWS services, such
as Amazon S3, Amazon EC2, Amazon DynamoDB, AWS Lambda, and more, from their
applications. AWS SDKs also handle tasks such as authentication, error handling, retries,
and data serialization, so users can focus on their application logic .
The other options are not AWS services or tools that give users the ability to connect with
AWS and deploy resources programmatically. Amazon QuickSight is a business
intelligence service that lets users create and share interactive dashboards and
visualizations1. AWS PrivateLink is a service that enables users to securely access
services hosted on AWS in a scalable and cost-effective manner2. AWS Direct Connect is
a service that establishes a dedicated network connection between a user’s premises and
AWS3.
Question # 15
Which AWS Cloud service can send alerts to customers if custom spending thresholds areexceeded?
A. AWS Budgets B. AWS Cost Explorer C. AWS Cost Allocation Tags D. AWS Organizations
Answer: A
Explanation: AWS Budgets is a service that allows you to set custom budgets for your
AWS costs and usage, and receive alerts via email or Amazon SNS notifications if you
exceed or are forecasted to exceed your budgeted amount1. You can create budgets
based on different dimensions, such as service, linked account, tag, or purchase option,
and define various types of alerts, such as actual, forecasted, or RI utilization alerts2. You
can also configure custom actions to automatically execute remediation tasks or workflows
when a budget threshold is breached3. AWS Budgets is the only service among the
options that can send alerts to customers if custom spending thresholds are exceeded. The
other options are not AWS services that provide this functionality.
Question # 16
Which AWS feature provides a no-cost platform for AWS users to join community groups,ask questions, find answers, and read community-generated articles about best practices?
A. AWS Knowledge Center B. AWS re:Post C. AWS 10 D. AWS Enterprise Support
Answer: B
Explanation: AWS re:Post is a no-cost platform for AWS users to join community groups,
ask questions, find answers, and read community-generated articles about best practices.
AWS re:Post is a social media platform that connects AWS users with each other and with
AWS experts. Users can create posts, comment on posts, follow topics, and join groups
related to AWS services, solutions, and use cases. AWS re:Post also features live event
feeds, community stories, and AWS Hero profiles. AWS re:Post is a great way to learn from
the AWS community, share your knowledge, and get inspired. References:
AWS re:Post
Join the Conversation
Question # 17
Which AWS service provides command line access to AWS tools and resources directly(torn a web browser?
A. AWS CIoudHSM B. AWS CloudShell C. Amazon Workspaces D. AWS Cloud Map
Answer: B
Explanation: AWS CloudShell is the service that provides command line access to AWS
tools and resources directly from a web browser. AWS CloudShell is a browser-based shell
that makes it easy to securely manage, explore, and interact with your AWS resources. It
comes pre-authenticated with your console credentials and common development and
administration tools are pre-installed, so no local installation or configuration is required.
You can open AWS CloudShell from the AWS Management Console with a single click and
start running commands and scripts using the AWS Command Line Interface (AWS CLI),
Git, or SDKs. AWS CloudShell also provides persistent home directories with 1 GB of
storage per AWS Region12. The other services do not provide command line access to
AWS tools and resources directly from a web browser. AWS CloudHSM is a service that
helps you meet corporate, contractual and regulatory compliance requirements for data
security by using dedicated Hardware Security Module (HSM) appliances within the AWS
Cloud3. Amazon WorkSpaces is a service that provides a fully managed, secure Desktopas-
a-Service (DaaS) solution that runs on AWS4. AWS Cloud Map is a service that makes
it easy for your applications to discover and connect to each other using logical names and
attributes5. References: AWS CloudShell, AWS CloudShell – Command-Line Access to
Which AWS service can run a managed PostgreSQL database that provides onlinetransaction processing (OLTP)?
A. Amazon DynamoDB B. Amazon Athena C. Amazon RDS D. Amazon EMR
Answer: C
Explanation: Amazon RDS is a fully managed relational database service that supports several database engines, including PostgreSQL. Amazon RDS can run a managed
PostgreSQL database that provides online transaction processing (OLTP), which is a type
of database workload that handles frequent read and write operations on small amounts of
data. Amazon RDS for PostgreSQL offers high performance, availability, scalability,
security, and compatibility with the PostgreSQL community edition. Amazon RDS also
provides automated backups, point-in-time recovery, encryption, monitoring, and
maintenance for PostgreSQL databases. References:
Hosted PostgreSQL - Amazon RDS for PostgreSQL
OLTP Database, MySQL And PostgreSQL Managed Database - Amazon Aurora
PostgreSQL options on AWS: Self- managed, managed, and serverless
Question # 19
Which responsibility belongs to AWS when a company hosts its databases on AmazonEC2 instances?
A. Database backups B. Database software patches C. Operating system patches D. Operating system installations
Answer: C
Explanation: When a company hosts its databases on Amazon EC2 instances, AWS and
the customer share the responsibility for the security and management of the database
environment. According to the AWS shared responsibility model, AWS is responsible for
the security of the cloud, while the customer is responsible for the security in the cloud.
This means that AWS is responsible for protecting the infrastructure that runs the EC2
instances, such as the hardware, software, networking, and facilities. The customer is
responsible for properly configuring the security of the provided service, such as the guest
operating system, the database software, the data, and the network traffic12.
One of the tasks that belongs to AWS when a company hosts its databases on Amazon
EC2 instances is operating system patches. AWS provides regular updates and patches to
the operating system of the EC2 instances, which are applied automatically by default. The
customer can also choose to manually apply the patches or schedule them for a specific
time window3. Operating system patches are important for maintaining the security and
performance of the EC2 instances and the databases running on them.
The other tasks that belong to AWS when a company hosts its databases on Amazon EC2
instances are:
Operating system installations: AWS provides a variety of operating system
options for the EC2 instances, such as Linux, Windows, and Amazon Linux. The
customer can choose the operating system that best suits their database needs
and AWS will install it on the EC2 instances4.
Server maintenance: AWS performs regular maintenance and repairs on the
physical servers that host the EC2 instances, ensuring that they are in optimal condition and have adequate power, cooling, and network connectivity5.
Hardware lifecycle: AWS manages the lifecycle of the hardware that supports the
EC2 instances, such as replacing faulty components, upgrading equipment, and
decommissioning old servers.
The tasks that do not belong to AWS when a company hosts its databases on Amazon
EC2 instances are:
Database backups: The customer is responsible for backing up their data and
databases on the EC2 instances, using tools such as Amazon S3, Amazon EBS
snapshots, or AWS Backup. Database backups are essential for data protection
and recovery in case of failures or disasters.
Database software patches: The customer is responsible for applying patches and
updates to the database software on the EC2 instances, such as MySQL,
PostgreSQL, Oracle, or SQL Server. Database software patches are important for
fixing bugs, improving features, and addressing security vulnerabilities.
Database software install: The customer is responsible for installing the database
software on the EC2 instances, choosing the version and configuration that meets
their requirements. AWS provides some preconfigured AMIs (Amazon Machine
Images) that include common database software, or the customer can use their
own custom AMIs.
References:
Shared Responsibility Model - Amazon Web Services (AWS)
Shared responsibility model - Amazon Web Services: Risk and Compliance
Patching Amazon EC2 instances - AWS Systems Manager
Amazon EC2 FAQs - Amazon Web Services
Maintenance and Retirements - Amazon Elastic Compute Cloud
[Hardware Lifecycle - Amazon Web Services (AWS)]
[Backing Up Your Data - Amazon Web Services (AWS)]
[Database Patching - Amazon Web Services (AWS)]
[Installing Database Software on Amazon EC2 Instances - Amazon Web Services
(AWS)]
Question # 20
A developer needs to maintain a development environment infrastructure and a productionenvironment infrastructure in a repeatable fashion Which AWS service should thedeveloper use to meet these requirements?
A. AWS Ground Station B. AWS Shield C. AWS loT Device Defender D. AWS CloudFormation
Answer: D
Explanation: AWS CloudFormation is a service that allows developers to model and
provision their AWS infrastructure in a repeatable and declarative way, using code and
templates. AWS CloudFormation enables developers to define the resources they need for
their development and production environments, such as compute, storage, network, and
application services, and automate their creation and configuration. AWS CloudFormation
also provides features such as change sets, nested stacks, and rollback triggers to help
developers manage and update their infrastructure safely and efficiently12. References: AWS CloudFormation
What is AWS CloudFormation?
Question # 21
Which Amazon EC2 pricing model is the MOST cost efficient for an uninterruptibleworkload that runs once a year for 24 hours?
A. On-Demand Instances B. Reserved Instances C. Spot Instances D. Dedicated Instances
Answer: A
Explanation:
On-Demand Instances are the most cost-efficient pricing model for an uninterruptible
workload that runs once a year for 24 hours. On-Demand Instances let you pay for
compute capacity by the hour or second, depending on which instances you run. No longterm
commitments or up-front payments are required. You can increase or decrease your
compute capacity to meet the demands of your application and only pay the specified
hourly rates for the instance you use1. This model is suitable for developing/testing
applications with short-term or unpredictable workloads2. The other pricing models are not
cost-efficient for this use case. Reserved Instances and Savings Plans require a
commitment to a consistent amount of usage, in USD per hour, for a term of 1 or 3
years. They provide significant discounts compared to On-Demand Instances, but they are
not flexible or scalable for workloads that run only once a year12. Spot Instances are the
cheapest option, but they are not suitable for uninterruptible workloads, as they can be
reclaimed by AWS at any time. They are recommended for applications that have flexible
start and end times, or that are only feasible at very low compute prices12. Dedicated
Instances are designed for compliance and licensing requirements, not for cost
optimization. They are more expensive than the other options, as they run on single-tenant
A company is migrating to the AWS Cloud and plans to run experimental workloads for 3 to6 months on AWS. Which pricing model will meet these requirements?
A. Use Savings Plans for a 3-year term. B. Use Dedicated Hosts. C. Buy Reserved Instances. D. Use On-Demand Instances.
Answer: D
Explanation:
On-Demand Instances are the most flexible and cost-effective pricing model for short-term,
experimental, or unpredictable workloads on AWS. On-Demand Instances let you pay only
for the resources you use, without any long-term commitments or upfront fees. You can
easily start and stop instances as needed, and scale up or down depending on your
demand.
Savings Plans, Reserved Instances, and Dedicated Hosts are all pricing models that
require a commitment for a certain amount of usage or capacity for a one- or three-year
term. These pricing models offer lower prices than On-Demand Instances, but they are not
suitable for workloads that only run for 3 to 6 months or have variable usage patterns.
Savings Plans and Reserved Instances also offer flexibility to change instance types, sizes,
or regions within the same family or pool, while Dedicated Hosts are physical servers that
can only run specific instance types.
Question # 23
A user wants to allow applications running on an Amazon EC2 instance to make calls toother AWS services. The access granted must be secure. Which AWS service or featureshould be used?
A. Security groups B. AWS Firewall Manager C. IAM roles D. IAM user SSH keys
Answer: C
Explanation: IAM roles are a secure way to grant permissions to applications running on
an Amazon EC2 instance to make calls to other AWS services. IAM roles are entities that
have specific permissions policies attached to them. You can create an IAM role and
associate it with an EC2 instance when you launch it or later. The applications on the
instance can then use the temporary credentials provided by the role to access AWS
resources that the role allows. This way, you do not have to store any long-term credentials
or access keys on the instance, which reduces the risk of compromise or misuse12.
The other options are not correct, because:
Security groups are virtual firewalls that control the inbound and outbound traffic
for your EC2 instances. Security groups do not grant permissions to access other
AWS services, but rather filter the network traffic based on rules that you define3.
AWS Firewall Manager is a service that helps you centrally configure and manage
firewall rules across your accounts and resources. AWS Firewall Manager works
with AWS WAF, AWS Shield Advanced, and Amazon VPC security groups. AWS
Firewall Manager does not grant permissions to access other AWS services, but
rather helps you enforce consistent security policies across your AWS
infrastructure4.
IAM user SSH keys are credentials that allow you to connect to your EC2 instance
using SSH. SSH keys do not grant permissions to access other AWS services, but
rather authenticate your identity when you log in to your instance5.
References:
Using an IAM role to grant permissions to applications running on Amazon EC2
instances - AWS Identity and Access Management
IAM roles for Amazon EC2 - Amazon Elastic Compute Cloud
Security groups for your VPC - Amazon Virtual Private Cloud
What is AWS Firewall Manager? - AWS Firewall Manager
Connecting to your Linux instance using SSH - Amazon Elastic Compute Cloud
Question # 24
Which AWS service or feature will search for and identify AWS resources that are sharedexternally?
A. Amazon OpenSearch Service B. AWS Control Tower C. AWS IAM Access Analyzer D. AWS Fargate
Answer: C
Explanation: AWS IAM Access Analyzer is an AWS service that helps customers identify
and review the resources in their AWS account that are shared with an external entity, such
as another AWS account, a root user, an organization, or a public entity. AWS IAM Access
Analyzer uses automated reasoning, a form of mathematical logic and inference, to
analyze the resource-based policies in the account and generate comprehensive findings
that show the access level, the source of the access, the affected resource, and the
condition under which the access applies. Customers can use AWS IAM Access Analyzer
to audit their shared resources, validate their access policies, and monitor any changes to
the resource sharing status. References: AWS IAM Access Analyzer, Identify and review
resources shared with external entities, How AWS IAM Access Analyzer works
Question # 25
Which AWS service or feature improves network performance by sending traffic throughthe AWS worldwide network infrastructure?
A. Route table B. AWS Transit Gateway C. AWS Global Accelerator D. Amazon VPC
Answer: C
Explanation: AWS Global Accelerator is a service that improves network performance by sending traffic
through the AWS worldwide network infrastructure. It uses the AWS global network to
direct TCP or UDP traffic to a healthy application endpoint in the closest AWS Region to
the client. This provides improvements in terms of latency, throughput, and jitter. Global
Accelerator also introduces features such as TCP termination at the edge, jumbo frame
support, and large receive side window and TCP buffers to optimize data transfer12. Route
table, AWS Transit Gateway, and Amazon VPC are not services or features that improve
network performance by sending traffic through the AWS worldwide network
infrastructure. Route table is a resource that defines how traffic is routed within a
VPC3. AWS Transit Gateway is a service that enables you to connect your VPCs and onpremises
networks to a single gateway4. Amazon VPC is a service that lets you provision a
logically isolated section of the AWS Cloud where you can launch AWS resources in a
virtual network that you define5. References: Achieve up to 60% better performance for
internet traffic with AWS Global Accelerator, Improving Performance on AWS and Hybrid
A company wants to establish a schedule for rotating database user credentials.Which AWS service will support this requirement with the LEAST amount of operationaloverhead?
A. AWS Systems Manager B. AWS Secrets Manager C. AWS License Manager D. AWS Managed Services
Answer: B
Explanation: AWS Secrets Manager is a service that helps you protect access to your
applications, services, and IT resources. This service enables you to easily rotate, manage,
and retrieve database credentials, API keys, and other secrets throughout their lifecycle.
Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the
need to hardcode sensitive information in plain text. Secrets Manager offers secret rotation
with built-in integration for Amazon RDS, Amazon Redshift, Amazon DocumentDB, and
other AWS services1. You can also extend Secrets Manager to rotate other types of
secrets, such as credentials for Oracle, SQL Server, or MongoDB databases, by using
custom AWS Lambda functions2. Secrets Manager enables you to control access to
secrets using fine-grained permissions and audit secret rotation centrally for resources in
the AWS Cloud, third-party services, and on-premises3. Therefore, AWS Secrets Manager
supports the requirement of rotating database user credentials with the least amount of
operational overhead, compared to the other options. References:
What Is AWS Secrets Manager? - AWS Secrets Manager
Rotating Your AWS Secrets Manager Secrets - AWS Secrets Manager
AWS Secrets Manager Features - AWS Secrets Manager
Question # 27
A company wants to provide managed Windows virtual desktops and applications to itsremote employees over secure network connections. Which AWS services can thecompany use to meet these requirements? (Select TWO.)
A. Amazon Connect B. Amazon AppStream 2.0 C. Amazon Workspaces D. AWS Site-to-Site VPN E. Amazon Elastic Container Service (Amazon ECS)
Answer: B,C
Explanation: Amazon AppStream 2.0 and Amazon WorkSpaces are AWS services that
can be used to provide managed Windows virtual desktops and applications to remote
employees over secure network connections. Amazon AppStream 2.0 is a fully managed
application streaming service that allows users to access Windows desktop applications
from any device, without installing or managing any software. Amazon AppStream 2.0
delivers applications over an encrypted connection and isolates them from the underlying
infrastructure, ensuring security and compliance1. Amazon WorkSpaces is a fully managed
desktop virtualization service that allows users to access Windows or Linux desktops from
any device, with a consistent user experience. Amazon WorkSpaces provides persistent,
cloud-based virtual desktops that can be customized and scaled according to the user’s
needs. Amazon WorkSpaces also offers encryption, backup, and monitoring features to
ensure security and reliability2. References:
Amazon AppStream 2.0
Amazon WorkSpaces
Question # 28
Which option is a customer responsibility when using Amazon DynamoDB under the AWSShared Responsibility Model?
A. Physical security of DynamoDB B. Patching of DynamoDB C. Access to DynamoDB tables D. Encryption of data at rest in DynamoDB
Answer: C
Explanation: According to the AWS Shared Responsibility Model, AWS is responsible for
the security of the cloud, while the customer is responsible for the security in the cloud.
This means that AWS is responsible for protecting the infrastructure that runs AWS
services, such as DynamoDB, while the customer is responsible for properly configuring
the security of the provided service. For abstracted services, such as DynamoDB, the
customer is primarily responsible for managing their data, classifying their assets, and
using IAM tools to apply the appropriate permissions12. Therefore, the customer is
responsible for controlling the access to DynamoDB tables, such as by creating IAM
policies, roles, and users, and using encryption and authentication
mechanisms3. References:
Shared Responsibility Model - Amazon Web Services (AWS)
Security and compliance in Amazon DynamoDB - Amazon DynamoDB
What is Shared Responsibility Model? - Check Point Software
Question # 29
A social media company wants to protect its web application from common web exploitssuch as SQL injections and cross-site scripting. Which AWS service will meet theserequirements?
A. Amazon Inspector B. AWS WAF C. Amazon GuardDuty D. Amazon CloudWatch
Answer: B
Explanation: AWS WAF is a web application firewall service that helps protect web
applications from common web exploits that could affect availability, compromise security,
or consume excessive resources. AWS WAF gives you control over which traffic to allow or
block to your web applications by defining customizable web security rules. You can use
AWS WAF to create rules that block common attack patterns, such as SQL injection or
cross-site scripting, and rules that filter out specific traffic patterns you define1. AWS WAF
also integrates with other AWS services, such as Amazon CloudFront, Amazon API
Gateway, AWS AppSync, and AWS Load Balancer, to provide a comprehensive defense
against web attacks2. Therefore, AWS WAF meets the requirements of the social media
company, compared to the other options.
The other options are not suitable for the social media company’s requirements, because:
Amazon Inspector is an automated security assessment service that helps
improve the security and compliance of applications deployed on AWS. Amazon
Inspector automatically assesses applications for exposure, vulnerabilities, and deviations from best practices. However, Amazon Inspector does not provide a
web application firewall service that can block malicious web requests3.
Amazon GuardDuty is a threat detection service that continuously monitors for
malicious activity and unauthorized behavior to protect your AWS accounts,
workloads, and data stored in Amazon S3. Amazon GuardDuty analyzes and
processes the following data sources: VPC Flow Logs, AWS CloudTrail event logs,
and DNS logs. However, Amazon GuardDuty does not provide a web application
firewall service that can block malicious web requests4.
Amazon CloudWatch is a monitoring and observability service that provides data
and actionable insights to monitor your applications, respond to system-wide
performance changes, optimize resource utilization, and get a unified view of
operational health. Amazon CloudWatch collects monitoring and operational data
in the form of logs, metrics, and events, and visualizes it using automated
dashboards, alarms, and notifications. However, Amazon CloudWatch does not
provide a web application firewall service that can block malicious web requests.
References:
What Is AWS WAF? - AWS WAF, AWS Firewall Manager, and AWS Shield
Advanced
AWS WAF Features - AWS WAF, AWS Firewall Manager, and AWS Shield
Advanced
What Is Amazon Inspector? - Amazon Inspector
What Is Amazon GuardDuty? - Amazon GuardDuty
[What Is Amazon CloudWatch? - Amazon CloudWatch]
Question # 30
Which AWS service or feature allows users to create new AWS accounts, group multipleaccounts to organize workflows, and apply policies to groups of accounts?
A. AWS Identity and Access Management (1AM) B. AWS Trusted Advisor C. AWS CloudFormation D. AWS Organizations
Answer: D
Explanation: AWS Organizations is the AWS service or feature that allows users to create
new AWS accounts, group multiple accounts to organize workflows, and apply policies to
groups of accounts. AWS Organizations enables users to centrally manage and govern
their AWS environment across multiple accounts. Users can create organizational units
(OUs) to group accounts based on their business needs, such as by function, project, or
region. Users can also apply service control policies (SCPs) to OUs or individual accounts
to define the permissions and restrictions for the AWS services and resources that they can
access. AWS Organizations also offers features such as consolidated billing, account
creation automation, and trusted access12. References:
AWS Organizations
What is AWS Organizations?
Question # 31
Which option is a benefit of the economies of scale based on the advantages of cloudcomputing?
A. The ability to trade variable expense for fixed expense B. Increased speed and agility C. Lower variable costs over fixed costs D. Increased operational costs across data centers
Answer: B
Explanation: Economies of scale are the cost advantages that result from increasing the
scale of production or operation. In cloud computing, economies of scale are achieved by
pooling resources and sharing them among multiple users, which reduces the unit cost of
computing and storage. One of the benefits of economies of scale in cloud computing is
increased speed and agility, which means the ability to deploy applications faster and
respond to changing business needs more quickly. Cloud computing allows users to
access computing resources on demand, without having to invest in expensive
infrastructure or wait for lengthy provisioning processes. This enables users to scale up or
down as needed, experiment with new ideas, and deliver value to customers
faster123. References: Economics of Cloud Computing - GeeksforGeeks
What is Cloud Economics? | VMware Glossary
ECONOMIES OF SCALE WITH CLOUD COMPUTING & SERVICES PRACTICE -
IDC-Online
Question # 32
A company wants to migrate its applications to the AWS Cloud. The company plans toidentity and prioritize any business transformation opportunities and evaluate its AWSCloud readiness. Which AWS service or tool should the company use to meet theserequirements?
A. AWS Cloud Adoption Framework (AWS CAF) B. AWS Managed Services (AMS) C. AWS Well-Architected Framework D. AWS Migration Hub
Answer: A
Explanation: AWS Cloud Adoption Framework (AWS CAF) is a set of best practices, tools,
and guidance that helps organizations get started with cloud technologies. AWS CAF helps
organizations identify and prioritize transformation opportunities, evaluate and improve their
cloud readiness, and iteratively evolve their transformation roadmap. AWS CAF groups its
capabilities in six perspectives: Business, People, Governance, Platform, Security, and
Operations. Each perspective comprises a set of capabilities that functionally related
stakeholders own or manage in the cloud transformation journey1
AWS Managed Services (AMS) is a service that operates AWS infrastructure on behalf of
customers, providing a secure AWS Landing Zone, features that help meet various
compliance program requirements, a proven enterprise operating model, on-going cost
optimization, and day-to-day infrastructure management. AMS does not help customers
identify and prioritize business transformation opportunities or evaluate their cloud
readiness2
AWS Well-Architected Framework is a set of six pillars and lenses that help cloud
architects design and run workloads in the cloud. It provides a consistent approach for
customers and AWS Partners to evaluate and implement designs that scale with their
needs. AWS Well-Architected Framework helps customers understand the pros and cons
of decisions they make while building systems on AWS, but it does not help them identify
and prioritize business transformation opportunities3
AWS Migration Hub is a tool that lets customers discover, plan, and track their existing
servers and applications for migration to AWS. It offers journey templates, cross-team
collaboration, application and server discovery, strategy recommendations, orchestration
and simple dashboard. AWS Migration Hub simplifies the migration and modernization
process, but it does not help customers identify and prioritize business transformation
A company has deployed applications on Amazon EC2 instances. The company needs toassess application vulnerabilities and must identify infrastructure deployments that do notmeet best practices. Which AWS service can the company use to meet theserequirements?
A. AWS Trusted Advisor B. Amazon Inspector C. AWSConfig D. Amazon GuardDuty
Answer: B
Explanation: Amazon Inspector is a service that provides automated security assessment
and management for AWS resources, such as Amazon EC2 instances. Amazon Inspector
can scan applications for common vulnerabilities, such as SQL injection, cross-site
scripting, and remote code execution. Amazon Inspector can also check the configuration
of AWS resources against security best practices, such as the CIS Benchmarks and the
AWS Security Best Practices. Amazon Inspector can help customers identify and
remediate security issues, comply with security standards, and improve the security
posture of their AWS environment12. References:
Amazon Inspector
Improved, Automated Vulnerability Management for Cloud Workloads with a New
Amazon Inspector | AWS News Blog
Question # 34
Which AWS service or feature can be used to create a private connection between an onpremisesworkload and an AWS Cloud workload?
A. Amazon Route 53 B. Amazon Macie C. AWS Direct Connect D. AWS PrivaleLink
Answer: C
Explanation: AWS Direct Connect is a service that establishes a dedicated network
connection between your on-premises network and one or more AWS Regions. AWS
Direct Connect can be used to create a private connection between an on-premises
workload and an AWS Cloud workload, bypassing the public internet and reducing network
costs, latency, and bandwidth issues. AWS Direct Connect can also provide increased
security and reliability for your hybrid cloud applications and data transfers. References:
AWS Direct Connect
What is AWS Direct Connect?
AWS Direct Connect User Guide
Question # 35
Which AWS service is used to provide encryption for Amazon EBS?
A. AWS Certificate Manager B. AWS Systems Manager C. AWS KMS D. AWS Config
Answer: C
Explanation: AWS KMS is the service that is used to provide encryption for Amazon EBS.
AWS KMS is a managed service that enables you to easily create and control the
encryption keys used to encrypt your data. Amazon EBS uses AWS KMS to encrypt and
decrypt your EBS volumes and snapshots. You can choose to use either the default AWS
managed CMK or your own customer managed CMK for encryption. AWS KMS also
provides features such as key rotation, audit logging, and access control policies to help
you manage your encryption keys and protect your data12. The other services are not used
to provide encryption for Amazon EBS. AWS Certificate Manager is a service that lets you
provision, manage, and deploy public and private SSL/TLS certificates for use with AWS
services and your internal connected resources3. AWS Systems Manager is a service that
provides a unified user interface to view and manage your AWS resources, automate
common operational tasks, and apply compliance policies4. AWS Config is a service that
enables you to assess, audit, and evaluate the configurations of your AWS
A company has a compute workload that is steady, predictable, and uninterruptible.Which Amazon EC2 instance purchasing options meet these requirements MOST costeffectively?(Select TWO.)
A. On-Demand Instances B. Reserved Instances C. Spot Instances D. Saving Plans E. Dedicated Hosts
Answer: B,D
Explanation:
Reserved Instances and Savings Plans are the most cost-effective purchasing options for a
compute workload that is steady, predictable, and uninterruptible. Reserved Instances
provide a significant discount compared to On-Demand Instances, and Savings Plans offer
flexible and consistent savings on EC2 usage. Both options require a commitment to a
consistent amount of usage, in USD per hour, for a term of 1 or 3 years. On-Demand
Instances are suitable for short-term, irregular, or unpredictable workloads, but they are
more expensive than Reserved Instances or Savings Plans. Spot Instances are the
cheapest option, but they are not suitable for uninterruptible workloads, as they can be
reclaimed by AWS at any time. Dedicated Hosts and Dedicated Instances are designed for
compliance and licensing requirements, not for cost optimization. They are more expensive
than the other options, as they run on single-tenant hardware. References: Instance
Which tool should a developer use lo integrate AWS service features directly into anapplication?
A. AWS Software Development Kit B. AWS CodeDeploy C. AWS Lambda D. AWS Batch
Answer: A
Explanation:
AWS Software Development Kit (SDK) is a set of platform-specific tools for developers that
let them integrate AWS service features directly into their applications. AWS SDKs provide
libraries, code samples, documentation, and other resources to help developers write code
that interacts with AWS APIs. AWS SDKs support various programming languages, such
as Java, Python, Ruby, .NET, Node.js, Go, and more. AWS SDKs make it easier for
developers to access AWS services, such as Amazon S3, Amazon EC2, Amazon
DynamoDB, AWS Lambda, and more, from their applications. AWS SDKs also handle
tasks such as authentication, error handling, retries, and data serialization, so developers
can focus on their application logic.
Question # 38
Which AWS service or tool can be used to set up a firewall to control traffic going into andcoming out of an Amazon VPC subnet?
A. Security group B. AWS WAF C. AWS Firewall Manager D. Network ACL
Answer: D
Explanation: A network ACL (NACL) is an optional layer of security for your VPC that acts
as a firewall for controlling traffic in and out of one or more subnets. You can create a
network ACL and associate it with a subnet to apply rules that allow or deny traffic to or
from the subnet. Network ACLs are stateless, meaning that they evaluate the source and
destination IP addresses for both inbound and outbound traffic. You can also use network ACLs to block IP address ranges that are known to be malicious12.
The other options are not AWS services or tools that can be used to set up a firewall to
control traffic going into and coming out of an Amazon VPC subnet. Security groups are
another layer of security for your VPC that act as a firewall for your EC2 instances. Security
groups are stateful, meaning that they automatically allow return traffic for allowed inbound
traffic. Security groups can only filter traffic based on protocols, ports, and source or
destination IP addresses, not on IP ranges3. AWS WAF is a web application firewall that
helps protect your web applications from common web exploits. AWS WAF can filter web
requests based on rules that you define, such as IP addresses, HTTP headers, HTTP
body, or URI strings. AWS WAF does not apply to non-web traffic or to traffic within a
VPC4. AWS Firewall Manager is a service that helps you centrally configure and manage
firewall rules across your accounts and resources in AWS Organizations. You can use
Firewall Manager to apply AWS WAF rules, AWS Network Firewall policies, and Amazon
VPC security groups across your AWS accounts. AWS Firewall Manager does not provide
a firewall service itself, but rather helps you manage other firewall services
Question # 39
Which of the following is a managed AWS service that is used specifically for extract,transform, and load (ETL) data?
A. Amazon Athena B. AWS Glue C. Amazon S3 D. AWS Snowball Edge
Answer: B
Explanation: AWS Glue is a serverless data integration service that makes it easy to
discover, prepare, move, and integrate data from multiple sources for analytics, machine
learning, and application development. You can use various data integration engines, such
as ETL, ELT, batch, and streaming, and manage your data in a centralized data
catalog. AWS Glue is designed specifically for extract, transform, and load (ETL) data, whereas the other options are not.
Question # 40
A company has a set of ecommerce applications. The applications need to be able to sendmessages to each other. Which AWS service meets this requirement?
A. AWS Auto Scaling B. Elastic Load Balancing C. Amazon Simple Queue Service (Amazon SOS) D. Amazon Kinesis Data Streams
Answer: C
Explanation: Amazon Simple Queue Service (Amazon SQS) is a fully managed message
queuing service that lets you send, store, and receive messages between software
components at any volume, without losing messages or requiring other services to be
available1. Amazon SQS is designed to provide a simple and reliable way for customers to
decouple and connect components (microservices) together using queues2. Queues are
an important mechanism for providing fault tolerance and scalability in distributed systems,
and help decouple different parts of your application3. The other options are not AWS
services that are used specifically for sending messages between applications
Question # 41
Which pricing model will interrupt a running Amazon EC2 instance if capacity becomestemporarily unavailable?
A. On-Demand Instances B. Standard Reserved Instances C. Spot Instances D. Convertible Reserved Instances
Answer: C
Explanation: Spot Instances are a type of EC2 instance that let you bid on unused compute capacity, which AWS offers at a discount of up to 90% compared to On-Demand
prices1. Spot Instances are suitable for fault-tolerant, stateless, or flexible applications that
can handle interruptions2. Spot Instances can be interrupted with a two-minute warning
when EC2 needs the capacity back3. The other options are not pricing models that will
interrupt a running EC2 instance if capacity becomes temporarily unavailable
Question # 42
Which tasks are the customer's responsibility, according to the AWS shared responsibilitymodel? (Select TWO.)
A. Establish the global infrastructure. B. Perform client-side data encryption. C. Configure 1AM credentials. D. Secure edge locations. E. Patch Amazon RDS DB instances.
Answer: B,C
Explanation: According to the AWS shared responsibility model, AWS is responsible for
the security of the cloud, while the customer is responsible for the security in the cloud.
This means that AWS is responsible for protecting the infrastructure that runs all of the
services offered in the AWS Cloud, such as the global network, the hardware, the software,
and the facilities. The customer is responsible for properly configuring the security of the
provided service, such as the guest operating system, the application software, the data,
and the network traffic. For abstracted services, such as Amazon RDS, AWS operates the
infrastructure layer, the operating system, and the database software, while the customer is
responsible for managing their data, classifying their assets, and using IAM tools to apply
the appropriate permissions12.
Therefore, the tasks that are the customer’s responsibility are:
Perform client-side data encryption: The customer is responsible for encrypting
their data before sending it to AWS, and decrypting it after receiving it from AWS. This ensures that the data is protected in transit and at rest. AWS provides various
encryption options, such as AWS Key Management Service (AWS KMS), AWS
CloudHSM, and AWS Certificate Manager (ACM)3.
Configure IAM credentials: The customer is responsible for creating and managing
IAM users, groups, roles, and policies that control the access to AWS resources
and services. IAM credentials include user names, passwords, access keys, and
permissions4.
The tasks that are not the customer’s responsibility are:
Establish the global infrastructure: AWS is responsible for building and maintaining
the global network of regions, availability zones, and edge locations that provide
low latency, high availability, and fault tolerance for the AWS Cloud5.
Secure edge locations: AWS is responsible for protecting the physical security of
the edge locations, which are sites that deliver cached content to end users with
improved performance6.
Patch Amazon RDS DB instances: AWS is responsible for applying patches and
updates to the operating system and the database software of the Amazon RDS
DB instances, which are managed relational database service for MySQL,
PostgreSQL, Oracle, SQL Server, and Amazon Aurora. References:
Shared Responsibility Model - Amazon Web Services (AWS)
Shared responsibility model - Amazon Web Services: Risk and Compliance
Encryption - Amazon Web Services (AWS)
What Is IAM? - AWS Identity and Access Management
Global Infrastructure - Amazon Web Services (AWS)
Amazon CloudFront Features - Content Delivery Network (CDN)
[What Is Amazon Relational Database Service (Amazon RDS)? - Amazon
Relational Database Service]
Question # 43
Which AWS Cloud benefit gives a company the ability to quickly deploy cloud resources toaccess compute, storage, and database infrastructures in a matter of minutes?
A. Elasticity B. Cost savings C. Agility D. Reliability
Answer: C
Explanation: Agility is the AWS Cloud benefit that gives a company the ability to quickly
deploy cloud resources to access compute, storage, and database infrastructures in a
matter of minutes. Agility means that you can reduce the time to make IT resources
available to your developers from weeks to just minutes, resulting in a dramatic increase in
innovation and responsiveness1. AWS provides a range of services and tools that enable
you to launch, scale, and manage your cloud applications with ease and speed, such as
AWS CloudFormation, AWS Elastic Beanstalk, AWS CodeDeploy, and AWS Quick
Starts2345. References:
Six advantages of cloud computing - Overview of Amazon Web Services
[AWS CloudFormation]
[AWS Elastic Beanstalk]
[AWS CodeDeploy]
AWS Quick Starts
Question # 44
A network engineer needs to build a hybrid cloud architecture connecting on-premisesnetworks to the AWS Cloud using AWS Direct Connect. The company has a few VPCs in asingle AWS Region and expects to increase the number of VPCs to hundreds over time.Which AWS service or feature should the engineer use to simplify and scale thisconnectivity as the VPCs increase in number?
A. VPC endpoints B. AWS Transit Gateway C. Amazon Route 53 D. AWS Secrets Manager
Answer: B
Explanation: AWS Transit Gateway is a network transit hub that you can use to
interconnect your VPCs and on-premises networks through a central gateway. AWS
Transit Gateway simplifies and scales the connectivity between your on-premises networks
and AWS, as you only need to create and manage a single connection from the central
gateway to each on-premises network, rather than individual connections to each
VPC. You can also use AWS Transit Gateway to connect to other AWS services, such as
thousands of VPCs per gateway, and enables you to peer Transit Gateways across AWS
Regions3.
The other options are not AWS services or features that can simplify and scale the
connectivity between on-premises networks and hundreds of VPCs using AWS Direct Connect. VPC endpoints enable private connectivity between your VPCs and supported
AWS services, but do not support on-premises networks4. Amazon Route 53 is a DNS
service that helps you route internet traffic to your resources, but does not provide network
connectivity5. AWS Secrets Manager is a service that helps you securely store and
manage secrets, such as database credentials and API keys, but does not relate to
network connectivity
Question # 45
A company needs to evaluate its AWS environment and provide best practicerecommendations in five categories: cost, performance, service limits, fault tolerance, andsecurity. Which AWS service can the company use to meet these requirements
A. AWS Shield B. AWS WAF C. AWS Trusted Advisor D. AWS Service Catalog
Answer: C
Explanation: AWS Trusted Advisor is the service that can meet these requirements. AWS
Trusted Advisor is a service that helps you optimize your AWS environment by providing
recommendations based on AWS best practices. Trusted Advisor continuously evaluates
your AWS resources and services across five categories: cost optimization, performance,
service limits, fault tolerance, and security. You can view the recommendations on the Trusted Advisor console or access them programmatically using the Trusted Advisor API.
You can also set up notifications and alerts for any changes in the status of your
checks. Trusted Advisor can help you improve your AWS environment by reducing costs,
enhancing performance, increasing security, and ensuring reliability12. The other services
are not designed to provide best practice recommendations in five categories. AWS Shield
is a service that protects your AWS resources from distributed denial-of-service (DDoS)
attacks. AWS WAF is a service that helps you protect your web applications from common
web exploits. AWS Service Catalog is a service that enables you to create and manage
catalogs of IT services that are approved for use on AWS34 . References: AWS Trusted
A company wants a customized assessment of its current on-premises environment. Thecompany wants to understand its projected running costs in the AWS Cloud.Which AWS service or tool will meet these requirements?
A. AWS Trusted Advisor B. Amazon Inspector C. AWS Control Tower D. Migration Evaluator
Answer: D
Explanation: Migration Evaluator is an AWS service that provides a customized
assessment of your current on-premises environment and helps you build a data-driven
business case for migration to AWS. Migration Evaluator collects and analyzes data from
your on-premises servers, such as CPU, memory, disk, network, and utilization metrics,
and compares them with the most cost-effective AWS alternatives. Migration Evaluator also
helps you understand your existing software licenses and running costs, and provides
recommendations for Bring Your Own License (BYOL) and License Included (LI) options in
AWS. Migration Evaluator generates a detailed report that shows your projected running
costs in the AWS Cloud, along with potential savings and benefits. You can use this report
to support your decision-making and planning for cloud migration. References: Cloud
Business Case & Migration Plan - Amazon Migration Evaluator - AWS, Getting started with
Migration Evaluator
Question # 47
Which AWS service provides the ability to manage infrastructure as code?
A. AWS CodePipeline B. AWS CodeDeploy C. AWS Direct Connect D. AWS CloudFormation
Answer: D
Explanation: The AWS service that provides the ability to manage infrastructure as code is
AWS CloudFormation. Infrastructure as code is a process of defining and provisioning
AWS resources using code or templates, rather than manual actions or scripts. AWS
CloudFormation allows you to create and update stacks of AWS resources based on
predefined templates that describe the desired state and configuration of the resources.
AWS CloudFormation automates and simplifies the deployment and management of AWS
resources, and ensures consistency and repeatability across different environments and
regions. AWS CloudFormation also supports rollback, change sets, drift detection, and
nested stacks features that help you to monitor and control the changes to your infrastructure1.
Question # 48
A company wants to manage its AWS Cloud resources through a web interface.Which AWS service will meet this requirement?
A. AWS Management Console B. AWS CLI C. AWS SDK D. AWS Cloud
Answer: A
Explanation: AWS Management Console is a web application that allows you to manage
and monitor your AWS Cloud resources through a user-friendly interface. You can use the
AWS Management Console to access and experiment with over 150 AWS services, view
and modify your account and billing information, get in-console help from AWS Support,
and customize your dashboard with widgets that display key metrics and information for
your applications567. You can also use the AWS Management Console to launch and
configure AWS resources using wizards and templates, without writing any
CloudFront Documentation, 4: AWS Global Accelerator - Amazon Web Services, 5: AWS
Global Accelerator Documentation
Question # 50
A company is running and managing its own Docker environment on Amazon EC2instances. The company wants an alternative to help manage cluster size, scheduling, andenvironment maintenance.Which AWS service meets these requirements?
A. AWS Lambda B. Amazon RDS C. AWS Fargate D. Amazon Athena
Answer: C
Explanation: AWS Fargate is a serverless compute engine for containers that works with
both Amazon Elastic Container Service (Amazon ECS) and Amazon Elastic Kubernetes
Service (Amazon EKS). AWS Fargate allows you to run containers without having to manage servers or clusters of Amazon EC2 instances. With AWS Fargate, you only pay for
the compute resources you use to run your containers, and you don’t need to worry about
scaling, patching, securing, or maintaining the underlying infrastructure. AWS Fargate
simplifies the deployment and management of containerized applications, and enables you
to focus on building and running your applications instead of managing the
infrastructure. References: AWS Fargate, What is AWS Fargate?
Question # 51
Which AWS services or features give users the ability to create a network connectionbetween two VPCs? (Select TWO.)
A. VPC endpoints B. Amazon Route 53 C. VPC peering D. AWS Direct Connect E. AWS Transit Gateway
Answer: C,E
Explanation: VPC peering and AWS Transit Gateway are two AWS services or features
that give users the ability to create a network connection between two VPCs. VPC peering
is a networking connection between two VPCs that enables you to route traffic between
them privately. You can create a VPC peering connection between your own VPCs, with a
VPC in another AWS account, or with a VPC in a different AWS Region. Traffic between
peered VPCs never traverses the public internet. VPC peering does not support transitive
peering relationships, which means that if VPC A is peered with VPC B, and VPC B is
peered with VPC C, then VPC A and VPC C are not automatically peered789. AWS Transit
Gateway is a networking service that acts as a regional router for your VPCs and onpremises
networks. You can attach up to 5,000 VPCs and VPN connections to a single
transit gateway and route traffic between them. AWS Transit Gateway simplifies the
management and scalability of your network architecture, as you only need to create and
manage a single connection from the central transit gateway to each connected
network. AWS Transit Gateway supports transitive routing, which means that any network
that is attached to the transit gateway can communicate with any other network that is
attached to the same transit gateway . References: 7: VPC peering - Amazon Virtual
According to security best practices, how should an Amazon EC2 instance be given accessto an Amazon S3 bucket?
A. Hard code an IAM user's secret key and access key directly in the application, andupload the file. B. Store the IAM user's secret key and access key in a text file on the EC2 instance, readthe keys, then upload the file. C. Have the EC2 instance assume a role to obtain the privileges to upload the file. D. Modify the S3 bucket policy so that any service can upload to it at any time.
Answer: C
Explanation: According to security best practices, the best way to give an Amazon EC2
instance access to an Amazon S3 bucket is to have the EC2 instance assume a role to
obtain the privileges to upload the file. A role is an AWS Identity and Access Management
(IAM) entity that defines a set of permissions for making AWS service requests. You can
use roles to delegate access to users, applications, or services that don’t normally have
access to your AWS resources. For example, you can create a role that allows EC2
instances to access S3 buckets, and then attach the role to the EC2 instance. This way,
the EC2 instance can assume the role and obtain temporary security credentials to access
the S3 bucket. This method is more secure and scalable than storing or hardcoding IAM
user credentials on the EC2 instance, as it avoids the risk of exposing or compromising the
credentials. It also allows you to manage the permissions centrally and dynamically, and to
audit the access using AWS CloudTrail. For more information on how to create and use
roles for EC2 instances, see Using an IAM role to grant permissions to applications running
on Amazon EC2 instances1
The other options are not recommended for security reasons. Hardcoding or storing IAM
user credentials on the EC2 instance is a bad practice, as it exposes the credentials to
potential attackers or unauthorized users who can access the instance or the application
code. It also makes it difficult to rotate or revoke the credentials, and to track the usage of
the credentials. Modifying the S3 bucket policy to allow any service to upload to it at any
time is also a bad practice, as it opens the bucket to potential data breaches, data loss, or
data corruption. It also violates the principle of least privilege, which states that you should
grant only the minimum permissions necessary for a task.
References: Using an IAM role to grant permissions to applications running on Amazon
EC2 instances
Question # 53
Which of the following is an AWS Well-Architected Framework design principle foroperational excellence in the AWS Cloud?
A. Go global in minutes B. Make frequent, small, reversible changes C. Implement a strong foundation of identity and access management D. Stop spending money on hardware infrastructure for data center operations
Answer: B
Explanation: Making frequent, small, reversible changes is one of the design principles for
operational excellence in the AWS Cloud, as defined by the AWS Well-Architected
Framework. This principle means that you should design your workloads to allow for rapid
and safe changes, such as deploying updates, rolling back failures, and experimenting with
new features. By making small and reversible changes, you can reduce the risk of errors,
minimize the impact of failures, and increase the speed of recovery2. References: 2: AWS
A user has a stateful workload that will run on Amazon EC2 for the next 3 years.What is the MOST cost-effective pricing model for this workload?
A. On-Demand Instances B. Reserved Instances C. Dedicated Instances D. Spot Instances
Answer: B
Explanation: Reserved Instances are a pricing model that offers significant discounts on
Amazon EC2 usage compared to On-Demand Instances. Reserved Instances are suitable
for stateful workloads that have predictable and consistent usage patterns for a long-term
period. By committing to a one-year or three-year term, customers can reduce their total
cost of ownership and optimize their cloud spend. Reserved Instances also provide
capacity reservation, ensuring that customers have access to the EC2 instances they need
when they need them. References: AWS Pricing Calculator, Amazon EC2 Pricing, [AWS
Cloud Practitioner Essentials: Module 3 - Compute in the Cloud]
Question # 55
A company wants to integrate its online shopping website with social media logincredentials.Which AWS service can the company use to make this integration?
A. AWS Directory Service B. AWS Identity and Access Management (IAM) C. Amazon Cognito D. AWS IAM Identity Center (AWS Single Sign-On)
Answer: C
Explanation: Amazon Cognito is a service that enables you to add user sign-up and signin
features to your web and mobile applications. Amazon Cognito also supports social and enterprise identity federation, which means you can allow your users to sign in with their
existing credentials from identity providers such as Google, Facebook, Apple, and Amazon.
Amazon Cognito integrates with OpenID Connect (OIDC) and Security Assertion Markup
Language (SAML) 2.0 protocols to facilitate the authentication and authorization process.
Amazon Cognito also provides advanced security features, such as adaptive
authentication, user verification, and multi-factor authentication
(MFA). References: Amazon Cognito, What is Amazon Cognito?
Question # 56
Which maintenance task is the customer's responsibility, according to the AWS sharedresponsibility model?
A. Physical connectivity among Availability Zones B. Network switch maintenance C. Hardware updates and firmware patches D. Amazon EC2 updates and security patches
Answer: D
Explanation: According to the AWS shared responsibility model, customers are
responsible for managing their data, applications, operating systems, security groups, and
other aspects of their AWS environment. This includes installing updates and security
patches of the guest operating system and any application software or utilities installed by
the customer on the instances. AWS is responsible for protecting the infrastructure that
runs all of the services offered in the AWS Cloud, such as data centers, hardware,
software, networking, and facilities. This includes the physical connectivity among
Availability Zones, the network switch maintenance, and the hardware updates and
Question # 57
A company is using Amazon DynamoDB for its application database.Which tasks are the responsibility of AWS, according to the AWS shared responsibility model? (Select TWO.)
A. Classify data. B. Configure access permissions. C. Manage encryption options. D. Provide public endpoints to store and retrieve data. E. Manage the infrastructure layer and the operating system.
Answer: D,E
Explanation: According to the AWS shared responsibility model, AWS is responsible for
security of the cloud, while customers are responsible for security in the cloud. This means
that AWS is responsible for protecting the infrastructure that runs AWS services, such as
hardware, software, networking, and facilities. Customers are responsible for managing
their data, classifying their assets, and using IAM tools to apply the appropriate
permissions. For abstracted services, such as Amazon DynamoDB, AWS operates the
infrastructure layer, the operating system, and platforms, and provides customers with
public endpoints to store and retrieve data. Customers are responsible for classifying their
data, managing their encryption options, and configuring their access
permissions. References: Shared Responsibility Model, Security and compliance in
Amazon DynamoDB, [AWS Cloud Practitioner Essentials: Module 2 - Security in the Cloud]
Question # 58
A development team wants to deploy multiple test environments for an application in a fastrepeatable manner.Which AWS service should the team use?
A. Amazon EC2 B. AWS CloudFormation C. Amazon QuickSight D. Amazon Elastic Container Service (Amazon ECS)
Answer: B
Explanation: AWS CloudFormation is a service that allows you to model and provision
your AWS resources using templates. You can define your infrastructure as code and
automate the creation and update of your resources. AWS CloudFormation also supports
nested stacks, change sets, and rollback features to help you manage complex and
dynamic environments34. References:
AWS CloudFormation
AWS Certified Cloud Practitioner Exam Guide
Question # 59
Which of the following services can be used to block network traffic to an instance? (Select TWO.)
A. Amazon OpenSearch Service B. AWS Control Tower C. AWS IAM Access Analyzer D. AWS Fargate
Answer: C
Explanation: AWS IAM Access Analyzer is an AWS service that helps customers identify
and review the resources in their AWS account that are shared with an external entity, such
as another AWS account, a root user, an organization, or a public entity. AWS IAM Access
Analyzer uses automated reasoning, a form of mathematical logic and inference, to
analyze the resource-based policies in the account and generate comprehensive findings
that show the access level, the source of the access, the affected resource, and the
condition under which the access applies. Customers can use AWS IAM Access Analyzer to audit their shared resources, validate their access policies, and monitor any changes to
the resource sharing status. References: AWS IAM Access Analyzer, Identify and review
resources shared with external entities, How AWS IAM Access Analyzer works
Question # 60
Which of the following services can be used to block network traffic to an instance? (SelectTWO.)
A. Security groups B. Amazon Virtual Private Cloud (Amazon VPC) flow logs C. Network ACLs D. Amazon CloudWatch E. AWS CloudTrail
Answer: A,C
Explanation: Security groups and network ACLs are two AWS services that can be used
to block network traffic to an instance. Security groups are virtual firewalls that control the
inbound and outbound traffic for your instances at the instance level. You can specify which
protocols, ports, and source or destination IP addresses are allowed or denied for each
instance. Security groups are stateful, which means that they automatically allow return
traffic for any allowed inbound or outbound traffic123. Network ACLs are virtual firewalls
that control the inbound and outbound traffic for your subnets at the subnet level. You can
create rules to allow or deny traffic based on protocols, ports, and source or destination IP
addresses. Network ACLs are stateless, which means that you have to explicitly allow
return traffic for any allowed inbound or outbound traffic456. References: 1: Security
groups for your VPC - Amazon Virtual Private Cloud, 2: Security Groups for Your VPC -
Amazon Elastic Compute Cloud, 3: AWS Security Groups: Everything You Need to
Know, 4: Network ACLs - Amazon Virtual Private Cloud, 5: Control traffic to subnets using
A company wants to migrate its PostgreSQL database to AWS. The company does not usethe database frequently.Which AWS service or resource will meet these requirements with the LEAST managementoverhead?
A. PostgreSQL on Amazon EC2 B. Amazon RDS for PostgreSQL C. Amazon Aurora PostgreSQL-Compatible Edition D. Amazon Aurora Serverless
Answer: D
Explanation: Amazon Aurora Serverless is an on-demand, auto-scaling configuration for
Amazon Aurora PostgreSQL-Compatible Edition. It is a fully managed service that
automatically scales up and down based on the application’s actual needs. Amazon Aurora
Serverless is suitable for applications that have infrequent, intermittent, or unpredictable
database workloads, and that do not require the full power and range of options provided
by provisioned Aurora clusters. Amazon Aurora Serverless eliminates the need to provision
and manage database instances, and reduces the management overhead associated with
database administration tasks such as scaling, patching, backup, and
recovery. References: Amazon Aurora Serverless, Choosing between Aurora Serverless
and provisioned Aurora DB clusters, [AWS Cloud Practitioner Essentials: Module 4 -
Databases in the Cloud]
Question # 63
Which of the following actions are controlled with AWS Identity and Access Management(IAM)? (Select TWO.)
A. Control access to AWS service APIs and to other specific resources. B. Provide intelligent threat detection and continuous monitoring. C. Protect the AWS environment using multi-factor authentication (MFA). D. Grant users access to AWS data centers. E. Provide firewall protection for applications from common web attacks.
Answer: A,C
Explanation: AWS Identity and Access Management (IAM) is a service that enables you
to manage access to AWS services and resources securely. You can use IAM to perform
the following actions:
Control access to AWS service APIs and to other specific resources: You can
create users, groups, roles, and policies that define who can access which AWS
resources and how. You can also use IAM to grant temporary access to users or
applications that need to perform certain tasks on your behalf3
Protect the AWS environment using multi-factor authentication (MFA): You can
enable MFA for your IAM users and root user to add an extra layer of security to
your AWS account. MFA requires users to provide a unique authentication code
from an approved device or SMS text message, in addition to their user name and
password, when they sign in to AWS4
Question # 64
Which mechanism allows developers to access AWS services from application code?
A. AWS Software Development Kit B. AWS Management Console C. AWS CodePipeline D. AWS Config
Answer: A
Explanation: AWS Software Development Kit (SDK) is a set of platform-specific building
tools for developers. It allows developers to access AWS services from application code
using familiar programming languages. It provides pre-built components and libraries that
can be incorporated into applications, as well as tools to debug, monitor, and optimize
performance2. References: What is SDK? - SDK Explained - AWS
Question # 65
A company has a physical tape library to store data backups. The tape library is runningout of space. The company needs to extend the tape library's capacity to the AWS Cloud.Which AWS service should the company use to meet this requirement?
A. Amazon Elastic File System (Amazon EFS) B. Amazon Elastic Block Store (Amazon EBS) C. Amazon S3 D. AWS Storage Gateway
Answer: D
Explanation: AWS Storage Gateway is a hybrid cloud storage service that provides onpremises
access to virtually unlimited cloud storage. You can use AWS Storage Gateway
to simplify storage management and reduce costs for key hybrid cloud storage use cases.
One of these use cases is tape-based backup, which allows you to store data backups on
virtual tapes in the AWS Cloud. You can use the Tape Gateway feature of AWS Storage
Gateway to extend your existing physical tape library to the AWS Cloud. Tape Gateway
provides a virtual tape infrastructure that scales seamlessly with your backup needs and
eliminates the operational burden of provisioning, scaling, and maintaining a physical tape
Balancer, 5: Which characteristic of the AWS Cloud helps users eliminate …
Question # 67
What is a customer responsibility when using AWS Lambda according to the AWS sharedresponsibility model?
A. Managing the code within the Lambda function B. Confirming that the hardware is working in the data center C. Patching the operating system D. Shutting down Lambda functions when they are no longer in use
Answer: A
Explanation: According to the AWS shared responsibility model, AWS is responsible for
the security of the cloud, while customers are responsible for the security in the cloud. This
means that AWS is responsible for the physical servers, networking, and operating system
that run Lambda functions, while customers are responsible for the security of their code
and AWS IAM to the Lambda service and within their function1. Customers need to
manage the code within the Lambda function, such as writing, testing, debugging,
deploying, and updating the code, as well as ensuring that the code does not contain any
vulnerabilities or malicious code that could compromise the security or performance of the
A company that has multiple business units wants to centrally manage and govern its AWSCloud environments. The company wants to automate the creation of AWS accounts, applyservice control policies (SCPs), and simplify billing processes.Which AWS service or tool should the company use to meet these requirements?
A. AWS Organizations B. Cost Explorer C. AWS Budgets D. AWS Trusted Advisor
Answer: A
Explanation: AWS Organizations is an AWS service that enables you to centrally manage
and govern your AWS Cloud environments across multiple business units. AWS
Organizations allows you to create an organization that consists of AWS accounts that you
create or invite to join. You can group your accounts into organizational units (OUs) and
apply service control policies (SCPs) to them. SCPs are a type of policy that specify the
maximum permissions for the accounts in your organization, and can help you enforce
compliance and security requirements. AWS Organizations also simplifies billing processes
by enabling you to consolidate and pay for all member accounts with a single payment
method. You can also use AWS Organizations to automate the creation of AWS accounts
by using APIs or AWS CloudFormation templates. References: What is AWS
A company is building an application that needs to deliver images and videos globally withminimal latency.Which approach can the company use to accomplish this in a cost effective manner?
A. Deliver the content through Amazon CloudFront. B. Store the content on Amazon S3 and enable S3 cross-region replication. C. Implement a VPN across multiple AWS Regions. D. Deliver the content through AWS PrivateLink.
Answer: A
Explanation:
Amazon CloudFront is a fast content delivery network (CDN) service that securely delivers
data, videos, applications, and APIs to customers globally with low latency, high transfer
speeds, all within a developer-friendly environment. It works seamlessly with services
including AWS Shield for DDoS mitigation, Amazon S3, Elastic Load Balancing or Amazon
EC2 as origins for your applications, and Lambda@Edge to run custom code closer to
customers’ users and to customize the user experience. By using CloudFront, you can
cache your content at the edge locations that are closest to your end users, reducing the
network latency and improving the performance of your application. CloudFront also offers
a pay-as-you-go pricing model, so you only pay for the data transfer and requests that you
use.
Question # 71
A company wants to allow users to authenticate and authorize multiple AWS accounts byusing a single set of credentials.Which AWS service or resource will meet this requirem
A. AWS Organizations B. IAM user C. AWS IAM Identity Center (AWS Single Sign-On) D. AWS Control Tower
Answer: C
Explanation: AWS IAM Identity Center (AWS Single Sign-On) is a cloud-based service
that makes it easy to centrally manage single sign-on (SSO) access to multiple AWS
accounts and business applications. You can use AWS SSO to enable your users to sign in
to the AWS Management Console or the AWS Command Line Interface (AWS CLI) with
their existing corporate credentials2. You can also manage SSO access and user
permissions across all your AWS accounts in AWS Organizations3. References: AWS
Single Sign-On - AWS Documentation, AWS Organizations - AWS Documentation
Question # 72
Which AWS service or feature allows a user to establish a dedicated network connectionbetween a company's on-premises data center and the AWS Cloud?
A. AWS Direct Connect B. VPC peering C. AWS VPN D. Amazon Route 53
Answer: A
Explanation: AWS Direct Connect is an AWS service that allows users to establish a
dedicated network connection between their on-premises data center and the AWS Cloud.
This connection bypasses the public internet and provides more predictable network
performance, reduced bandwidth costs, and increased security. Users can choose from
different port speeds and connection types, and use AWS Direct Connect to access AWS
services in any AWS Region globally. Users can also use AWS Direct Connect in
conjunction with AWS VPN to create a hybrid network architecture that combines the
benefits of both private and public connectivity. References: AWS Direct Connect, [AWS
Cloud Practitioner Essentials: Module 3 - Compute in the Cloud]
Question # 73
A company has deployed an application in the AWS Cloud. The company wants to ensurethat the application is highly resilient.Which component of AWS infrastructure can the company use to meet this requirement?
A. Content delivery network (CDN) B. Edge locations C. Wavelength Zones D. Availability Zones
Answer: D
Explanation: Availability Zones are components of AWS infrastructure that can help the
company ensure that the application is highly resilient. Availability Zones are multiple,
isolated locations within each AWS Region. Each Availability Zone has independent power,
cooling, and physical security, and is connected to the other Availability Zones in the same
Region via low-latency, high-throughput, and highly redundant networking. Availability
Zones allow you to operate production applications and databases that are more highly
available, fault tolerant, and scalable than would be possible from a single data center.
Testimonials
CLF-C02 is considered a difficult task for normal learners but now Dumps4download has made everything far more easy for everyone by producing their material suitable even for average students. The more you work the more you gain, same is with their material.
Ashton
I have never met a person who used Dumps4download CLF-C02 study Guide and got disappointed. It brings full satisfaction for you if you work hard. I think it is better because of its simplicity and easiness that suites to all the candidates. I prepared my exams very easily because of its help.
Dee
Study guides are written by so many and everyone likes the one that is more easy to understand for him but Dumps4download CLF-C02 study guide is the one that is favorite for all. That suites all levels of candidates and enhances their performances.
geovanni
CLF-C02 Dumps4download provide a source that gives yo guarantee if you work according to their schedule. I worked according to schedule and aced my exam without any worries.
Aung
Dumps4download CLF-C02 study Guide is of great value for the candidates who are determined to pass the exam. It provides to the point information regarding exam. It was basically its conciseness that saved my time and I could go on with exam during my strict routine also and I passed the exam.
