Question 1:

How can consolidated billing within AWS Organizations help lower overall monthly expenses?

Explanation

You can use the consolidated billing feature in AWS Organizations to consolidate billing and payment for multiple AWS accounts or multiple Amazon Internet Services Pvt. Ltd (AISPL) accounts. Every organization in AWS Organizations has a master (payer) account that pays the charges of all the member (linked) accounts.

Consolidated billing has the following benefits:

One bill – You get one bill for multiple accounts.

Easy tracking – You can track the charges across multiple accounts and download the combined cost and usage data.

Combined usage – You can combine the usage across all accounts in the organization to share the volume pricing discounts, Reserved Instance discounts, and Savings Plans. This can result in a lower charge for your project, department, or company than with individual standalone accounts.

No extra fee – Consolidated billing is offered at no additional cost.


CORRECT: "By pooling usage across multiple accounts to achieve a pricing tier discount" is the correct answer.

INCORRECT: "By providing a consolidated view of monthly billing across multiple accounts" is incorrect. This is useful, but doesn’t lower costs.

INCORRECT: "By automating the creation of new accounts through APIs" is incorrect as this does not lower costs.

INCORRECT: "By leveraging service control policies (SCP) for centralized service management" is incorrect. SCPs are used for controlling the API actions you can use, not for lowering costs.

References:

https://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/consolidated-billing.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 2:

Which AWS service lets you add user sign-up, sign-in and access control to web and mobile apps?

Explanation

Amazon Cognito lets you add user sign-up, sign-in, and access control to your web and mobile apps quickly and easily. Amazon Cognito scales to millions of users and supports sign-in with social identity providers, such as Facebook, Google, and Amazon, and enterprise identity providers via SAML 2.0.

CORRECT: "AWS Cognito" is the correct answer.

INCORRECT: "AWS Artifact" is incorrect. AWS Artifact is your go-to, central resource for compliance-related information that matters to you.

INCORRECT: "AWS CloudHSM" is incorrect. AWS CloudHSM is a cloud-based hardware security module (HSM) that enables you to easily generate and use your own encryption keys on the AWS Cloud.

INCORRECT: "AWS Directory Service" is incorrect. AWS Directory Service for Microsoft Active Directory, also known as AWS Managed Microsoft AD, enables your directory-aware workloads and AWS resources to use managed Active Directory in the AWS Cloud.

References:

https://aws.amazon.com/cognito/

Save time with our AWS cheat sheets:

https://digitalcloud.training/additional-aws-services/

Question 3:

Which of the following are advantages of the AWS Cloud? (Select TWO.)

Explanation

AWS is responsible for security of the AWS Cloud as well as capacity planning and maintenance of the AWS infrastructure. This includes physical infrastructure such as data centers, servers, storage systems, and networking equipment.

CORRECT: "AWS manages the maintenance of the cloud infrastructure" is a correct answer.

CORRECT: "AWS manages capacity planning for physical servers" is also a correct answer.

INCORRECT: "AWS manages the security of applications built on AWS" is incorrect. This is the responsibility of the customer.

INCORRECT: "AWS manages the development of applications on AWS" is incorrect. This is the responsibility of the customer.

INCORRECT: "AWS manages cost planning for virtual servers" is incorrect. This is the responsibility of the customer.

References:

https://aws.amazon.com/compliance/shared-responsibility-model/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-shared-responsibility-model/

Question 4:

Which AWS services are delivered globally rather than regionally? (Select TWO.)

Explanation

Amazon CloudFront is a content delivery network (CDN) service that helps you distribute your static and dynamic content quickly and reliably with high speed globally.

Amazon Route 53 is a highly available and scalable Domain Name System (DNS) web service which is also deployed globally.

CORRECT: "Amazon CloudFront" is the correct answer (as explained above.)

CORRECT: "Amazon Route 53" is also a correct answer (as explained above.)

INCORRECT: "Amazon EC2" is incorrect. You launch EC2 instances within an Availability Zone, not globally.

INCORRECT: "Amazon VPC" is incorrect. A VPC is a regional construct which spans all the Availability Zones within a Region.

INCORRECT: "Amazon RDS" is incorrect. You also choose to launch RDS instances within an Availability Zone, not globally.

References:

https://aws.amazon.com/cloudfront/

https://aws.amazon.com/route53/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-global-infrastructure/

Question 5:

Which of the following need to be included in a total cost of ownership (TCO) analysis? (Select TWO.)

Explanation

To perform a TCO analysis, you need to document all of the costs you’re incurring today to run your IT operations. That includes facilities equipment installation and data center security costs. That way you can compare the full cost of running your IT on-premises today with the cost of running it in the cloud.

CORRECT: "Facility equipment installation" is a correct answer.

CORRECT: "Data center security costs" is also a correct answer.

INCORRECT: "IT Manager salary" is incorrect. The IT manager’s salary should not be included, as it will still need to be paid when the organization moves to the cloud.

INCORRECT: "Application development" is incorrect. Application development still needs to continue as you will still have applications running in the cloud.

INCORRECT: "Company-wide marketing" is incorrect. Company-wide marketing campaigns are unaffected by moving to the cloud.

References:

https://aws.amazon.com/tco-calculator/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 6:

Which of the following are architectural best practices for the AWS Cloud? (Select TWO.)

Explanation

It is an architectural best practice to deploy your resources into multiple availability zones and design for fault tolerance. These both ensure that if resources or infrastructure fails, your application continues to run.

CORRECT: "Deploy into multiple Availability Zones" is a correct answer.

CORRECT: "Design for fault tolerance" is also a correct answer.

INCORRECT: "Deploy into a single availability zone" is incorrect. You should not deploy all of your resources into a single availability zone as any infrastructure failure will take down access to your resources.

INCORRECT: "Close coupling" is incorrect. Close coupling is not an architectural best practice – loose coupling is. With loose coupling you reduce interdependencies between components of an application and often put a middle layer such as a message bus between components.

INCORRECT: "Create monolithic architectures" is incorrect. You should not create monolithic architectures. With monolithic architectures you have a single instance running multiple components of the application. If any of these components fails, your application fails. It is better to design microservices architectures where components are spread across more instances.

References:

https://aws.amazon.com/architecture/well-architected/

Save time with our AWS cheat sheets:

https://digitalcloud.training/architecting-for-the-cloud/

Question 7:

Which actions are the responsibility of AWS, according to the AWS shared responsibility model? (Select TWO.)

Explanation

Security of the virtualization layer comes down to the responsibility of AWS, as the AWS customer has no insight into this layer within the physical infrastructure.

Patching the operating system on Amazon RDS instances is AWS’s responsibility as Amazon RDS is a managed service. As part of this, you do not need to manage or patch the operating system within the RDS database.

CORRECT: "Securing the virtualization layer" is the correct answer (as explained above.)

CORRECT: "Patching the operating system on Amazon RDS instances" is also a correct answer (as explained above.)

INCORRECT: "Patching the operating system on Amazon EC2 instances" is incorrect as an Amazon EC2 instance is an Infrastructure as a Service tool, in which you have direct access to the underlying virtual machine. Therefore it is your responsibility to patch the operating system on any EC2 instance you use.

INCORRECT: "Enforcing a strict password policy for IAM users" is incorrect. It would be the responsibility of an AWS customer to regulate the password policy of IAM users.

INCORRECT: "Configuring security groups and network ACLs" is incorrect. It would be the responsibility of an AWS customer to configure security groups and network ACLs.

References:

https://aws.amazon.com/compliance/shared-responsibility-model/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-shared-responsibility-model/

Question 8:

What is the most cost-effective Amazon S3 storage tier for data that is not often accessed but requires high availability?

Explanation

S3 Standard-IA is for data that is accessed less frequently, but requires rapid access when needed. S3 Standard-IA offers the high durability, high throughput, and low latency of S3 Standard with 99.9% availability.

CORRECT: "Amazon S3 Standard-IA" is the correct answer.

INCORRECT: "Amazon S3 Standard" is incorrect as this class will cost more and is designed for data that requires regular access.

INCORRECT: "Amazon S3 One Zone-IA" is incorrect. S3 One Zone-IA is for data that is accessed less frequently, but requires rapid access when needed. Unlike other S3 Storage Classes which store data in a minimum of three Availability Zones (AZs), S3 One Zone-IA stores data in a single AZ and offers lower availability.

INCORRECT: "Amazon Glacier" is incorrect. Glacier is a data archiving solution so not suitable for a storage tier that requires infrequent access.

References:

https://aws.amazon.com/s3/storage-classes/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-storage-services/

Question 9:

An organization is migrating to AWS Cloud. During the migration, the company needs consulting and guidance on its applications. Upon completion of the migration, the company requires a response within 30 minutes in the event of a business-critical system failure.

Which AWS Support plans meet these requirements? (Select TWO.)

Explanation

AWS Enterprise Support is a support plan which provides a less than 15 minutes response time for business-critical system failure, and AWS Enterprise On-Ramp provides a less than 30 minutes response time for business-critical system failure.

CORRECT: "AWS Enterprise Support" is the correct answer (as explained above.)

CORRECT: "AWS Enterprise On-Ramp Support" is also a correct answer (as explained above.)

INCORRECT: "AWS Developer Support" is incorrect. AWS Developer Support is a support plan which provides a less than 12-hour response time for system impaired cases and has no guarantee on business-critical system down.

INCORRECT: "AWS Basic Support" is incorrect. The only support you can get via business support is for billing queries.

INCORRECT: "AWS Business Support" is incorrect. AWS Business Support is a support plan which provides a less than 1 hour response time for production system impaired cases and has no guarantee on business-critical system down.

References:

https://aws.amazon.com/premiumsupport/plans/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 10:

When an Amazon EC2 instance is stopped, which of the following AWS services can be used to identify the user who stopped it?

Explanation

AWS CloudTrail tracks API calls that are made within a particular AWS account. It tracks the API call made, the IP address it originated from, and which IAM principal initiated the action, and in this case will capture who stopped an EC2 instance.

CORRECT: "AWS CloudTrail" is the correct answer (as explained above.)

INCORRECT: "Amazon Inspector" is incorrect. Inspector is a fully managed vulnerability assessment tool and does not investigate who initiated any API call.

INCORRECT: "Amazon CloudWatch" is incorrect. Amazon CloudWatch is a monitoring and observability service which does not track API calls made within the account.

INCORRECT: "VPC Flow Logs" is incorrect. VPC Flow Logs is a feature that enables you to capture information about the IP traffic going to and from network interfaces in your VPC.

References:
https://aws.amazon.com/cloudtrail/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 11:

What are two components of Amazon S3? (Select TWO.)

Explanation

Amazon S3 is an object-based storage system that is accessed using a RESTful API over HTTP(S). It consists of buckets, which are root level folders, and objects, which are the files, images etc. that you upload.

The terms directory, file system and block device do not apply to Amazon S3.

CORRECT: "Buckets" is a correct answer.

CORRECT: "Objects" is also a correct answer.

INCORRECT: "Directories" is incorrect as explained above.

INCORRECT: "Block devices" is incorrect as explained above.

INCORRECT: "File systems" is incorrect as explained above.

References:

https://docs.aws.amazon.com/AmazonS3/latest/dev/Welcome.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-storage-services/

Question 12:

Which of the following security related activities are AWS customers responsible for? (Select TWO.)

Explanation

Customers are responsible for configuring their own IAM password policies and installing operating system patches on Amazon EC2 instances.

AWS are responsible for installing patches on physical hardware devices, data center access controls and secure disposal of disk drives.

CORRECT: "Installing patches on Windows operating systems" is the correct answer.

CORRECT: "Implementing IAM password policies" is the correct answer.

INCORRECT: "Secure disposal of faulty disk drives" is incorrect as this is an AWS responsibility.

INCORRECT: "Implementing data center access controls" is incorrect as this is an AWS responsibility.

INCORRECT: "Installing patches on network devices" is incorrect as this is an AWS responsibility.

References:

https://aws.amazon.com/compliance/shared-responsibility-model/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-shared-responsibility-model/

Question 13:

A system administrator discovers that several Amazon EC2 instances have been terminated. It is the responsibility of the system administrator to identify the user or AWS API call that terminated these instances.

Which AWS service should the system administrator use to meet this requirement?

Explanation

AWS CloudTrail tracks API calls that are made within a particular AWS account. It tracks the API call made, the IP address it originated from, and which IAM principal initiated the action.

CORRECT: "AWS CloudTrail" is the correct answer (as explained above.)

INCORRECT: "AWS Trusted Advisor" is incorrect. AWS Trusted Advisor provides recommendations that help you follow AWS best practices. Trusted Advisor evaluates your account by using checks. These checks identify ways to optimize your AWS infrastructure, improve security and performance, reduce costs, and monitor service quotas. You can then follow the check recommendations to optimize your services and resources.

INCORRECT: "Amazon Inspector" is incorrect. Inspector is a fully managed vulnerability assessment tool, which doesn’t track who is performing what actions within an account.

INCORRECT: "Amazon Detective" is incorrect. Amazon Detective automatically collects log data from your AWS resources and uses machine learning, statistical analysis, and graph theory to build a linked set of data that enables you to easily conduct faster and more efficient security investigations. It does not however track API calls within an account.

References:

https://aws.amazon.com/cloudtrail/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 14:

The ability to horizontally scale Amazon EC2 instances based on demand is an example of which concept?

Explanation

Elasticity is the ability to dynamically adjust the capacity of a service or resource based on demand. Scaling can be vertical (e.g. increase instance size) or horizontal (e.g. add more EC2 instances).

CORRECT: "Elasticity" is the correct answer.

INCORRECT: "Economy of scale" is incorrect. This refers to pricing benefits based on AWS purchasing large amounts of resources.

INCORRECT: "High availability" is incorrect. This is an example of resilience.

INCORRECT: "Agility" is incorrect. This is an example of flexibility and speed of implementation.

References:

https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Save time with our AWS cheat sheets:

https://digitalcloud.training/architecting-for-the-cloud/

Question 15:

In AWS IAM, what are the characteristics of users and groups? (Select TWO.)

Explanation

In IAM, a user can be a member of multiple groups. One IAM user can be a part of a maximum of 5 groups. Also, groups are a flat hierarchy of users with similar permissions, and you cannot place a group within another group.

CORRECT: "A user can be a member of multiple groups" is the correct answer (as explained above.)

CORRECT: "Groups can contain users only and cannot be nested" is also a correct answer (as explained above.)

INCORRECT: "Groups can be nested and can contain other groups" is incorrect. This is also explained above.

INCORRECT: "A user can only be a member of a single group at one time" is incorrect. A user group can contain many users, and a user can belong to multiple user groups.

INCORRECT: "All new users are automatically added to a default group" is incorrect. Users do not have to be added to any group and can exist simply as users.

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_groups.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 16:

An organization has an on-premises cloud and accesses their AWS Cloud over the Internet. How can they create a private hybrid cloud connection that avoids the internet?

Explanation

AWS Direct Connect is a low-latency, high-bandwidth, private connection to AWS. This can be used to create a private hybrid cloud connection between on-premises and the AWS Cloud.

CORRECT: "AWS Direct Connect" is the correct answer.

INCORRECT: "AWS Managed VPN" is incorrect. AWS Managed VPN uses the Internet for network connections, so it is not creating a private connection. The connection is secured but uses the Internet.

INCORRECT: "AWS VPN CloudHub" is incorrect. AWS VPN CloudHub uses the Internet for network connections, so it is not creating a private connection. The connection is secured but uses the Internet.

INCORRECT: "AWS VPC Endpoint" is incorrect. An AWS VPC Endpoint is a PrivateLink connection that connects an AWS public service to a VPC using a private connection. This does not connect on-premises environments to AWS.

References:

https://aws.amazon.com/directconnect/faqs/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-networking-services/

Question 17:

Which service can be used to assign a policy to a group?

Explanation

IAM is used to securely control individual and group access to AWS resources. Groups are collections of users and have policies attached to them. You can use IAM to attach a policy to a group.

CORRECT: "AWS IAM" is the correct answer.

INCORRECT: "Amazon Cognito" is incorrect. Amazon Cognito is used for authentication using mobile apps.

INCORRECT: "AWS STS" is incorrect. The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).

INCORRECT: "AWS Shield" is incorrect. AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS.

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-identity-and-access-management/

Question 18:

An organization has multiple AWS accounts and uses a mixture of on-demand and reserved instances. One account has a considerable amount of unused reserved instances. How can the organization reduce their costs? (Select TWO.)

Explanation

AWS Organizations allows you to consolidate multiple AWS accounts into an organization that you create and centrally manage. Unused reserved instances (RIs) for EC2 are applied across the group, so the organization can utilize its unused reserved instances instead of consuming on-demand instances, which will lower its costs.

CORRECT: "Create an AWS Organization configuration linking the accounts" is the correct answer.

CORRECT: "Setup consolidated billing between the accounts" is the correct answer.

INCORRECT: "Use Spot instances instead" is incorrect. Spot instance pricing is variable so it is not guaranteed to lower the cost and it is not suitable for workloads that cannot be unexpectedly terminated by AWS.

INCORRECT: "Redeem their reserved instances" is incorrect. You cannot redeem your reserved instances. You can sell them on the AWS marketplace, however.

INCORRECT: "Switch to using placement groups" is incorrect. Using placement groups will not lower their costs.

References:

https://docs.aws.amazon.com/organizations/latest/userguide/orgs_introduction.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 19:

When performing a total cost of ownership (TCO) analysis between on-premises and the AWS Cloud, which factors are only relevant to on-premises deployments? (Select TWO.)

Explanation

Facility operations and hardware procurement costs are something you no longer need to pay for in the AWS Cloud. These factors therefore must be included as an on-premise cost so you can understand the cost of staying in your own data centers.

Database administration, operating system licensing and application licensing will still be required in the AWS Cloud.

CORRECT: "Hardware procurement teams" is a correct answer.

CORRECT: "Facility operations costs" is also a correct answer.

INCORRECT: "Operating system licensing" is incorrect as these are factors that are relevant to both on-premise and the cloud.

INCORRECT: "Database administration" is incorrect as these are factors that are relevant to both on-premise and the cloud.

INCORRECT: "Application licensing" is incorrect as these are factors that are relevant to both on-premise and the cloud.

References:

https://media.amazonwebservices.com/AWS_TCO_Web_Applications.pdf

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 20:

Which service can be used to improve performance for users around the world?

Explanation

Amazon CloudFront is a content delivery network (CDN) that caches content at Edge Locations around the world. This gets the content closer to users which improves performance.

CORRECT: "Amazon CloudFront" is the correct answer.

INCORRECT: "AWS LightSail" is incorrect. AWS LightSail is a compute service that offers a lower cost and easier to use alternative to Amazon EC2.

INCORRECT: "Amazon Connect" is incorrect. Amazon Connect is a self-service, cloud-based contact center service that makes it easy for any business to deliver better customer service at lower cost.

INCORRECT: "Amazon ElastiCache" is incorrect. Amazon ElastiCache is a caching service for databases. Though it does improve read performance for database queries, it is not a global service that is designed to improve performance for users around the world.

References:

https://aws.amazon.com/cloudfront/faqs/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-content-delivery-and-dns-services/

Question 21:

Which type of AWS Storage Gateway can be used to backup data with popular backup software?

Explanation

The AWS Storage Gateway service enables hybrid storage between on-premises environments and the AWS Cloud.

The Gateway Virtual Tape Library can be used with popular backup software such as NetBackup, Backup Exec and Veeam. It uses a virtual media changer and tape drives.

CORRECT: "Gateway Virtual Tape Library" is the correct answer.

INCORRECT: "File Gateway" is incorrect. File gateway provides a virtual on-premises file server, which enables you to store and retrieve files as objects in Amazon S3.

INCORRECT: "Volume Gateway" is incorrect. The volume gateway represents the family of gateways that support block-based volumes, previously referred to as gateway-cached and gateway-stored modes.

INCORRECT: "Backup Gateway" is incorrect. There is no such thing as a Backup Gateway in the AWS products.

References:

https://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/additional-aws-services/

Question 22:

What is the main benefit of the principle of “loose coupling”?

Explanation

As application complexity increases, a desirable attribute of an IT system is that it can be broken into smaller, loosely coupled components. This means that IT systems should be designed in a way that reduces interdependencies—a change or a failure in one component should not cascade to other components.

CORRECT: "Reduce interdependencies so a failure in one component does not cascade to other components" is the correct answer.

INCORRECT: "Reduce operational complexity" is incorrect. Loose coupling does not reduce operational complexity. In fact, it may increase complexity as you have more services running and more interactions.

INCORRECT: "Automate the deployment of infrastructure using code" is incorrect. This is an example of “Infrastructure as code” – services such as CloudFormation provide this functionality.

INCORRECT: "Enables applications to scale automatically based on current demand" is incorrect. This is an example of Elasticity.

References:

https://aws.amazon.com/architecture/well-architected/

Save time with our AWS cheat sheets:

https://digitalcloud.training/architecting-for-the-cloud/

Question 23:

Which AWS service monitors AWS accounts continuously for malicious activity and unauthorized behavior?

Explanation

Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation.

CORRECT: "Amazon GuardDuty" is the correct answer (as explained above.)

INCORRECT: "Amazon Macie" is incorrect. Amazon Macie helps identify PII data within S3 buckets and does not detect threats.

INCORRECT: "AWS Config" is incorrect. AWS Config is a service that enables you to assess, audit, and evaluate the configurations of your AWS resources. Config continuously monitors and records your AWS resource configurations and allows you to automate the evaluation of recorded configurations against desired configurations. It does not detect threats.

INCORRECT: "Amazon Inspector" is also incorrect, as Inspector is a fully managed vulnerability assessment tool - it doesn’t detect threats.

References:

https://aws.amazon.com/guardduty/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 24:

In order to perform analytical tasks, a company needs a data warehouse. Standard SQL queries must be supported by the data warehouse.

Which AWS service meets these requirements?

Explanation

Amazon Redshift uses SQL to analyze structured and semi-structured data across data warehouses, operational databases, and data lakes, using AWS-designed hardware and machine learning to deliver the best price performance at any scale.

Data warehouses are built on databases designed for online analytics processing (OLAP) use cases.

CORRECT: "Amazon Redshift" is the correct answer (as explained above.)

INCORRECT: "Amazon Athena" is incorrect. Amazon Athena is a serverless query service which you can use to query S3 using standard SQL.

INCORRECT: "Amazon EMR" is incorrect. Amazon EMR is a cloud big data platform for running large-scale distributed data processing jobs, interactive SQL queries, and machine learning (ML) applications using open-source analytics frameworks such as Apache Spark, Apache Hive, and Presto.

INCORRECT: "Amazon RDS" is incorrect. RDS is typically used as an online transaction processing (OLTP) database rather than an OLAP database.

References:

https://aws.amazon.com/redshift/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-database-services/

Question 25:

What is the benefit of using fully managed services compared to deploying 3rd party software on EC2?

Explanation

Fully managed services reduce your operational overhead as AWS manage not just the infrastructure layer but the service layers above it. Examples are Amazon Aurora and Amazon ElastiCache where the database is managed for you.

CORRECT: "Reduced operational overhead" is the correct answer.

INCORRECT: "You don’t need to back-up your data" is incorrect. You do still need to backup your data. For instance, with Amazon ElastiCache it’s up to you to configure backups to S3.

INCORRECT: "Improved security" is incorrect. Security is not necessarily improved by managing your own software stack. AWS are extremely good at securing their services and there is arguably less chance that they will expose vulnerabilities than a customer who deploys their own applications.

INCORRECT: "You have greater control and flexibility" is incorrect. You do not have greater control and flexibility with fully managed services. AWS take more responsibility for providing the service and you therefore have fewer options. For example you may not be able to configure the performance parameters of a database as you’d like to or use your own backup or operational software.

Save time with our AWS cheat sheets:

https://digitalcloud.training/architecting-for-the-cloud/

Question 26:

An IT company requires a private, encrypted channel of communication between its on-premises data center and a VPC in the AWS Cloud.

Which AWS service or feature meets this requirement?

Explanation

AWS PrivateLink provides private connectivity between VPCs, AWS services, and your on-premises networks, without exposing your traffic to the public internet.

CORRECT: "AWS PrivateLink" is the correct answer (as explained above.)

INCORRECT: "VPC endpoints" is incorrect. A VPC endpoint enables users to privately connect their VPC to supported AWS services and does not connect AWS to an on-premises network.

INCORRECT: "AWS Global Accelerator" is incorrect. AWS Global Accelerator is a networking service that improves the performance of your users’ traffic by up to 60% using Amazon Web Services’ global network infrastructure. When the internet is congested, AWS Global Accelerator optimizes the path to your application to keep packet loss, jitter, and latency consistently low. It is not used as a tool to communicate between your VPC and on-premises environments.

INCORRECT: "AWS Site-to-Site VPN" is incorrect because, although traffic can be encrypted between a VPC and on-premises environments, it travels over the public internet and is therefore not suitable for the needs of the IT company.

References:

https://aws.amazon.com/privatelink/?

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-networking-services/

Question 27:

Which of the following is an architectural best practice recommended by AWS?

Explanation

It is recommended that you design for failure. This means always considering what would happen if a component of an application fails and ensuring there is resilience in the architecture.

CORRECT: "Design for failure" is the correct answer.

INCORRECT: "Design for success" is incorrect. Design for success sounds good, but this is not an architectural best practice. As much as we want our applications to be successful, we should always be cognizant of the potential failures that might occur and ensure we are prepared for them.

INCORRECT: "Think servers, not services" is incorrect. AWS do not recommend that you “think servers, not services”. What they do recommend is that you “think services, not servers”. This means that you should consider using managed services and serverless services rather than just using Amazon EC2.

INCORRECT: "Use manual operational processes" is incorrect. You should not use manual operational processes; this is not an architectural best practice. You should automate as much as possible in the cloud.

References:

https://aws.amazon.com/architecture/well-architected/

Save time with our AWS cheat sheets:

https://digitalcloud.training/architecting-for-the-cloud/

Question 28:

Which storage type can be mounted using the NFS protocol to many EC2 instances simultaneously?

Explanation

EFS is a fully-managed service that makes it easy to set up and scale file storage in the Amazon Cloud. EFS uses the NFSv4.1 protocol. It can concurrently connect 1 to 1000s of EC2 instances, from multiple AZs.

CORRECT: "Amazon EFS" is the correct answer.

INCORRECT: "Amazon Instance Store" is incorrect. Amazon Instance Store is a type of ephemeral block-based volume that can be attached to a single EC2 instance at a time.

INCORRECT: "Amazon EBS" is incorrect. EBS volumes can only be attached to a single EC2 instance at a time and are block devices (not NFS).

INCORRECT: "Amazon S3" is incorrect. Amazon S3 is an object store and is connected to using a RESTful protocol over HTTP.

References:

https://aws.amazon.com/efs/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-storage-services/

Question 29:

Which of the following is a benefit of moving to the AWS Cloud?

Explanation

With the AWS cloud you pay for what you use. This is a significant advantage compared to on-premises infrastructure where you need to purchase more equipment than you need to allow for peak capacity. You also need to pay for that equipment upfront.

CORRECT: "Pay for what you use" is the correct answer.

INCORRECT: "Outsource all IT operations" is incorrect. You do not outsource all IT operations when moving to the AWS Cloud. AWS provide some higher-level managed services which reduce your operational effort but do not eliminate it.

INCORRECT: "Capital purchases" is incorrect. Capital purchases are not a benefit of moving to the cloud. The AWS Cloud is mostly an operational expenditure which is favored by many CFOs.

INCORRECT: "Long term commitments" is incorrect. You do not need to enter into long-term commitments with the AWS Cloud. There are options for 1- or 3-year commitments to lower prices with some services, but this is not an advantage of the cloud.

References:

https://aws.amazon.com/pricing/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 30:

Which of the following can be assigned to an IAM user? (Select TWO.)

Explanation

An IAM user is an entity that represents a person or service. Users can be assigned an access key ID and secret access key for programmatic access to the AWS API, CLI, SDK, and other development tools, and a password for access to the management console.

CORRECT: "An access key ID and secret access key" is the correct answer.

CORRECT: "A password for access to the management console" is the correct answer.

INCORRECT: "An SSL/TLS certificate" is incorrect. You cannot assign an SSL/TLS certificate to a user.

INCORRECT: "A key pair" is incorrect. Key pairs are used with Amazon EC2 as a method of using public key encryption to securely access EC2 instances.

INCORRECT: "A password for logging into Linux" is incorrect. You cannot assign an IAM user a password for logging into a Linux instance.

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-identity-and-access-management/

Question 31:

When a company moves an on-premises, internet-facing website to the AWS Cloud, what benefits does it obtain? (Select TWO.)

Explanation

Website capacity expanding and contracting is a sign of elasticity, and this is one of the most popular benefits of moving to the cloud. This is defined as the ability to acquire resources as you need them and release resources when you no longer need them.

Also, when you move to the cloud you do not pay upfront for your resources as standard, and you move to an OPEX (operational expenditure) model.

CORRECT: "Website capacity can expand or contract as website traffic changes" is the correct answer (as explained above.)

CORRECT: "The company can take advantage of the pay-as-you-go pricing model" is also a correct answer (as explained above.)

INCORRECT: "Data that is stored in the AWS Cloud is automatically encrypted" is incorrect as this sits on the customer side of the AWS Shared responsibility model and is therefore not enabled automatically.

INCORRECT: "AWS automatically provides the company with the lowest-cost pricing model" is incorrect. This is simply not true, as the price varies widely depending on many different features.

INCORRECT: "The website shows up with higher priority in internet search engines" is incorrect. Search Engine Optimization (SEO) sits entirely outside of the realm of AWS, and you do not gain any SEO benefits from moving to the cloud.

References:

https://docs.aws.amazon.com/whitepapers/latest/aws-overview/six-advantages-of-cloud-computing.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-cloud-computing-concepts/

Question 32:

Which AWS service enables hybrid cloud storage between on-premises and the AWS Cloud?

Explanation

The AWS Storage Gateway service enables hybrid cloud storage between on-premises environments and the AWS Cloud. It seamlessly integrates on-premises enterprise applications and workflows with Amazon’s block and object cloud storage services through industry standard storage protocols.

CORRECT: "AWS Storage Gateway" is the correct answer.

INCORRECT: "Amazon S3 Cross Region Replication (CRR)" is incorrect. Amazon S3 CRR is used for copying data from one S3 bucket to another S3 bucket in another region. That is not an example of hybrid cloud.

INCORRECT: "Amazon Elastic File System (EFS)" is incorrect. Amazon EFS is not a hybrid cloud storage solution. With EFS you can mount file systems from on-premises servers, however it does not offer a local cache or method of moving data into the cloud.

INCORRECT: "Amazon CloudFront" is incorrect. Amazon CloudFront is a content delivery network. It is used to get content closer to users; it is not a hybrid cloud storage solution.

References:

https://docs.aws.amazon.com/storagegateway/latest/userguide/WhatIsStorageGateway.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-storage-services/

Question 33:

When storing passwords on AWS, what is the MOST secure method?

Explanation

AWS Secrets Manager helps you protect secrets needed to access your applications, services, and IT resources. The service enables you to easily rotate, manage, and retrieve database credentials, API keys, and other secrets throughout their lifecycle. Users and applications retrieve secrets with a call to Secrets Manager APIs, eliminating the need to hardcode sensitive information in plain text.

CORRECT: "Store passwords in AWS Secrets Manager" is the correct answer (as explained above.)

INCORRECT: "Store passwords in an Amazon S3 bucket" is incorrect. Although you can encrypt information within your S3 bucket, it is not as secure as using AWS Secrets Manager.

INCORRECT: "Store passwords as AWS CloudFormation parameters" is incorrect. Although you can store parameters, it is not the safest and most secure way of storing passwords and doesn’t have the added functionality that AWS Secrets Manager does.

INCORRECT: "Store passwords in AWS Storage Gateway." is incorrect. Storage Gateway is a hybrid storage service which is not suitable for storing passwords.

References:

https://aws.amazon.com/secrets-manager/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 34:

A company wants to push VPC flow logs to Amazon S3.

What action is the company responsible for under the Shared Responsibility Model?

Explanation

The company is responsible for enabling encryption on the bucket because the customer is responsible for the data within the bucket, and the way it is protected using things like Bucket Policies, permissions, and encryption.

CORRECT: "Managing the encryption options on the S3 bucket" is the correct answer (as explained above.)

INCORRECT: "Managing the infrastructure that runs the S3 bucket" is incorrect. AWS manages the physical infrastructure underlying the cloud and the customer has no insight or input into this.

INCORRECT: "Managing the data in transit" is incorrect. When you push VPC flow logs to S3 this will be done over the AWS backbone, meaning that it will be encrypted by default and the customer has no insight into this.

INCORRECT: "Managing the operating system updates on the S3 bucket" is incorrect. Amazon S3 gives no exposure to the underlying operating system to the end-user, and the user interacts with the S3 console, CLI, or API and has no insight into the underlying operating system.

References:

https://aws.amazon.com/compliance/shared-responsibility-model/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-shared-responsibility-model/

Question 35:

How does “elasticity” benefit an application design?

Explanation

Elasticity refers to the automatic scaling of resources based on demand. The benefit is that you provision only the necessary resources at a given time (optimizing cost) and don’t have to worry about absorbing spikes in demand.

CORRECT: "By automatically scaling resources based on demand" is the correct answer.

INCORRECT: "By reducing interdependencies between application components" is incorrect. Elasticity does not reduce interdependencies between systems – this is known as loose coupling.

INCORRECT: "By selecting the correct storage tier for your workload" is incorrect. Selecting the correct storage tier would be an example of right-sizing, not elasticity.

INCORRECT: "By reserving capacity to reduce cost" is incorrect. Reserving capacity to reduce cost refers to using reservations such as EC2 Reserved Instances.

References:

https://wa.aws.amazon.com/wat.concept.elasticity.en.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/architecting-for-the-cloud/

Question 36:

Which statement is true in relation to data stored within an AWS Region?

Explanation

Data stored within an AWS region is not replicated outside of that region automatically. It is up to customers of AWS to determine whether they want to replicate their data to other regions. You must always consider compliance and network latency when making this decision.

CORRECT: "Data is not replicated outside of a region unless you configure it" is the correct answer.

INCORRECT: "Data is always replicated to another region" is incorrect. Data is never replicated outside of a region unless you configure it.

INCORRECT: "Data is automatically archived after 90 days" is incorrect. Data is never automatically archived. You must configure data to be archived.

INCORRECT: "Data is always automatically replicated to at least one other availability zone" is incorrect. Data is not automatically replicated to at least one availability zone – this is specific to each service and you must check how your data is stored and whether the availability and durability are acceptable.

References:

https://d1.awsstatic.com/whitepapers/Security/AWS_Security_Best_Practices.pdf

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-storage-services/

Question 37:

It is necessary for a company to have access to scalable, highly reliable, and fully managed file storage that runs on the Server Message Block (SMB) protocol.

Which AWS service will meet these requirements?

Explanation

Amazon FSx for Windows File Server provides fully managed Microsoft Windows file servers, backed by a fully native Windows file system. Amazon FSx supports a broad set of enterprise Windows workloads with fully managed file storage built on Microsoft Windows Server. Amazon FSx has native support for Windows file system features and for the industry-standard Server Message Block (SMB) protocol to access file storage over a network.

CORRECT: "Amazon FSx for Windows File Server" is the correct answer (as explained above.)

INCORRECT: "Amazon S3" is incorrect, as Amazon S3 is an object storage service, and does not use the SMB protocol.

INCORRECT: "Amazon Elastic File System (Amazon EFS)" is incorrect. Although it is a file system, it is a Linux-based file system which uses the NFS protocol, not SMB like a Windows server.

INCORRECT: "Amazon Elastic Block Store (Amazon EBS)" is incorrect. This service is a block-based storage system, not a file-based storage system. SMB is a file-based storage protocol.

References:

https://aws.amazon.com/fsx/windows/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-storage-services/

Question 38:

The AWS acceptable use policy for penetration testing allows?

Explanation

AWS customers are welcome to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for the following eight services:

• Amazon EC2 instances, NAT Gateways, and Elastic Load Balancers.

• Amazon RDS.

• Amazon CloudFront.

• Amazon Aurora.

• Amazon API Gateways.

• AWS Lambda and Lambda Edge functions.

• Amazon LightSail resources.

• Amazon Elastic Beanstalk environments.

CORRECT: "Customers to carry out security assessments or penetration tests against their AWS infrastructure without prior approval for selected services" is the correct answer.

INCORRECT: "Customers to carry out security assessments or penetration tests against their AWS infrastructure after obtaining authorization from AWS" is incorrect as you do not need authorization.

INCORRECT: "AWS to perform penetration testing against customer resources without notification" is incorrect as AWS will not perform penetration testing on customer resources.

INCORRECT: "Authorized security assessors to perform penetration tests against any AWS customer without authorization" is incorrect. This is not something that is authorized.

References:

https://aws.amazon.com/security/penetration-testing/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 39:

What does an organization need to do to move to another AWS region?

Explanation

You don’t need to do anything except start deploying resources in the new region. With the AWS cloud you can use any region around the world at any time. There is no need for a separate account, and IAM is a global service.

CORRECT: "Just start deploying resources in the additional region" is the correct answer.

INCORRECT: "Create a separate IAM account for that region" is incorrect as IAM is a global service.

INCORRECT: "Apply for another AWS account in that region" is incorrect as you can use IAM across Regions and do not need another account.

INCORRECT: "Submit an application to extend their account to the additional region" is incorrect as you do not need to extend accounts across Regions.

References:

https://aws.amazon.com/iam/faqs/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-identity-and-access-management/

https://digitalcloud.training/aws-global-infrastructure/

Question 40:

AWS Business Support customers have access to which of the following?

Explanation

The AWS Health API is available to all Business, Enterprise On-Ramp, or Enterprise Support customers. You can use the API operations to get information about events that might affect your AWS services and resources.

CORRECT: "AWS Health API" is the correct answer (as explained above.)

INCORRECT: "AWS DDoS Response Team (DRT)" is incorrect. This is not available through a support plan, but through the AWS Shield Advanced service.

INCORRECT: "AWS technical account manager (TAM)" is incorrect. You get a dedicated AWS TAM when you have Enterprise Support, and you get access to a pool of TAMs when you are using Enterprise On-Ramp.

INCORRECT: "AWS Support concierge" is incorrect. This is only available to Enterprise Support customers.

References:

https://docs.aws.amazon.com/health/latest/ug/health-api.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-cloud-management-services/

Question 41:

Which tool can be used to create alerts when the actual or forecasted cost of AWS services exceeds a certain threshold?

Explanation

AWS Budgets gives you the ability to set custom budgets that alert you when your costs or usage exceed (or are forecasted to exceed) your budgeted amount.

You can also use AWS Budgets to set reservation utilization or coverage targets and receive alerts when your utilization drops below the threshold you define. Reservation alerts are supported for Amazon EC2, Amazon RDS, Amazon Redshift, Amazon ElastiCache, and Amazon Elasticsearch reservations.

CORRECT: "AWS Budgets" is the correct answer.

INCORRECT: "AWS Cost Explorer" is incorrect. Cost Explorer lets you visualize and understand your costs but AWS Budgets should be used for alerting based on forecast or actual usage.

INCORRECT: "AWS Cost and Usage report" is incorrect. This is another tool that can be used to view usage for AWS services by category but AWS Budgets should be used for alerting based on forecast or actual usage.

INCORRECT: "AWS CloudTrail" is incorrect. CloudTrail is used for logging API activity; it will not alert you based on usage of AWS services.

References:

https://aws.amazon.com/aws-cost-management/aws-budgets/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 42:

What AWS service offers managed DDoS protection?

Explanation

AWS Shield is a managed Distributed Denial of Service (DDoS) protection service that safeguards applications running on AWS. AWS Shield provides always-on detection and automatic inline mitigations that minimize application downtime and latency, so there is no need to engage AWS Support to benefit from DDoS protection. There are two tiers of AWS Shield - Standard and Advanced.

CORRECT: "AWS Shield" is the correct answer (as explained above.)

INCORRECT: "AWS Firewall Manager" is incorrect. AWS Firewall Manager is a security management service which allows you to centrally configure and manage firewall rules across your accounts and does not protect from DDoS attacks.

INCORRECT: "Amazon GuardDuty" is incorrect. Amazon GuardDuty is a threat detection service that continuously monitors your AWS accounts and workloads for malicious activity and delivers detailed security findings for visibility and remediation. It does not protect you from DDoS attacks.

INCORRECT: "Amazon Inspector" is also incorrect, as Inspector is a fully managed vulnerability assessment tool and does not protect from DDoS attacks.

References:

https://aws.amazon.com/shield/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 43:

Which team is available to support AWS customers on an Enterprise support plan with account issues?

Explanation

Included as part of the Enterprise Support plan, the Support Concierge Team are AWS billing and account experts that specialize in working with enterprise accounts.

CORRECT: "AWS Concierge" is the correct answer.

INCORRECT: "AWS Technical Support" is incorrect as this is not the name of the team.

INCORRECT: "AWS Billing and Accounts" is incorrect as the Support Concierge Team fulfil this role.

INCORRECT: "AWS Technical Account Manager" is incorrect. The Technical Account Manager provides expert monitoring and optimization for your environment and coordinates access to other programs and experts.

References:

https://aws.amazon.com/premiumsupport/features/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 44:

Which AWS service should be used to create a billing alarm?

Explanation

You can monitor your estimated AWS charges by using Amazon CloudWatch. When you enable the monitoring of estimated charges for your AWS account, the estimated charges are calculated and sent several times daily to CloudWatch as metric data.

Billing metric data is stored in the US East (N. Virginia) Region and represents worldwide charges. This data includes the estimated charges for every service in AWS that you use, in addition to the estimated overall total of your AWS charges.

The alarm triggers when your account billing exceeds the threshold you specify. It triggers only when actual billing exceeds the threshold. It doesn't use projections based on your usage so far in the month.

CORRECT: "Amazon CloudWatch" is the correct answer.

INCORRECT: "AWS Trusted Advisor" is incorrect. AWS Trusted Advisor is an online tool that provides you with real-time guidance to help you provision your resources following AWS best practices.

INCORRECT: "AWS CloudTrail" is incorrect. CloudTrail logs API activity, not performance or billing metrics.

INCORRECT: "Amazon QuickSight" is incorrect. Amazon QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in your organization.

References:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/monitoring/monitor_estimated_charges_with_cloudwatch.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-monitoring-and-logging-services/

Question 45:

A user has an AWS account with a Business-level AWS Support plan and needs assistance with handling a production service disruption.

Which action should the user take?

Explanation

The Business support plan provides a service level agreement (SLA) of < 1 hour for production system down support cases.

CORRECT: "Open a production system down support case" is the correct answer.

INCORRECT: "Contact the dedicated Technical Account Manager" is incorrect. The dedicated TAM only comes with the Enterprise support plan.

INCORRECT: "Contact the dedicated AWS Concierge Support team" is incorrect. The concierge support team only comes with the Enterprise support plan.

INCORRECT: "Open a business-critical system down support case" is incorrect. The business-critical system down support only comes with the Enterprise support plan.

References:

https://aws.amazon.com/premiumsupport/plans/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 46:

Which Amazon EC2 pricing model should be used to comply with per-core software license requirements?

Explanation

Amazon EC2 Dedicated Hosts allow you to use your eligible software licenses from vendors such as Microsoft and Oracle on Amazon EC2, so that you get the flexibility and cost effectiveness of using your own licenses, but with the resiliency, simplicity and elasticity of AWS. An Amazon EC2 Dedicated Host is a physical server fully dedicated for your use, so you can help address corporate compliance requirements.

CORRECT: "Dedicated Hosts" is the correct answer.

INCORRECT: "On-Demand Instances" is incorrect. This is a standard pricing model and does not offer the advantages requested.

INCORRECT: "Spot Instances" is incorrect. This is used to obtain discounted pricing for short-term requirements that can be interrupted.

INCORRECT: "Reserved Instances" is incorrect. This is used to lower cost by reserving usage of an instance for a term of 1 or 3 years.

References:

https://aws.amazon.com/ec2/dedicated-hosts/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-billing-and-pricing/

Question 47:

Which of the below are components that can be configured in the VPC section of the AWS management console? (Select TWO.)

Explanation

You can configure subnets and endpoints within the VPC section of the AWS management console.

EBS volumes and ELB must be configured in the EC2 section of the AWS management console and DNS records must be configured in Amazon Route 53.

CORRECT: "Subnet" is a correct answer.

CORRECT: "Endpoints" is also a correct answer.

INCORRECT: "EBS volumes" is incorrect as explained above.

INCORRECT: "DNS records" is incorrect as explained above.

INCORRECT: "Elastic Load Balancer" is incorrect as explained above.

References:

https://aws.amazon.com/vpc/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-networking-services/

Question 48:

Remote employees need access to managed Windows virtual desktops and applications over secure networks.

Which AWS services can the company use to meet these requirements? (Select TWO.)

Explanation

Amazon Workspaces is a fully managed desktop virtualization service for Windows and Linux that enables you to access resources from any supported device.

To secure your network you would use the AWS Site-to-Site VPN. AWS Site-to-Site VPN allows you to encrypt traffic across your networks.

CORRECT: "Amazon Workspaces" is the correct answer (as explained above.)

CORRECT: "AWS Site-to-Site VPN" is also a correct answer (as explained above.)

INCORRECT: "Amazon Connect" is incorrect. Amazon Connect is a cloud-based telecommunications service providing managed cloud-based customer contact centers.

INCORRECT: "Amazon AppStream 2.0" is incorrect. Amazon AppStream is a non-persistent desktop and application service for remotely accessing your work. The non-persistent feature of this service would make the product unsuitable.

INCORRECT: "Amazon Elastic Container Service (Amazon ECS)" is incorrect. Amazon ECS is a managed container service which makes it easy to manage your containers in the cloud. Amazon EC2 cannot provide access to persistent topics.

References:

https://aws.amazon.com/workspaces/

https://docs.aws.amazon.com/vpn/latest/s2svpn/VPC_VPN.html

Question 49:

As part of its cloud architecture, a company wants its workloads to be resilient, perform correctly, consistently, and recover from errors in a timely manner.

Which pillar of the AWS Well-Architected Framework are these requirements related to?

Explanation

The Reliability pillar encompasses the ability of a workload to perform its intended function correctly and consistently when it's expected to. This includes the ability to operate and test the workload through its total lifecycle.

CORRECT: "Reliability" is the correct answer (as explained above.)

INCORRECT: "Security" is incorrect. Security simply refers to the ability to ensure your workloads and infrastructure are safe from attack or from exploitation.

INCORRECT: "Operational excellence" is incorrect. The operational excellence pillar focuses on running and monitoring systems, and continually improving processes and procedures. Key topics include automating changes, responding to events, and defining standards to manage daily operations, and it does not include initial resilience and recovery of workloads.

INCORRECT: "Performance Efficiency" is incorrect. The performance efficiency pillar focuses on structured and streamlined allocation of IT and computing resources. Key topics include selecting resource types and sizes optimized for workload requirements, monitoring performance, and maintaining efficiency as business needs evolve.

References:

https://aws.amazon.com/architecture/well-architected/

Save time with our AWS cheat sheets:

https://digitalcloud.training/architecting-for-the-cloud/

Question 50:

The AWS shared responsibility model is included in which pillar of the AWS Well-Architected Framework?

Explanation

Security and compliance are shared responsibilities between AWS and the customer. Depending on the services deployed, this shared model can help relieve the customer’s operational burden. This is because AWS operates, manages, and controls the components from the host operating system and virtualization layer down to the physical security of the facilities in which the service operates.

CORRECT: "Security" is the correct answer (as explained above.)

INCORRECT: "Operational excellence" is incorrect. The Operational Excellence pillar includes the ability to support development and run workloads effectively, gain insight into their operations, and to continuously improve supporting processes and procedures to deliver business value.

INCORRECT: "Performance efficiency" is incorrect. The performance efficiency pillar focuses on the efficient use of computing resources to meet requirements, and how to maintain efficiency as demand changes and technologies evolve.

INCORRECT: "Reliability" is incorrect. Reliability is the ability of a workload to perform its intended function correctly and consistently when it's expected to.

References:

https://aws.amazon.com/architecture/well-architected/

Save time with our AWS cheat sheets:

https://digitalcloud.training/architecting-for-the-cloud/

Question 51:

Which AWS service uses a highly secure hardware storage device to store encryption keys?

Explanation

AWS CloudHSM is a cloud-based hardware security module (HSM) that allows you to easily add secure key storage and high-performance crypto operations to your AWS applications.

CORRECT: "AWS CloudHSM" is the correct answer.

INCORRECT: "AWS IAM" is incorrect. AWS Identity and Access Management (IAM) is used for managing users, groups, and roles in AWS.

INCORRECT: "Amazon Cloud Directory" is incorrect. Amazon Cloud Directory enables you to build flexible cloud-native directories for organizing hierarchies of data along multiple dimensions.

INCORRECT: "AWS WAF" is incorrect. AWS WAF is a web application firewall that helps protect your web applications from common web exploits.

References:

https://aws.amazon.com/cloudhsm/features/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 52:

A company is considering migrating from on-premises to the AWS Cloud. In order to handle the workload efficiently, the IT team needs to offload this heavy lifting as much as possible.

What should the IT team do to accomplish this goal?

Explanation

AWS Managed Services (AMS) helps you adopt AWS at scale and operate more efficiently and securely. AMS leverages standard AWS services and offers guidance and execution of operational best practices with specialized automations, skills, and experience that are contextual to your environment and applications. You can easily leave a lot of the heavy lifting to AWS when you are using managed services.

CORRECT: "Use AWS Managed Services to provision, run, and support the company infrastructure" is the correct answer (as explained above.)

INCORRECT: "Build hardware refreshes into the operational calendar to ensure availability" is incorrect. This is not the easiest way to help ensure availability and would not necessarily work.

INCORRECT: "Use Amazon Elastic Container Service (Amazon ECS) on Amazon EC2 instances" is incorrect. ECS is a managed container service, which would only work for migrating specific containerized workloads, not for general migrations.

INCORRECT: "Overprovision compute capacity for seasonal events and traffic spikes to prevent downtime" is incorrect. Overprovisioning capacity in the cloud does not adhere to cloud best practices, which rely on scalability and elasticity to scale your workloads up and down as and when needed.

References:

https://aws.amazon.com/managed-services/

Question 53:

What does an organization need to do in Amazon IAM to enable user access to services being launched in a new region?

Explanation

IAM is used to securely control individual and group access to AWS resources. IAM is universal (global) and does not apply to regions.

CORRECT: "Nothing, IAM is global" is the correct answer.

INCORRECT: "Enable global mode in IAM to provision the required access" is incorrect as you do not need to do anything to use IAM globally.

INCORRECT: "Update the user accounts to allow access from another region" is incorrect as you don’t need to update user accounts.

INCORRECT: "Create new user accounts in the new region" is incorrect as IAM is global.

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-identity-and-access-management/

Question 54:

Which services can be used for asynchronous integration between application components? (Select TWO.)

Explanation

Asynchronous integration is a form of loose coupling between services. This model is suitable for any interaction that does not need an immediate response and where an acknowledgement that a request has been registered will suffice.

Amazon Simple Queue Service (SQS) and Amazon Step Functions both provide asynchronous integration. SQS provides a durable message bus and Step Functions is an orchestrated workflow service.

Amazon EC2 Auto Scaling helps with horizontal scaling of your EC2 instances. This is not an example of asynchronous integration.

AWS CloudFormation automates the deployment of infrastructure based on templates.

AWS Route 53 is a DNS service that resolves domain names to IP addresses.

References:

https://digitalcloud.training/certification-training/aws-certified-cloud-practitioner/architecting-for-the-cloud/

https://d1.awsstatic.com/whitepapers/AWS_Cloud_Best_Practices.pdf

Question 55:

Which service can be used to manage configuration versions?

Explanation

AWS Config is a fully-managed service that provides you with an AWS resource inventory, configuration history, and configuration change notifications to enable security and regulatory compliance.

CORRECT: "AWS Config" is the correct answer.

INCORRECT: "AWS Service Catalog" is incorrect. AWS Service Catalog is used to create and manage catalogs of IT services that you have approved for use on AWS, including virtual machine images, servers, software, and databases to complete multi-tier application architectures.

INCORRECT: "AWS Artifact" is incorrect. AWS Artifact is a central resource for compliance-related information. This service can be used to get compliance information related to AWS’ certifications/attestations.

INCORRECT: "Amazon Inspector" is incorrect. Inspector is an automated security assessment service that helps improve the security and compliance of applications deployed on AWS.

References:

https://docs.aws.amazon.com/config/latest/developerguide/how-does-config-work.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 56:

Which feature of AWS IAM enables you to identify unnecessary permissions that have been assigned to users?

Explanation

The IAM console provides information about when IAM users and roles last attempted to access AWS services. This information is called service last accessed data. This data can help you identify unnecessary permissions so that you can refine your IAM policies to better adhere to the principle of “least privilege.”

That means granting the minimum permissions required to perform a specific task. You can find the data on the Access Advisor tab in the IAM console by examining the detail view for any IAM user, group, role, or managed policy.

CORRECT: "Access Advisor" is the correct answer.

INCORRECT: "Role Advisor" is incorrect as this is not a valid feature.

INCORRECT: "Permissions Advisor" is incorrect as this is not a valid feature.

INCORRECT: "Group Advisor" is incorrect as this is not a valid feature.

References:

https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-identity-and-access-management/

Question 57:

What fully managed AWS service allows users to bring their own machine learning algorithms?

Explanation

Amazon SageMaker is a managed Machine Learning service. With Amazon SageMaker, you can package your own algorithms that can then be trained and deployed in the SageMaker environment.

CORRECT: "Amazon SageMaker" is the correct answer (as explained above.)

INCORRECT: "AWS Artifact" is incorrect. AWS Artifact is your go-to, central resource for compliance-related information. It has nothing to do with Machine Learning.

INCORRECT: "AWS Data Pipeline" is incorrect. AWS Data Pipeline is a web service that helps you reliably process and move data between different AWS compute and storage services, as well as on-premises data sources, at specified intervals. It does not use Machine Learning.

INCORRECT: "Amazon Forecast" is incorrect. Amazon Forecast is a time-series forecasting service based on machine learning (ML) and built for business metrics analysis. Although it is based on Machine Learning, it does not allow you to bring your own algorithms.

References:

https://aws.amazon.com/sagemaker/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-machine-learning/

Question 58:

In which AWS service can a company collect data about the configuration, usage, and behavior of its on-premises data centers to assist in planning a migration to AWS?

Explanation

AWS Application Discovery Service helps you plan your migration to the AWS cloud by collecting usage and configuration data about your on-premises servers.

CORRECT: "AWS Application Discovery Service" is the correct answer (as explained above.)

INCORRECT: "AWS Resource Groups" is incorrect. You can use resource groups to organize your AWS resources. AWS Resource Groups is the service that lets you manage and automate tasks on large numbers of resources at one time.

INCORRECT: "AWS Service Catalog" is incorrect. AWS Service Catalog allows organizations to create and manage catalogs of IT services that are approved for use on AWS and is not related to migration.

INCORRECT: "AWS Systems Manager" is incorrect. AWS Systems Manager provides an operations console and APIs for centralized application and resource management in hybrid environments. It is not a tool related to migration.

References:

https://docs.aws.amazon.com/application-discovery/latest/userguide/what-is-appdiscovery.html

Question 59:

Which service can be added to a database to provide improved performance for some requests?

Explanation

Amazon ElastiCache provides in-memory caching which improves performance for read requests when the data is cached in ElastiCache. ElastiCache can be placed in front of your database.

CORRECT: "Amazon ElastiCache" is the correct answer.

INCORRECT: "Amazon RedShift" is incorrect. Amazon RedShift is a data warehouse that is used for performing analytics on data.

INCORRECT: "Amazon EFS" is incorrect. Amazon EFS is an Elastic File System, not a caching service.

INCORRECT: "Amazon RDS" is incorrect. Amazon RDS is a relational SQL type of database. It is not a service that you place in front of another database to improve performance. Instead you might use RDS as your back-end database and use ElastiCache in front of it to improve performance through its in-memory caching.

References:

https://aws.amazon.com/elasticache/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-database-services/

Question 60:

There is a need to perform queries and to search and analyze logs interactively within an organization.

Which AWS service or feature will meet this requirement?

Explanation

CloudWatch Logs Insights enables you to interactively search and analyze your log data in Amazon CloudWatch Logs. You can perform queries to help you more efficiently and effectively respond to operational issues. If an issue occurs, you can use CloudWatch Logs Insights to identify potential causes and validate deployed fixes.

CORRECT: "Amazon CloudWatch Logs Insights" is the correct answer (as explained above.)

INCORRECT: "Amazon EventBridge (Amazon CloudWatch Events)" is incorrect. Amazon EventBridge is a serverless event bus that ingests data from your own apps, SaaS apps and AWS services and routes that data to targets.

INCORRECT: "Amazon CloudWatch Logs streams" is incorrect. A log stream is a sequence of log events that share the same source. Each separate source of logs in CloudWatch Logs makes up a separate log stream. This does not utilize queries.

INCORRECT: "Amazon CloudWatch anomaly detection" is incorrect. When you enable anomaly detection for a metric, CloudWatch applies statistical and machine learning algorithms. These algorithms continuously analyze metrics of systems and applications, determine normal baselines, and surface anomalies with minimal user intervention.

References:

https://docs.aws.amazon.com/AmazonCloudWatch/latest/logs/AnalyzingLogData.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-cloud-management-services/

Question 61:

Which AWS service provides a quick and automated way to create and manage AWS accounts?

Explanation

AWS Organizations is a web service that enables you to consolidate your multiple AWS accounts into an organization and centrally manage your accounts and their resources. The AWS Organizations API can be used to create AWS accounts and this can be automated through code.

CORRECT: "AWS Organizations" is the correct answer.

INCORRECT: "AWS QuickSight" is incorrect. Amazon QuickSight is a fast, cloud-powered business intelligence service that makes it easy to deliver insights to everyone in your organization.

INCORRECT: "Amazon LightSail" is incorrect. LightSail offers virtual servers (instances) that are easy to set up and backed by the power and reliability of AWS.

INCORRECT: "Amazon Connect" is incorrect. Amazon Connect is an easy-to-use omnichannel cloud contact center that helps companies provide superior customer service at a lower cost.

References:

https://docs.aws.amazon.com/organizations/latest/APIReference/Welcome.html

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-security-services/

Question 62:

An organization is migrating its application from on-premises SQL Server to AWS. As part of the migration, the company wants to reduce operational overhead, but lacks the resources to refactor the application.

Which database service would MOST effectively support these requirements?

Explanation

Amazon RDS for SQL Server is a fully managed SQL database service which you can migrate your on-premises database into. You do not need to refactor or change your on-premises database and you can perform homogeneous migrations with ease.

CORRECT: "Amazon RDS for SQL Server" is the correct answer (as explained above.)

INCORRECT: "Amazon Redshift" is incorrect. Redshift is a data warehousing solution which would not accept a migration using SQL Server.

INCORRECT: "Microsoft SQL Server on Amazon EC2" is incorrect. Although you can launch SQL Server on EC2, this question states that the company wants to reduce operational overhead, and managing SQL Server on EC2 would include more operational overhead compared to using RDS for SQL Server.

INCORRECT: "Amazon DynamoDB" is incorrect. DynamoDB is a NoSQL database that is not suitable for a direct 1-1 migration from an SQL database without schema conversion.

References:

https://aws.amazon.com/rds/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-database-services/

Question 63:

Which statement is correct in relation to the AWS Shared Responsibility Model?

Explanation

AWS are responsible for “Security of the Cloud”. AWS is responsible for protecting the infrastructure that runs all of the services offered in the AWS Cloud. This infrastructure is composed of the hardware, software, networking, and facilities that run AWS Cloud services, and this includes regions, availability zones and edge locations.

Customers are responsible for “Security in the Cloud”. This includes encrypting customer data and patching operating systems, but not patching or maintaining the underlying infrastructure.

CORRECT: "AWS are responsible for the security of regions and availability zones" is the correct answer.

INCORRECT: "Customers are responsible for patching storage systems" is incorrect as this is an AWS responsibility.

INCORRECT: "AWS are responsible for encrypting customer data" is incorrect as this is a customer responsibility.

INCORRECT: "Customers are responsible for security of the cloud" is incorrect as this is an AWS responsibility.

References:

https://aws.amazon.com/compliance/shared-responsibility-model/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-shared-responsibility-model/

Question 64:

A company needs significant cost savings for their non-interruptible workloads on AWS.

Which EC2 instance pricing model should the company select?

Explanation

Reserved instances allow a customer to use on-demand EC2 instances at a discounted price based on a commitment of usage. If you require cost optimization of non-interruptible workloads, you can use Reserved instances to provide discounts on your EC2 spend.

CORRECT: "Reserved instances" is the correct answer (as explained above.)

INCORRECT: "On-Demand Instances" is incorrect as On-demand instances are the most expensive, and the default billing option for EC2 instances. The customer requires significant cost savings, which cannot be provided by on-demand instances.

INCORRECT: "Spot Instances" is incorrect. Spot Instances are not suitable as spot instances let you take advantage of unused EC2 capacity in the AWS cloud, which can be terminated at a 2-minute notice if AWS requires the capacity for on-demand customers.

INCORRECT: "Dedicated Hosts" is incorrect, as this is a specific billing option if you require a dedicated server for server-bound licenses. This is not required for this use case and is an expensive EC2 pricing option.

References:

https://aws.amazon.com/ec2/pricing/reserved-instances/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-compute-services/

Question 65:

How can I deploy AWS Cloud infrastructure to multiple AWS Regions quickly, automatically, and reliably?

Explanation

AWS CloudFormation is an Infrastructure as Code (IaC) tool which allows users to provision infrastructure services using either JSON or YAML. With AWS CloudFormation you can easily provision resources in a different Region.

CORRECT: "Create and use an AWS CloudFormation template" is the correct answer (as explained above.)

INCORRECT: "Use AWS CodeStar to set up a continuous delivery toolchain for automated deployment" is incorrect. AWS CodeStar is a cloud-based development service that provides the tools you need to quickly develop, build, and deploy applications on AWS.

INCORRECT: "Create and launch an Amazon EC2 Amazon Machine Image (AMI) containing the source code with built-in deployment hooks to launch other AWS services" is incorrect. This would not inherently provide multi-Region functionality as AMIs are Region specific.

INCORRECT: "Use AWS Systems Manager to automate management tasks, such as creating Amazon EC2 Amazon Machine Images (AMIs) and applying patches" is incorrect. AWS Systems Manager can be used for automation of management tasks, such as creating Amazon EC2 Amazon Machine Images (AMIs) and applying patches - however this is not related to the question of launching applications across multiple Regions.

References:

https://aws.amazon.com/cloudformation/

Save time with our AWS cheat sheets:

https://digitalcloud.training/aws-networking-services/