AWS-Certified-DevOps-Engineer-Professional Amazon Exam Questions and Free Practice Test

Question 7

Your company wants to understand where cost is coming from in the company's production AWS account. There are a number of applications and services running at any given time. Without expending too much initial development time, how best can you give the business a good understanding of which applications cost the most per month to operate?

A. Create an automation script which periodically creates AWS Support tickets requesting detailed intra-month information about your bill.

B. Use custom CIoudWatch Metrics in your system, and put a metric data point whenever cost is incurred.

C. Use AWS Cost Allocation Tagging for all resources which support i

D. Use the Cost Explorer to analyze costs throughout the month.

E. Use the AWS Price API and constantly running resource inventory scripts to calculate total price based on multiplication of consumed resources over time.

Correct Answer:C
Cost Allocation Tagging is a built-in feature of AWS, and when coupled with the Cost Explorer, provides a simple and robust way to track expenses.
You can also use tags to filter views in Cost Explorer. Note that before you can filter views by tags in Cost Explorer, you must have applied tags to your resources and activate them, as described in the following sections. For more information about Cost Explorer, see Analyzing Your Costs with Cost Explorer. Reference: http://docs.aws.amazon.com/awsaccountbilling/latest/aboutv2/cost-alloc-tags.html

Question 8

Which of these configuration or deployment practices is a security risk for RDS?

A. Storing SQL function code in plaintext

B. Non-MuIti-AZ RDS instance

C. Having RDS and EC2 instances exist in the same subnet

D. RDS in a public subnet

Correct Answer:D
Making RDS accessible to the public internet in a public subnet poses a security risk, by making your database directly addressable and spammable.
DB instances deployed within a VPC can be configured to be accessible from the Internet or from EC2 instances outside the VPC. If a VPC security group specifies a port access such as TCP port 22, you would not be able to access the DB instance because the firewall for the DB instance provides access only via the IP addresses specified by the DB security groups the instance is a member of and the port defined when the DB instance was created.
Reference: http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.RDSSecurityGroups.htmI

Question 9

You need your CI to build AMIs with code pre-installed on the images on every new code push. You need to do this as cheaply as possible. How do you do this?

A. Bid on spot instances just above the asking price as soon as new commits come in, perform all instance configuration and setup, then create an AMI based on the spot instance.

B. Have the CI launch a new on-demand EC2 instance when new commits come in, perform all instance configuration and setup, then create an AMI based on the on-demand instance.

C. Purchase a Light Utilization Reserved Instance to save money on the continuous integration machin

D. Use these credits whenever your create AMIs on instances.

E. When the CI instance receives commits, attach a new EBS volume to the CI machin

F. Perform all setup on this EBS volume so you don't need a new EC2 instance to create the AMI.

Correct Answer:A
Spot instances are the cheapest option, and you can use minimum run duration if your AMI takes more than a few minutes to create.
Spot instances are also available to run for a predefined duration — in hourly increments up to six hours in length — at a significant discount (30-45%) compared to On-Demand pricing plus an additional 5% during off-peak timesl for a total of up to 50% savings.
Reference: https://aws.amazon.com/ec2/spot/pricing/

Question 10

Your CTO thinks your AWS account was hacked. What is the only way to know for certain if there was unauthorized access and what they did, assuming your hackers are very sophisticated AWS engineers and doing everything they can to cover their tracks?

A. Use CloudTrai| Log File Integrity Validation.

B. Use AWS Config SNS Subscriptions and process events in real time.

C. Use CIoudTraiI backed up to AWS S3 and Glacier.

D. Use AWS Config Timeline forensic

Correct Answer:A
You must use CloudTraiI Log File Validation (default or custom implementation), as any other tracking method is subject to forgery in the event of a full account compromise by sophisticated enough hackers. Validated log files are invaluable in security and forensic investigations. For example, a validated log file enables you to assert positively that the log file itself has not changed, or that particular user credentials performed specific API actMty. The CIoudTraiI log file integrity validation process also lets you know if a log file has been deleted or changed, or assert positively that no log files were delivered to your account during a given period of time.
Reference:
http://docs.aws.amazon.com/awscloudtrail/latest/userguide/cloudtrail-log-fiIe-validation-intro.html

Question 11

Your system uses a multi-master, multi-region DynamoDB configuration spanning two regions to achieve high availablity. For the first time since launching your system, one of the AWS Regions in which you operate over went down for 3 hours, and the failover worked correctly. However, after recovery, your users are experiencing strange bugs, in which users on different sides of the globe see different data. What is a likely design issue that was not accounted for when launching?

A. The system does not have Lambda Functor Repair Automations, to perform table scans and chack for corrupted partition blocks inside the Table in the recovered Region.

B. The system did not implement DynamoDB Table Defragmentation for restoring partition performance in the Region that experienced an outage, so data is served stale.

C. The system did not include repair logic and request replay buffering logic for post-failure, to re-synchronize data to the Region that was unavailable for a number of hours.

D. The system did not use DynamoDB Consistent Read requests, so the requests in different areas are not utilizing consensus across Regions at runtime.

Correct Answer:C
When using multi-region DynamoDB systems, it is of paramount importance to make sure that all requests made to one Region are replicated to the other. Under normal operation, the system in question would correctly perform write replays into the other Region. If a whole Region went down, the system would be unable to perform these writes for the period of downtime. Without buffering write requests somehow, there would be no way for the system to replay dropped cross-region writes, and the requests would be serviced differently depending on the Region from which they were served after recovery. Reference: http://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Streams.CrossRegionRepI.htmI

Question 12

If you're trying to configure an AWS Elastic Beanstalk worker tier for easy debugging if there are problems finishing queue jobs, what should you configure?

A. Configure Rolling Deployments.

B. Configure Enhanced Health Reporting

C. Configure Blue-Green Deployments.

D. Configure a Dead Letter Queue

Correct Answer:D
Elastic Beanstalk worker environments support Amazon Simple Queue Service (SQS) dead letter queues. A dead letter queue is a queue where other (source) queues can send messages that for some reason could not be successfully processed. A primary benefit of using a dead letter queue is the ability to sideline and isolate the unsuccessfully processed messages. You can then analyze any messages sent
to the dead letter queue to try to determine why they were not successfully processed. Reference:
http://docs.aws.amazon.com/elasticbeanstaIk/latest/dg/using-features-managing-env-tiers.htmI#worker-d eadletter

START AWS-Certified-DevOps-Engineer-Professional EXAM