AWS-SysOps Amazon Exam Questions and Free Practice Test

Question 85

- (Topic 3)
Your organization is preparing for a security assessment of your use of AWS.
In preparation for this assessment, which two IAM best practices should you consider implementing? Choose 2 answers

A. Create individual IAM users for everyone in your organization

B. Configure MFA on the root account and for privileged IAM users

C. Assign IAM users and groups configured with policies granting least privilege access

D. Ensure all users have been assigned and are frequently rotating a password, access ID/secret key, and X.509 certificate

Correct Answer:BC
Reference:
http://docs.aws.amazon.com/AmazonS3/latest/dev/example-bucket-policies.html

Question 86

- (Topic 3)
A user has hosted an application on EC2 instances. The EC2 instances are configured with ELB and Auto Scaling. The application server session time out is 2 hours. The user wants to configure connection draining to ensure that all in-flight requests are supported by ELB even though the instance is being deregistered. What time out period should the user specify for connection draining?

A. 5 minutes

B. 1 hour

C. 30 minutes

D. 2 hours

Correct Answer:B

Question 87

- (Topic 3)
A user runs the command “dd if=/dev/zero of=/dev/xvdfbs=1M” on a fresh blank EBS volume attached to a Linux instance. Which of the below mentioned activities is the user performing with the command given above?

A. Creating a file system on the EBS volume

B. Mounting the device to the instance

C. Pre warming the EBS volume

D. Formatting the EBS volume

Correct Answer:C

When the user creates a new EBS volume and is trying to access it for the first time it will encounter reduced IOPS due to wiping or initiating of the block storage. To avoid this as well as achieve the best performance it is required to pre warm the EBS volume. For a blank volume attached with a Linux OS, the “dd” command is used to write to all the blocks on the device. In the command “dd if=/dev/zero of=/dev/xvdfbs=1M” the parameter “if =import file” should be set to one of the Linux virtual devices, such as /dev/zero. The “of=output file” parameter should be set to the drive that the user wishes to warm. The “bs” parameter sets the block size of the write operation; for optimal performance, this should be set to 1 MB.

Question 88

- (Topic 3)
A user has created a VPC with public and private subnets using the VPC wizard. The VPC has CIDR
20.0.0.0/16. The private subnet uses CIDR 20.0.0.0/24 . The NAT instance ID is i-a12345. Which of the below mentioned entries are required in the main route table attached with the private subnet to allow instances to connect with the internet?

A. Destination: 0.0.0.0/0 and Target: i-a12345

B. Destination: 20.0.0.0/0 and Target: 80

C. Destination: 20.0.0.0/0 and Target: i-a12345

D. Destination: 20.0.0.0/24 and Target: i-a12345

Correct Answer:A

A user can create a subnet with VPC and launch instances inside that subnet. If the user has created a public private subnet, the instances in the public subnet can receive inbound traffic directly from the Internet, whereas the instances in the private subnet cannot. If these subnets are created with Wizard, AWS will create two route tables and attach to the subnets. The main route table will have the entry “Destination: 0.0.0.0/0 and Target: ia12345”, which allows all the instances in the private subnet to connect to the internet using NAT.

Question 89

- (Topic 2)
A root account owner has created an S3 bucket testmycloud. The account owner wants to allow everyone to upload the objects as well as enforce that the person who uploaded the object should manage the permission of those objects. Which is the easiest way to achieve this?

A. The root account owner should create a bucket policy which allows the IAM users to upload the object

B. The root account owner should create the bucket policy which allows the other account owners to set the object policy of that bucket

C. The root account should use ACL with the bucket to allow everyone to upload the object

D. The root account should create the IAM users and provide them the permission to upload content to the bucket

Correct Answer:C

Each AWS S3 bucket and object has an ACL (Access Control List. associated with it. An ACL is a list of grants identifying the grantee and the permission granted. The user can use ACLs to grant basic read/write permissions to other AWS accounts. ACLs use an Amazon S3–specific XML schema. The user cannot grant permissions to other users in his account. ACLs are suitable for specific scenarios. For example, if a bucket owner allows other AWS accounts to upload objects, permissions to these objects can only be managed using the object ACL by the AWS account that owns the object.

Question 90

- (Topic 2)
An organization is planning to create 5 different AWS accounts considering various security requirements. The organization wants to use a single payee account by using the
consolidated billing option. Which of the below mentioned statements is true with respect to the above information?

A. Master (Paye

B. account will get only the total bill and cannot see the cost incurred by each account

C. Master (Paye

D. account can view only the AWS billing details of the linked accounts

E. It is not recommended to use consolidated billing since the payee account will have access to the linked accounts

F. Each AWS account needs to create an AWS billing policy to provide permission to the payee account

Correct Answer:B

AWS consolidated billing enables the organization to consolidate payments for multiple Amazon Web Services (AWS. accounts within a single organization by making a single paying account. Consolidated billing enables the organization to see a combined view of the AWS charges incurred by each account as well as obtain a detailed cost report for each of the individual AWS accounts associated with the paying account. The payee account will not have any other access than billing data of linked accounts.

START AWS-SysOps EXAM