AWS Question and Answer (SAA-C02) – Part I

  • You are responsible for optimizing performance of a movie streaming website. Currently, you are working on the search functionality and have discovered that anytime the library database of titles is searched, the load on the database is reaching peak levels. Your current architecture consists of a PostgreSQL database on an extra-large instance. How would you update your architecture to better handle the load? (Choose two.)
    • Re-create the database instance on a larger instance using EBS volumes with provisioned IOPS as the volume type.
    • Add an RDS Multi-AZ setup to increase the read performance of the media library database.
    • Add an ElastiCache store to cache data because searches will often return common data over multiple reads.
    • Shard the database into multiple copies installed on multiple instances.

Ans. (A, C). First, a larger instance with the fastest possible volume type—provisioned IOPS—is generally going to improve overall performance, so A is a good idea. Second, ElastiCache will provide faster responses and reduce database reads over time. A and C are both valid approaches. A Multi-AZ setup is for disaster recovery, and sharding is high overhead and could potentially increase response time, rather than reduce it, in this use case.

  • Which of the following are engines used by ElastiCache?
    • reddit, memcached
    • redis, memcached
    • Sharding, redis
    • memcached, Redshift

Ans. (B). redis and memcached are engines available for use by ElastiCache. reddit is an online information site, and Redshift is a data warehousing and OLAP service.

  • Which of the following are AWS-supported solutions for encrypting data at rest when that data is objects stored in S3 buckets? (Choose two.)
    • ElastiCache for memcached
    • AWS Key Management Service
    • Customer-provided keys
    • AWS Encryption

Ans. (B, C). AWS allows a number of options for encrypting data at rest. In the supplied solutions, AWS Key Management Service (KMS) is an AWS-managed solution for data encryption, and customer-provided keys are allowed as well. In the latter case, customers provide the keys and AWS handles encryption of data using those keys. ElastiCache for memcached does not support encryption and, further, is not a solution for encrypting data but instead a caching service. AWS Encryption is not an actual AWS service.

  • You have been brought into a new organization with over 20 different AWS accounts. You are tasked with improving the cost management of the organization and want to recommend the use of AWS Organizations and the consolidated billing feature. Which of the following are advantages of consolidated billing that you could use to support your case? (Choose two.)
    • Multiple accounts can be combined and, through that combination, receive discounts that may reduce the total cost of all the accounts.
    • Traffic between accounts will not be subject to data transfer charges if those accounts are all in AWS Organizations.
    • All accounts in AWS Organizations will receive a 5% billing reduction in consolidated billing.
    • All accounts can be tracked individually and through a single tool.

Ans. (A, D). AWS Organizations allows the management of multiple accounts in one place and allows tracking of those individual accounts (D). Additionally, in many cases, AWS will allow discounts based on total services used rather than treating each account individually (A).

  • You are tasked with improving security at an organization that has recently begun using the cloud. It has five developers, a financial manager, and two support engineers. Currently, all eight staff are using the AWS root user for their account. What changes would you make to improve security? (Choose two.)
    • Get all the users to download the AWS CLI and change the root password.
    • Create a new IAM user for each of the eight staff members and provide credentials to each user.
    • Put the five developers in the Power Users group, the financial manager in the Billing group, and the support engineers in the Support User group.
    • Create a new group with access to the IAM service and ensure that at least one developer is in that group.

Ans. (B, C). The biggest issue here is that all the users are using the root account, meaning there’s a shared password and that users have far more permissions than they should. These can both be addressed by creating new IAM users for each user (B) and putting those users in predefined groups according to their job function (C). Developers don’t need access to IAM in general, so D is incorrect, and while changing the root password is a good idea, A is also incorrect because a financial manager (and possibly support engineers) may not need the AWS CLI as their access mechanism.
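The shared-root problem in this question is easy to spot from the IAM credential report, which lists every user (including `<root_account>`) with its password and access-key activity. The following Python is an added example, not code from the original page: it parses a constructed report in the shape of `aws iam get-credential-report` output (a subset of the real columns, with a placeholder account ID) and flags root access keys, recent root password use, and console users without MFA.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `aws iam get-credential-report` output
# (the real report is base64 CSV with more columns; DictReader only needs the
# ones used here). The <root_account> row shows the shared-root pattern.
SAMPLE_REPORT = """\
user,arn,password_enabled,password_last_used,mfa_active,access_key_1_active,access_key_1_last_used_date,access_key_2_active
<root_account>,arn:aws:iam::123456789012:root,not_supported,2024-05-01T09:12:00+00:00,false,true,2024-05-01T08:00:00+00:00,false
alice,arn:aws:iam::123456789012:user/alice,true,2024-04-28T10:00:00+00:00,true,false,N/A,false
bob,arn:aws:iam::123456789012:user/bob,true,no_information,false,true,N/A,false
"""

# Fixed "now" so the sample audit is reproducible (constructed).
REPORT_DATE = datetime(2024, 5, 2, tzinfo=timezone.utc)


def _parse_ts(value):
    """Report timestamps are ISO 8601 with an offset; placeholders such as
    N/A, no_information and not_supported parse as None."""
    try:
        return datetime.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def audit_credential_report(report_csv, now, recent_days=30):
    """Return (user, finding) pairs for root-usage and missing-MFA problems."""
    findings = []
    cutoff = now - timedelta(days=recent_days)
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        mfa = row.get("mfa_active") == "true"
        key_active = any(row.get(f"access_key_{i}_active") == "true" for i in (1, 2))
        pw_used = _parse_ts(row.get("password_last_used"))
        if user == "<root_account>":
            # Root should have no access keys and should be used only for the
            # few tasks that require it, always with MFA.
            if key_active:
                findings.append((user, "root has an active access key"))
            if pw_used is not None and pw_used >= cutoff:
                findings.append((user, f"root password used in the last {recent_days} days"))
            if not mfa:
                findings.append((user, "root has no MFA"))
        elif row.get("password_enabled") == "true" and not mfa:
            # An IAM user with a console password but no MFA.
            findings.append((user, "console password without MFA"))
    return findings


def run_audit():
    """Audit the constructed sample report."""
    return audit_credential_report(SAMPLE_REPORT, REPORT_DATE)


if __name__ == "__main__":
    for user, finding in run_audit():
        print(f"{user}: {finding}")
```

Once each staff member has an IAM user in a job-function group, the expected steady state is a root row with no active keys, no recent password use and MFA enabled, so this audit returns nothing for root; re-running it after the change is a cheap way to confirm the migration actually happened.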

  • You need to support a cluster of instances that will host a high-volume, high-load Oracle database installation. You cannot use RDS because of a custom plug-in that the database instances require. Which EBS volume type should you choose for the instances?
    • Cold HDD
    • Throughput Optimized HDD
    • General Purpose SSD
    • Provisioned IOPS SSD

Ans. (D). The best choice for I/O intensive applications and databases is provisioned IOPS (D). The only other potentially confusing option is B, throughput optimized HDD. These are not SSD volumes, and they are better for data warehousing rather than intensive I/O.

  • You are responsible for a large AWS environment, and specifically, several subnets within a custom VPC. The VPC contains both public and private subnets. There are approximately 300 EC2 instances within one of the private subnets that uses a NAT device to reach the Internet. Each evening at 11 p.m., the instances push the day’s data to an external data store outside of AWS, available via an API that is Internet accessible. However, you are seeing that not all of the data is getting out each evening, and several of the instances show failed transmissions to the external API. Assuming the API itself is not an issue, what should you consider when attempting to fix this issue? (Choose two.)
    • The instances are saturating the VPC’s internet gateway. Consider attaching an additional internet gateway to the VPC.
    • The NAT device could be a NAT instance that is on an instance size too small to handle the traffic. Reprovision the NAT instance on a larger instance size with more CPU.
    • Set up an SQS queue with all the desired transmissions as entries in the queue. Have the EC2 instances poll the queue and transmit data until the queue is completely empty. Add a Lambda job to detect failed transmissions and re-add the failed operation to the SQS queue.
    • The instances cannot support the required throughput. Re-provision the instances to use EBS volumes with provisioned IOPS as the volume type.

Ans. (B, C). There are two potential problems here: network throughput and failed transmissions not being retried. Solution B addresses throughput by increasing the ability of the NAT instance to handle large amounts of data from multiple instances. Solution C addresses failed transmissions by treating them as a problem that should be retried by instances.

  • Which of the following will AWS not allow with regard to EBS? (Choose two.)
    • Encrypt an existing EBS volume.
    • Create an unencrypted copy of an encrypted snapshot.
    • Attach an encrypted volume to an EC2 instance.
    • Create an encrypted copy of an unencrypted snapshot.

Ans. (A, B). You cannot encrypt an existing EBS volume (A). Additionally, once a snapshot is encrypted, you cannot create an unencrypted copy of that snapshot (B). You can attach encrypted volumes to instances (C), and you can create an encrypted volume from an unencrypted snapshot (D).

Ans. (C). First, realize that when you see a question asking about writing to S3, you want a URL that is not set up for static website hosting. This means that the bucket name follows the trailing slash and is not part of the domain itself. This means that B and C are the only valid options. Then, remember that the service (s3) and the region (in this case, eu-west-2) are not separated by a dot delimiter, but instead a dash. This leaves C as the correct answer.

  • You are handling a logging update to a fleet of EC2 instances. You have set up a VPC flow log on the group of instances and now want to monitor these logs for a specific set of events, in particular security breaches. To where should the logs be forwarded?
    • RDS
    • S3
    • CloudWatch
    • RedShift

Ans. (C). CloudWatch is the AWS preferred solution for monitoring events. While data from flow logs could be handled by RDS and analyzed by Redshift, neither of these are as targeted a solution for monitoring as CloudWatch.

  • You want to provide task- and event-level tracking in a complex application. You’ve been asked to then attach custom code to these tasks and events. However, you are working on an MVP that needs to quickly go to market. Which AWS services would provide you with the most out-of-the-box functionality and require the least amount of infrastructure coding?
    • SQS, Lambda
    • SWF, CloudWatch
    • SWF, Lambda
    • Elastic Beanstalk, CloudWatch

Ans. (C). Lambda is best for writing custom code without the overhead of provisioning EC2 instances, so both A and C are potentially correct answers. While SQS offers queuing, SWF (the Simple Workflow Service) gives you prebuilt tracking of application-level events and tasks. Attach Lambda to this and you have a ready-to-use event-driven service.

  • You are troubleshooting a custom VPC with two subnets. One subnet contains database instances and is not Internet accessible. The other subnet has EC2 instances running web servers. The instances have elastic network interfaces assigned with public IP addresses. However, you are unable to access these instances from the Internet, and they cannot access Internet resources either. What might be causing these problems? (Choose two.)
    • The instances need to use public IP addresses, but not elastic network interfaces. Remove the elastic network interfaces.
    • The VPC needs an internet gateway. Attach an internet gateway and update the VPC’s routing tables to route Internet traffic from the instances through the internet gateway.
    • The instances are being prevented from accessing the Internet by the default security group they have been assigned. Add permissions to allow outgoing Internet traffic to the group.
    • Update the NACL for the subnet with the EC2 instances to allow inbound HTTP and HTTPS traffic to the EC2 instances in the public subnet.

Ans. (B, D). Non-default VPCs do not have an internet gateway attached, so B provides that remedy. Attaching an internet gateway to the VPC will provide public instances with a path out to the Internet. Solution D is also correct; NACLs on non-default VPCs will not allow HTTP or HTTPS traffic in (nor will security groups, for that matter) and need to explicitly allow in HTTP/S traffic.

  • What common step that is often omitted in setting up a NAT instance can cause a failure in routing traffic from an EC2 instance through the NAT instance and out to the Internet?
    • Adding a rule to the security group for the NAT instance that allows traffic out to the Internet
    • Setting the NAT instance up to use an EBS volume with provisioned IOPS
    • Setting the NACL on the subnet with the EC2 instances to allow in traffic from the Internet
    • Ensuring that the Source/Destination Check option is disabled on the NAT instance

Ans. (D). Most of these answers will not help the problem. The NAT instance should be in a public subnet, so A is not useful. The EBS volume of the NAT can be an issue, but not in providing Internet access for connecting instances (B). The subnet containing the EC2 instances using the NAT instance should be private, so C is both incorrect and a bad design decision. This leaves D: NAT instances must have Source/Destination Check disabled to function properly.

  • Which of these S3 storage classes is the most durable?
    • S3
    • S3-IA
    • S3 One Zone-IA
    • All of these classes are equally durable.

Ans. (D). All S3 storage classes share the same durability: 11 9s (99.999999999%). That’s often unintuitive, so it’s best to recall that all S3 classes have durability in common and decrease in availability from S3 to S3-IA to S3 One Zone-IA.

  • You have been tasked with setting up storage for an application that loads large photos from an existing RDS. These photos are then processed by a Lambda function and have metadata added, along with additional filters. The Lambda code is inexpensive and can easily be rerun if needed. You need to decide on where to store the photos once they have been processed. Each photo will likely be accessed between 1 and 5 times over the course of a month and should be quickly accessible. The chief driver for the application and your decision should be cost and user experience. What S3 storage class would you select?
    • S3
    • S3 IA
    • S3 One Zone-IA
    • Glacier

Ans. (C). The keys here are that cost is a driver and that the image processing code is fast and inexpensive. That effectively means that if images were lost after processing, they could be reprocessed without affecting the overall system cost. As a result, it’s possible to pick an S3 class where images post-processing might be lost, if that results in a lower overall cost. This allows for S3 One Zone-IA, the cheapest of the provided S3 classes aside from Glacier, which has load times much longer than would be acceptable. S3 One Zone-IA might lose your processed images, but since they can easily be re-created, this isn’t a deterrent.

  • You have a growing fleet of EC2 instances that have been using EBS volumes for data storage. Each instance needs access to all other instances’ data, and your custom replication scripts are growing increasingly taxed and complex. What would you recommend to replace the current usage of EBS volumes and replication?
    • EBS
    • DynamoDB
    • EFS
    • Service Catalog

Ans. (C). EFS, the Elastic File System, is effectively a NAS in the cloud and can provide storage accessible to multiple EC2 instances at one time.

  • You are responsible for setting up the architecture for a new web-based online dating site. You need to create a public subnet in a custom VPC and already have a subnet in the VPC with EC2 instances within it. What other steps would you need to take to make the subnet public? (Choose two.)
    • Attach a customer gateway to the VPC.
    • Make the subnet public using the AWS CLI and the subnet command.
    • Attach an internet gateway to the VPC.
    • Add a route for the instances in the subnet to the Internet through the attached gateway.

Ans. (C, D). Non-default VPCs do not have an internet gateway attached and will need one to host any public subnets, so C is required. Then, with the internet gateway attached, instances within the subnet will need a route through this gateway for Internet traffic (D).
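Both this question and the earlier one about instances with public IPs that still cannot reach the Internet come down to the same two checks: is an internet gateway attached to the VPC, and does the subnet's route table send 0.0.0.0/0 through it. The following Python is an added example, not code from the original page: it runs those checks over constructed data shaped like `aws ec2 describe-internet-gateways` and `aws ec2 describe-route-tables` output (IDs ending in "example" are placeholders) and classifies a subnet as public, private-via-NAT, or isolated.

```python
# Constructed data in the shape of `aws ec2 describe-internet-gateways` and
# `aws ec2 describe-route-tables` output. IDs ending in "example" are placeholders.
INTERNET_GATEWAYS = [
    {"InternetGatewayId": "igw-example",
     "Attachments": [{"VpcId": "vpc-example", "State": "available"}]},
]

ROUTE_TABLES = [
    # Main table: only the local route, so subnets without an explicit
    # association (subnet-db here) have no path to the Internet at all.
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"}]},
    # Public subnet: default route through the internet gateway.
    {"RouteTableId": "rtb-public", "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example", "State": "active"}]},
    # Private subnet: default route through a NAT gateway.
    {"RouteTableId": "rtb-app", "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local", "State": "active"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example", "State": "active"}]},
]


def vpc_has_internet_gateway(vpc_id, gateways):
    """True when an internet gateway is attached to the VPC (answer C / B above)."""
    return any(att.get("VpcId") == vpc_id and att.get("State") == "available"
               for gw in gateways for att in gw.get("Attachments", []))


def route_table_for(subnet_id, route_tables):
    """Explicit association wins; otherwise the VPC's main route table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def internet_path(subnet_id, route_tables):
    """Return 'igw', 'nat' or 'none' based on the subnet's active 0.0.0.0/0 route.
    A route whose State is 'blackhole' (target detached) is ignored."""
    rt = route_table_for(subnet_id, route_tables)
    if rt is None:
        return "none"
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") != "0.0.0.0/0" or route.get("State") != "active":
            continue
        if str(route.get("GatewayId", "")).startswith("igw-"):
            return "igw"
        if route.get("NatGatewayId") or route.get("InstanceId"):
            return "nat"
    return "none"


def describe_subnet(subnet_id, vpc_id, route_tables=ROUTE_TABLES, gateways=INTERNET_GATEWAYS):
    """Human-readable verdict combining the gateway and route-table checks."""
    if not vpc_has_internet_gateway(vpc_id, gateways):
        return "VPC has no internet gateway attached; no subnet can be public"
    return {
        "igw": "public (default route via internet gateway)",
        "nat": "private (default route via NAT)",
        "none": "isolated (no default route; a public IP alone does not help)",
    }[internet_path(subnet_id, route_tables)]


if __name__ == "__main__":
    for subnet in ("subnet-web", "subnet-app", "subnet-db"):
        print(subnet, "->", describe_subnet(subnet, "vpc-example"))
```

The isolated verdict for `subnet-db` is the failure mode in the earlier question: assigning public IPs to interfaces in a subnet whose route table has no internet-gateway route changes nothing, because the missing piece is the route (D above), not the addressing.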

  • Which of the following are valid S3 request headers? (Choose two.)
    • X-amz-date
    • Content-Length
    • X-aws-date
    • Content-Size

Ans. (A, B). AWS defines several custom request headers, and all begin with x-amz rather than x-aws. This will help you eliminate incorrect answers; in this case, it means that A is valid and C is not. Then, you’ll simply have to memorize the other request headers; Content-Length (B) is valid, while Content-Size (D) is not.
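Where the x-amz-date header actually matters is request signing: it is one of the headers S3 requires to be covered by the Signature Version 4 signature. The following Python is an added example, not code from the original page: it implements SigV4 header signing for an S3 request with the standard library only, and reproduces the GET-object example from the AWS documentation (the example bucket, key and the AKIAIOSFODNN7EXAMPLE credentials are the documentation's placeholder values, not real ones).

```python
import hashlib
import hmac
from datetime import datetime, timezone

ALGORITHM = "AWS4-HMAC-SHA256"


def amz_timestamp(now=None):
    """Value for the x-amz-date header: UTC, basic ISO 8601, e.g. 20130524T000000Z."""
    now = now or datetime.now(timezone.utc)
    return now.strftime("%Y%m%dT%H%M%SZ")


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def _sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def signing_key(secret_key, date_stamp, region, service="s3"):
    """Derive the per-day signing key: HMAC chain over date, region, service."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_headers(headers):
    """Lowercase names, trimmed values, sorted; returns (header block, signed list)."""
    canon = {n.lower().strip(): " ".join(v.strip().split()) for n, v in headers.items()}
    names = sorted(canon)
    return "".join(f"{n}:{canon[n]}\n" for n in names), ";".join(names)


def sign_s3_request(method, host, path, headers, payload, access_key, secret_key,
                    region, amz_date, query=""):
    """Return the full header set for the request, including Authorization.
    `headers` holds caller headers (e.g. Range); host/x-amz-* are added here."""
    payload_hash = _sha256_hex(payload)
    hdrs = dict(headers)
    hdrs["host"] = host
    hdrs["x-amz-date"] = amz_date
    hdrs["x-amz-content-sha256"] = payload_hash  # S3 requires the payload hash header
    if method in ("PUT", "POST"):
        hdrs["Content-Length"] = str(len(payload))  # a valid, signable standard header
    canon_hdrs, signed = canonical_headers(hdrs)
    canonical_request = "\n".join([method, path, query, canon_hdrs, signed, payload_hash])
    date_stamp = amz_date[:8]
    scope = f"{date_stamp}/{region}/s3/aws4_request"
    string_to_sign = "\n".join([ALGORITHM, amz_date, scope,
                                _sha256_hex(canonical_request.encode("utf-8"))])
    signature = hmac.new(signing_key(secret_key, date_stamp, region),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    hdrs["Authorization"] = (f"{ALGORITHM} Credential={access_key}/{scope}, "
                             f"SignedHeaders={signed}, Signature={signature}")
    return hdrs


def doc_example():
    """The AWS documentation GET-object example (placeholder credentials)."""
    return sign_s3_request(
        "GET", "examplebucket.s3.amazonaws.com", "/test.txt", {"Range": "bytes=0-9"}, b"",
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1",
        amz_timestamp(datetime(2013, 5, 24, tzinfo=timezone.utc)))


def put_example():
    """A PUT with a body, showing Content-Length entering the signed header set."""
    return sign_s3_request(
        "PUT", "examplebucket.s3.amazonaws.com", "/report.txt", {}, b"hello",
        "AKIAIOSFODNN7EXAMPLE", "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY", "us-east-1",
        amz_timestamp(datetime(2013, 5, 24, tzinfo=timezone.utc)))


if __name__ == "__main__":
    for name, value in doc_example().items():
        print(f"{name}: {value}")
```

Because x-amz-date is part of the signed string and the derived key is bound to the date in the credential scope, a captured request cannot be replayed indefinitely: S3 rejects a signature whose x-amz-date is too far from the current time, which is the practical reason the header is mandatory rather than optional.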

  • Which of the following are support levels offered by AWS? (Choose two.)
    • Developer
    • Professional
    • Business
    • Corporate

Ans. (A, C). There are four AWS support levels: basic, developer, business, and enterprise. Neither professional nor corporate is a valid support level.

  • Which of the following database options are available through RDS? (Choose two.)
    • DynamoDB
    • Aurora
    • DB2
    • MariaDB

Ans. (B, D). RDS supports a number of database options: MariaDB, Aurora, PostgreSQL, MySQL, Oracle, and SQL Server. DynamoDB is not a relational database, and DB2 is not supported.

  • You have an Auto Scaling group that has a number of instances spread over several availability zones. Currently, there are 10 instances running, and the Auto Scaling group has rules that allow it to grow to as many as 20 instances and shrink to as few as 3. You have been told by another architect that the group needs to scale in. When this scaling is completed, how many instances might still be running?
    • 10
    • 5
    • 15
    • 20

Ans. (B). Scaling in is the process by which an Auto Scaling group removes instances. You can think of scaling in as “moving in the boundaries of the group” and scaling out as “moving out the boundaries of the group.” Of the available choices, only B—5 instances—represents a reduction of instances.

  • Which of the following are options for writing a CloudFormation template? (Choose two.)
    • XML
    • YAML
    • MML
    • JSON

Ans. (B, D). CloudFormation templates can be written in JSON and YAML.

  • You are responsible for building out an application that serves user bases in California, USA; in Tokyo, Japan; and in Sydney, Australia. The application is hosted in regions close to all three major user bases. You want to ensure that users receive localized content in their own area. Which of the following routing policies should you consider for this application in Route 53?
    • Failover routing
    • Latency-based routing
    • Geolocation routing
    • Weighted routing

Ans. (C). Only geolocation routing makes the user’s location the primary factor. Latency-based routing might seem to translate to location-based routing, but it is conceivable that network conditions could make latency to a US region lower than latency to the nearby region, so a user in (for example) Australia would be routed to the US. Therefore, only geolocation routing ensures that the region geographically closest to each major user base is used.

  • You have four EC2 instances serving web content with an ELB in front of the instances. You are configuring Route 53 and want to ensure that the ELB is directing traffic. What sort of record should you create in Route 53?
    • A record
    • MX record
    • CNAME record
    • AAAA record

Ans. (C). A CNAME record allows you to direct traffic to a DNS name, and in this case, that DNS name would be the ELB. ELBs do not provide an IP address, so an A record would not work. An MX record is for email, and an AAAA record is for IPv6 addresses.

  • You are the architect for a large migration from on-premises data stores to DynamoDB. As part of this migration, you need to manage the access and authorization for users, but the organization wants all existing users to maintain their Active Directory usernames. What steps will you need to do in order to facilitate this move? (Choose two.)
    • Select an identity provider.
    • Create a new IAM user for each user of the data.
    • Use the AWS security token service to create temporary tokens.
    • Create a service control policy in AWS Organizations for the imported data.

Ans. (A, C). The key here is that you are not creating new users (and B is therefore incorrect); instead, you need to use an existing Active Directory setup. That requires an identity provider (A). Then, you can issue temporary tokens (C) to get users started, and they can update credentials from there.
