AWS CSAA – Released February 2018 Exam Questions

  • Only the launch configuration name, AMI, and instance type are needed to create an Auto Scaling launch configuration. Identifying a key pair, security group, and a block device mapping are optional elements for an Auto Scaling launch configuration.
  • An Elastic Load Balancing health check may be a ping, a connection attempt, or a page that is checked. It is not a status check.
  • Programmatic access to AWS services is authenticated with an access key, not with user names/passwords. IAM roles provide a temporary security token to an application using an SDK.
  • Which of the following techniques can you use to help you meet Recovery Point Objective (RPO) and Recovery Time Objective (RTO) requirements? (Choose 3 answers)
    • DB snapshots allow you to back up and recover your data.
    • Read replicas and a Multi-AZ deployment allow you to replicate your data and reduce the time to failover.
  • The main difference between Amazon SQS policies and IAM policies is that an Amazon SQS policy enables you to grant a different AWS account permission to your Amazon SQS queues, but an IAM policy does not.
  • After a message has been successfully published to a topic, it cannot be recalled.
  • The CNAME record maps a name to another name. It should be used only when there are no other records on that name.
  • To use Amazon Route 53 as your DNS service, you either transfer the existing domain registration from another registrar to Route 53 or change the NS records to point to Route 53 name servers.
  • Redis clusters can only contain a single node; however, you can group multiple clusters together into a replication group.
  • Amazon ElastiCache is Application Programming Interface (API)-compatible with existing Memcached clients and does not require the application to be recompiled or linked against the libraries. Amazon ElastiCache manages the deployment of the Amazon ElastiCache binaries.
  • When the clients are configured to use AutoDiscovery, they can discover new cache nodes as they are added or removed. AutoDiscovery must be configured on each client and is not active server side. Updating the configuration file each time will be very difficult to manage. Using an Elastic Load Balancer is not recommended for this scenario.
  • “Popular” and supports “users around the world” are key indicators that CloudFront is appropriate, as is “heavily used” combined with a requirement for private content, which Amazon CloudFront supports. Corporate use cases where the requests come from a single geographic location, or appear to come from one (because of the VPN), will generally not see benefit from Amazon CloudFront.
  • You have a web application that contains both static content in an Amazon Simple Storage Service (Amazon S3) bucket—primarily images and CSS files—and also dynamic content currently served by a PHP web app running on Amazon Elastic Compute Cloud (Amazon EC2). What features of Amazon CloudFront can be used to support this application with a single Amazon CloudFront distribution? (Choose 2 answers)
    • Using multiple origins and setting multiple cache behaviors allow you to serve static and dynamic content from the same distribution.
    • Origin Access Identifiers and signed URLs support serving private content from Amazon CloudFront.
    • Multiple edge locations are simply how Amazon CloudFront serves any content.
  • AWS KMS CMKs are the fundamental resources that AWS KMS manages. CMKs can never leave AWS KMS unencrypted, but data keys can.
  • Encryption context is a set of key/value pairs that you can pass to AWS KMS when you call the Encrypt, Decrypt, ReEncrypt, GenerateDataKey, and GenerateDataKeyWithoutPlaintext APIs. Although the encryption context is not included in the ciphertext, it is cryptographically bound to the ciphertext during encryption and must be passed again when you call the Decrypt (or ReEncrypt) API. Invalid ciphertext for decryption is plaintext that has been encrypted in a different AWS account or ciphertext that has been altered since it was originally encrypted.
  • The Amazon Kinesis services enable you to work with large data streams. Within the Amazon Kinesis family of services, Amazon Kinesis Firehose saves streams to AWS storage services, while Amazon Kinesis Streams provide the ability to process the data in the stream.
  • By default, network access is turned off to a DB Instance. You can specify rules in a security group that allows access from an IP address range, port, or Amazon Elastic Compute Cloud (Amazon EC2) security group.
  • When you choose AWS KMS for key management with Amazon Redshift, there is a four-tier hierarchy of encryption keys. These keys are the master key, a cluster key, a database key, and data encryption keys.
  • Elastic Load Balancing supports the Server Order Preference option for negotiating connections between a client and a load balancer. During the SSL connection negotiation process, the client and the load balancer present a list of ciphers and protocols that they each support, in order of preference. By default, the first cipher on the client’s list that matches any one of the load balancer’s ciphers is selected for the SSL connection. If the load balancer is configured to support Server Order Preference, then the load balancer selects the first cipher in its list that is in the client’s list of ciphers. This ensures that the load balancer determines which cipher is used for SSL connection. If you do not enable Server Order Preference, the order of ciphers presented by the client is used to negotiate connections between the client and the load balancer.
  • Amazon WorkSpaces uses PCoIP, which provides an interactive video stream without transmitting actual data.
  • An instance profile is a container for an IAM role that you can use to pass role information to an Amazon EC2 instance when the instance starts.
  • The Signature Version 4 signing process describes how to add authentication information to AWS requests. For security, most requests to AWS must be signed with an access key (Access Key ID [AKI] and Secret Access Key [SAK]). If you use the AWS Command Line Interface (AWS CLI) or one of the AWS Software Development Kits (SDKs), those tools automatically sign requests for you based on credentials that you specify when you configure the tools. However, if you make direct HTTP or HTTPS calls to AWS, you must sign the requests yourself.
  • The shared responsibility model can include IT controls, and it is not just limited to security considerations. Therefore, answer C is correct.
  • AWS provides IT control information to customers through either specific control definitions or general control standard compliance.
  • By default, the log files delivered by CloudTrail to your bucket are encrypted by Amazon server-side encryption with Amazon S3-managed encryption keys (SSE-S3). To provide a security layer that is directly manageable, you can instead use server-side encryption with AWS KMS–managed keys (SSE-KMS) for your CloudTrail log files.
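
The Server Order Preference note above describes two selection rules. The following is an added example, not code from AWS or from the original page, that models both rules so the difference in outcome is visible. The function names and the cipher lists are constructed for illustration.

```python
# Added example: models the cipher selection rule from the
# Server Order Preference note. All cipher lists are constructed samples.

def negotiate_cipher(client_ciphers, lb_ciphers, server_order_preference=False):
    """Return the cipher selected for the connection, or None if none is shared.

    Both lists are ordered from most preferred to least preferred.
    """
    if server_order_preference:
        # The load balancer walks its own list and takes the first
        # cipher that the client also offers.
        preferred, other = lb_ciphers, client_ciphers
    else:
        # Default: the first cipher on the client's list that matches
        # any load balancer cipher is selected.
        preferred, other = client_ciphers, lb_ciphers
    offered = set(other)
    for cipher in preferred:
        if cipher in offered:
            return cipher
    return None  # no cipher in common, so the handshake cannot complete


def compare_modes(client_ciphers, lb_ciphers):
    """Show what each mode selects for the same pair of lists."""
    return {
        "client_order": negotiate_cipher(client_ciphers, lb_ciphers, False),
        "server_order": negotiate_cipher(client_ciphers, lb_ciphers, True),
    }


# Constructed load balancer policy: strongest cipher first, legacy last.
LB_CIPHERS = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "ECDHE-RSA-AES128-GCM-SHA256",
    "AES128-SHA",
]

# Constructed clients: one lists a legacy cipher first, one shares nothing.
LEGACY_FIRST_CLIENT = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256"]
NO_OVERLAP_CLIENT = ["RC4-MD5"]

if __name__ == "__main__":
    print(compare_modes(LEGACY_FIRST_CLIENT, LB_CIPHERS))
    print(compare_modes(NO_OVERLAP_CLIENT, LB_CIPHERS))
```

With the constructed lists, the legacy-first client ends up on AES128-SHA under the default rule and on ECDHE-RSA-AES128-GCM-SHA256 once Server Order Preference is enabled.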