AWS Certified Cloud Practitioner

Correct answer: B

Amazon EFS is the perfect solution for this scenario because it provides a fully managed, scalable file system that can be accessed simultaneously by multiple EC2 instances across different AZs. It works like a traditional network file system, supporting full file system features, permissions, and concurrent access. When EC2 instances need to share common data or when you need a central file repository, EFS provides the necessary file-level access and sharing capabilities.

Why the other answers are incorrect:

Amazon EBS volumes can only be attached to one EC2 instance at a time within the same AZ. While you can create snapshots and replicate data across AZs, EBS doesn't support simultaneous access from multiple instances, making it unsuitable for shared file storage needs.

Amazon S3 is an object storage service, not a file system. While it's excellent for storing large amounts of data, it doesn't provide the file system interface for applications requiring standard file system operations. You can't mount S3 as a drive or use it for traditional file operations without significant application modifications.

EC2 Instance Store is temporary block-level storage that's physically attached to the host computer. This storage is ephemeral and is lost when the instance stops or terminates. It cannot be shared between instances and doesn't persist beyond the instance's lifecycle, making it inappropriate for shared, persistent file storage.

Correct answer: B

In an IAM policy, Effect and Action are the only mandatory elements that must be present in every policy statement. The Effect element specifies whether the statement allows or denies access (must be either Allow or Deny). In contrast, the Action element defines what type of service operation is being controlled (like s3:GetObject or ec2:StartInstances).

Here's a minimal valid IAM policy example:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::mybucket/*"
        }
    ]
}

Let's examine why the other combinations are incorrect:

Sid (Statement ID) is an optional identifier that helps differentiate between multiple statements in a policy. It's useful for policy management but not required for the policy to function.

Principal is only required in resource-based policies (like S3 bucket policies) and is not used in IAM identity-based policies. For identity-based policies, the principal implicitly includes the IAM user, group, or role to which the policy is attached.

Condition is an optional element that specifies special circumstances under which the policy is in effect, such as time of day or IP address ranges. While powerful for creating precise access controls, it's not required.

Reference:

• https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#access_policies-json

Correct answer: C, D

Amazon DynamoDB and Amazon EFS are architected with built-in high availability from the ground up. They automatically replicate data across multiple Availability Zones without any additional configuration needed.

DynamoDB automatically maintains three replicas of your data across multiple Availability Zones in an AWS Region. When you write data to DynamoDB, it synchronously replicates across these locations, ensuring your data remains available even if an entire Availability Zone becomes unavailable.

Amazon EFS automatically stores your files redundantly across multiple Availability Zones. The service manages data replication transparently, ensuring continuous availability of your file systems without any manual intervention. Even if an Availability Zone fails, your applications can continue accessing their files without disruption.

Instance Store provides temporary block-level storage for EC2 instances. However, this storage is physically attached to a single host machine. If the underlying hardware fails or the instance stops, all data is lost. It offers no built-in high-availability features.

A Subnet exists within a single Availability Zone by definition. While you can create multiple subnets across different Availability Zones for high availability, a single subnet cannot provide high availability on its own.

Amazon EBS volumes are also tied to a single Availability Zone. While you can create snapshots and replicate volumes across Availability Zones, this requires manual configuration. EBS volumes don't provide high availability by default.

References:

• https://aws.amazon.com/efs/faq/
• https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html
• https://docs.aws.amazon.com/vpc/latest/userguide/configure-subnets.html
• https://aws.amazon.com/ebs/

Correct answer: A

AWS Shield Advanced includes DDoS cost protection as one of its key features. AWS will credit you for the associated fees if your AWS resources experience increased usage due to a DDoS attack. This protection explicitly covers potential spikes in your AWS bill that result from increased EC2, ELB, CloudFront, and Route 53 usage during a verified DDoS attack.

AWS Shield Advanced is not a free service for any support plan level. It's a paid service requiring a separate subscription and a significant annual commitment. The service costs $3,000 per month with a 12-month commitment, plus additional data transfer usage fees.

The misconception about AWS Shield Advanced being free likely stems from confusion with AWS Shield Standard, which is included at no additional cost for all AWS customers. Shield Standard provides basic DDoS protection against common layer 3 and layer 4 attacks.

Business Support plan customers do not receive AWS Shield Advanced for free. While the Business Support plan includes many benefits, Shield Advanced requires a separate payment.

Enterprise Support plan customers also need to pay separately for AWS Shield Advanced. While Enterprise Support provides extensive benefits, it doesn't include Shield Advanced as a free service.

Reference:

• https://docs.aws.amazon.com/waf/latest/developerguide/ddos-overview.html

Correct answer: C

Amazon S3 Glacier Flexible Retrieval is specifically designed for data archiving, offering the lowest storage costs in the S3 family for long-term data retention. This storage class is ideal for data that needs to be preserved for years but doesn't require frequent or immediate access. Data retrieval typically takes several hours, which is acceptable for archival use cases.

Let's examine why the other options aren't optimal for archival storage:

S3 Standard is designed for frequently accessed data with high availability and durability. While it offers immediate access, it comes at a higher cost, making it unsuitable for long-term archival storage where immediate access isn't required.

S3 Intelligent-Tiering automatically moves data between access tiers based on usage patterns. While this is great for data with changing access patterns, it's not cost-optimal for archival data that will rarely, if ever, be accessed.

S3 One Zone-IA stores data in a single Availability Zone at a lower cost than Standard storage. However, it's designed for infrequently accessed data that can be recreated, not critical archival data that needs long-term durability across multiple Availability Zones.

References:

• https://aws.amazon.com/glacier/
• https://aws.amazon.com/s3/storage-classes/

Correct answer: C

The Business perspective is indeed one of the six core perspectives of the AWS Cloud Adoption Framework (CAF). The AWS CAF is designed to help organizations develop efficient plans for their cloud adoption journey.

The Business perspective focuses on ensuring that IT aligns with business needs and that IT investments link to key business results. It helps business managers develop a strong business case for cloud adoption and ensures that the business strategies and goals align with the cloud initiatives. Senior leadership, finance managers, budget owners, and strategy stakeholders typically drive this perspective.

The other options mentioned are not official perspectives of the AWS CAF. To provide complete context, the six actual perspectives of AWS CAF are:

• Business
• People
• Governance
• Platform
• Security
• Operations

While important in cloud adoption, Process is not a dedicated CAF perspective. Instead, processes are considered from multiple perspectives, particularly Operations and Governance.

Architecture is a component that falls under the Platform perspective rather than being a separate perspective itself.

Product is not a CAF perspective, though product development strategies might be considered within the Business perspective.

Reference:

• https://aws.amazon.com/premiumsupport/plans/enterprise/

Correct answer: B, D

AWS Lambda and Amazon Rekognition are regional services operating within specific AWS regions. Let me explain why this matters and break down each service.

Lambda functions run in the region where they are created. When you deploy a Lambda function, it exists only in that specific region unless you explicitly create copies in other regions. This regional scope is important for latency considerations - you'll want to deploy your functions in regions closest to your users or data sources.

Similarly, Amazon Rekognition is region-specific. When you use Rekognition for image and video analysis, you interact with the service in a particular region. The models and processing happen within that region, which helps with data residency requirements and performance optimization.

Now, let's look at why the other options are not correct:

AWS IAM is a global service that manages access across your entire AWS account. Creating an IAM user, group, or role is automatically available across all regions. This global scope is essential for maintaining consistent security across your AWS infrastructure.

Amazon CloudFront is also global by design. As a content delivery network (CDN), it uses edge locations worldwide to cache and serve content, regardless of the region where your origin server is located. CloudFront's global nature enables it to reduce latency for users worldwide.

AWS WAF, like CloudFront, operates globally. When you create WAF rules to protect your applications, these rules can be applied to resources across different regions, making it a global service rather than regional.

Correct answer: B

A company has recently migrated to AWS Cloud and needs to receive detailed hourly cost breakdowns delivered to an S3 bucket. Which AWS service provides this capability?

Options:

• AWS Cost Explorer
• [✓] AWS Cost & Usage Report (AWS CUR)
• AWS Pricing Calculator
• AWS Budgets

The AWS Cost and Usage Report (AWS CUR) service is designed for this scenario as it provides the most comprehensive set of AWS cost and usage data. CUR can generate highly detailed reports down to the hourly level and deliver them directly to an S3 bucket - precisely what the company needs.

What makes AWS CUR the perfect solution is its ability to provide the most granular cost data available, breaking down charges by the hour and including resource-level usage details. The service automatically delivers these comprehensive reports to an S3 bucket on a schedule that works for you - hourly, daily, or monthly. For companies that need advanced analysis capabilities, CUR seamlessly integrates with Amazon Athena and Amazon Redshift, allowing for sophisticated data analysis and custom reporting.

While valuable for interactive cost analysis and providing excellent visualizations, AWS Cost Explorer doesn't offer the automatic report generation and S3 delivery functionality needed in this scenario. It's better suited for hands-on exploration of cost trends and patterns.

The AWS Pricing Calculator service serves a different purpose entirely - it's a planning tool used before deployment to estimate future AWS costs. It helps model different scenarios but doesn't deal with actual usage data or report generation.

AWS Budgets focuses on proactive cost control through threshold setting and alerts. While this is crucial for financial management, it doesn't provide the detailed historical usage reporting capability the company requires.

References:

• https://docs.aws.amazon.com/cur/latest/userguide/what-is-cur.html
• https://aws.amazon.com/aws-cost-management/aws-cost-explorer/
• https://aws.amazon.com/aws-cost-management/aws-cost-and-usage-reporting/

Correct answer: D

The Failover routing policy is specifically designed for active-passive configurations, where you want your primary site to handle all traffic under normal conditions but need automatic redirection to a backup site if the primary site fails. Route 53 accomplishes this by monitoring the health of your primary site and quickly redirecting traffic when issues are detected.

Here's how it works:

• Route 53 performs health checks on your primary endpoint.
• Route 53 automatically routes traffic to the secondary (passive) endpoint if the health check fails.
• Once the primary endpoint returns to a healthy state, traffic is routed back to it.

Let's examine why the other options aren't suitable for active-passive configurations:

Latency-based routing directs users to the region that provides the lowest latency. While useful for optimizing user experience, it doesn't provide the failover functionality needed for active-passive setups.

Simple routing sends traffic to a single resource or distributes it randomly among multiple resources. It doesn't support health checks or failover capabilities.

Weighted routing lets you distribute traffic across multiple resources based on assigned weights. While you could assign different weights to primary and secondary resources, it doesn't provide the automatic failover functionality needed for true active-passive configurations.

Reference:

• https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/routing-policy.html

Correct answer: B

AWS Region is a fundamental component of AWS Global Infrastructure, which consists of Regions, Availability Zones, and Edge Locations distributed worldwide to provide reliable and low-latency cloud services.

Here's why AWS Region is the correct answer:

• A Region is a physical location where AWS clusters data centers (called Availability Zones)
• Each Region is completely independent and isolated from other Regions
• Regions allow customers to deploy applications closer to their end users for better performance
• They enable data sovereignty compliance by keeping data within specific geographic boundaries
• As of 2024, AWS operates dozens of Regions globally, with more being added regularly

The other options are logical networking constructs, not physical infrastructure:

Virtual Private Network (VPN) is a networking service that creates a secure connection between your network and AWS. While it's important for connectivity, it's a service running on top of the global infrastructure, not a part of it.

Virtual Private Cloud (VPC) is a logically isolated section of the AWS cloud where you launch your resources. It's a networking service that operates within a Region, making it a service that runs on the global infrastructure rather than being part of it.

Subnet is a segment of a VPC's IP address range where you place AWS resources. Like VPC, it's a networking construct that helps organize resources within a Region, not a physical infrastructure component.

Reference:

• https://aws.amazon.com/about-aws/global-infrastructure/regions_az/

Correct answer: D

An Availability Zone consists of one or more data centers located within close geographical proximity to each other. Think of it like a neighborhood where several data centers are clustered together, all connected by high-speed, low-latency networks. While physically separate, these data centers work together as a single unit to provide redundant power, networking, and connectivity.

This design is crucial for AWS's high-availability architecture. By having multiple data centers in the same location forming an AZ, AWS can ensure continuous operation even if one data center experiences issues. For example, if one data center loses power, the others within the same AZ can continue serving customer workloads without interruption.

Let's understand why the other descriptions aren't accurate:

Having just server racks in the same location would be too small in scale to provide the robust infrastructure needed for an AZ. Server racks alone couldn't deliver the level of redundancy and fault tolerance that AWS customers require.

Having data centers or server racks spread across multiple locations would describe a Region rather than an AZ. AZs are specifically designed to be in close proximity to minimize latency while maintaining enough distance to avoid shared points of failure.

Reference:

• https://aws.amazon.com/about-aws/global-infrastructure/regions_az/

Correct answer: C, E

Subnets and Internet Gateways are fundamental building blocks of an Amazon VPC, working together to create a secure and functional network architecture in the cloud. Let me explain how these components work together to form your virtual network.

A subnet is like a smaller network segment within your VPC. Just as you might divide a physical office building into different departments with their own security requirements, subnets allow you to segment your VPC into smaller networks. For example, you might create public subnets for web servers needing internet access and private subnets for databases that should remain isolated. Each subnet exists within a single Availability Zone, helping you build highly available applications.

An Internet Gateway serves as your VPC's connection to the Internet – think of it as the front door of your cloud network. Without an Internet Gateway, resources in your public subnets can't communicate with the Internet, much like a building without an entrance. When you attach an Internet Gateway to your VPC and configure your routing properly, resources in your public subnets can access the Internet, and Internet-based clients can access your public resources.

Now, let's understand why the other components aren't part of a VPC's core architecture:

AWS Storage Gateway is a hybrid storage service that connects on-premises environments with cloud storage. While it can work with resources in a VPC, it's not a VPC component itself.

API Gateway is a service for creating and managing APIs. Though it can integrate with VPC resources, it exists as a separate service outside your VPC.

Objects typically refer to items stored in Amazon S3 and have no direct relationship with VPC architecture.

Reference:

• https://docs.amazonaws.cn/en_us/vpc/latest/userguide/what-is-amazon-vpc.html

Correct answer: D, E

AWS Partner Network (APN) provides access to thousands of professional AWS partners who can offer expert guidance during cloud migration. These partners have deep AWS expertise and can help organizations evaluate their current infrastructure, recommend suitable AWS services, and plan migration strategies. APN partners often have experience with similar migrations and can share best practices and proven architectures.

AWS Service Catalog allows organizations to create and manage catalogs of approved AWS services for use within their company. IT administrators can create pre-configured service offerings that comply with organizational standards, making it easier for teams to identify and deploy appropriate AWS services. This helps maintain consistency and compliance while accelerating the adoption of AWS services across the organization.

AWS CloudTrail is a service for governance, compliance, and operational auditing of your AWS account. While valuable for security and compliance, it doesn't help identify which AWS services to use. CloudTrail records API activity after you're already using AWS services, but it doesn't provide guidance on service selection.

AWS Organizations helps you centrally manage and govern multiple AWS accounts. While it's useful for managing accounts at scale, it doesn't provide guidance on which AWS services to use. Its primary purpose is to consolidate billing and apply policies across accounts.

Amazon CloudWatch is a monitoring and observability service for AWS resources and applications. It collects operational data and metrics from resources you're already using but doesn't help identify which services to use during migration planning.

References:

• https://aws.amazon.com/servicecatalog/
• https://aws.amazon.com/partners/

Correct answer: C, D

The correct answers are:

• Enable multi-factor authentication (MFA) for all users
• Rotate credentials regularly

Let's first understand why these two practices are crucial for AWS security:

Enabling MFA for all users is a fundamental security practice that AWS strongly recommends. MFA adds an essential second layer of protection beyond just passwords. Users need their password and a temporary code from their MFA device when they log in. This significantly reduces the risk of account compromise even if passwords are exposed. For example, even if a malicious actor obtains an employee's password through phishing, they still can't access the account without the MFA device.

Regular credential rotation is another critical security practice. By changing access keys and passwords periodically, you limit the damage that could occur if credentials are compromised. AWS recommends rotating credentials every 90 days. This includes IAM user access keys, console passwords, and any other authentication credentials.

Now, let's examine why the other options are incorrect and potentially dangerous:

Granting maximum privileges violates the least privilege principle, a cornerstone of AWS security. Users should only have the minimum permissions needed to perform their tasks. For instance, if a developer only needs to work with EC2 instances, they shouldn't have access to database or billing services.

Creating minimal accounts and sharing credentials among employees is a serious security risk. Each user must have their own unique IAM user account to maintain accountability and auditability. Shared credentials make it impossible to track who performed what actions and complicate access revocation when employees leave.

Sharing root user access keys with other administrators is extremely dangerous. The root user has unrestricted access to all AWS services and resources. AWS explicitly recommends never sharing root credentials and instead creating individual IAM admin users with appropriate permissions.

Reference:

• https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html

Correct answer: A

Amazon ElastiCache is designed as an in-memory caching service supporting sub-millisecond latency for high-performance applications. It allows you to retrieve data from fast, managed, in-memory caches instead of relying on slower disk-based databases.

Amazon ElastiCache achieves its exceptional performance by storing frequently accessed data in memory rather than on disk. The service supports two popular open-source caching engines: Redis and Memcached. For example, suppose you have a web application that repeatedly queries the same product information. In that case, ElastiCache can store this data in memory, reducing database load and dramatically improving response times from milliseconds to microseconds.

Amazon DynamoDB is a NoSQL database service that provides consistent single-digit millisecond performance. While extremely fast, it's primarily a disk-based service, though it does offer DynamoDB Accelerator (DAX) as a separate caching solution.

Amazon RDS is a managed relational database service that stores data on disk. While it can be optimized for performance through various configurations, it doesn't provide the sub-millisecond latency that in-memory solutions offer.

Amazon Athena is a serverless query service designed to analyze data in Amazon S3 using standard SQL. It's optimized for data analytics and reporting rather than high-performance transactional operations.

Reference:

• https://aws.amazon.com/elasticache/

Correct answer: B, E

The correct actions the company should take are to create an IAM user and provide programmatic access only, and to create an IAM policy with Amazon RDS access and attach it to that IAM user. By doing so, the company ensures that the user can access Amazon RDS while restricting the manner in which they can interact with AWS.

Providing programmatic access only means that the IAM user can interact with AWS resources using the AWS CLI or SDKs, but not through the AWS Management Console. This satisfies the requirement to restrict access to purely command-line and SDK operations. Such restrictions are useful when automating tasks or integrating AWS services as part of a software development process.

Additionally, creating an IAM policy with Amazon RDS access and attaching it to the IAM user adheres to the principle of least privilege. This principle advises granting the minimum permissions necessary for the user to accomplish their tasks, reducing the risk of unauthorized activities or accidental configurations that could affect critical services. Instead of broad permissions, specify only what the employee actually needs, such as viewing RDS instances or starting/stopping them, depending on their role.

Creating an IAM user with AWS Management Console access deviates from the requirement to limit interactions to CLI and SDKs, hence why it is incorrect. Similarly, creating an IAM role with console access also doesn't meet the stated needs. Providing administrator access through an IAM policy would violate the principle of least privilege because it grants excessive permissions beyond the specific access requested for Amazon RDS.

Correct answer: D

Spot Instances are the perfect choice for this scenario because they offer the largest discount (up to 90% off On-Demand prices) and are ideal for workloads that can handle interruptions. These instances take advantage of AWS's unused EC2 capacity, making them extremely cost-effective.

When using Spot Instances, you place a bid for spare EC2 computing capacity. However, there's a catch - AWS can reclaim these instances with just a two-minute warning if capacity is needed elsewhere or if the market price exceeds your bid price. For a research application that can handle interruptions, this limitation is acceptable.

Let's examine why the other options aren't optimal for this case:

Reserved Instances require a 1-3 year commitment and are best for steady-state workloads that need consistent compute power. While they offer significant discounts, they're unsuitable for interruptible workloads because you're paying for the capacity whether you use it or not.

On-Demand Instances provide flexibility but at a higher cost. You pay a fixed rate by the hour or second with no commitment. While they're good for unpredictable workloads, they're much more expensive than Spot Instances.

Dedicated Hosts provide physical EC2 servers dedicated to your use. They're the most expensive option and are typically used for licensing requirements or compliance needs, making them overkill for this scenario.

Reference:

• https://aws.amazon.com/ec2/pricing/