CLF-C02: AWS Certified Cloud Practitioner


Question 121

A company wants to implement threat detection on its AWS infrastructure. However, the company does not want to deploy additional software.

Which AWS service should the company use to meet these requirements?
Amazon VPC
Amazon EC2
Amazon GuardDuty
AWS Direct Connect




Answer is Amazon GuardDuty

1. Continuously monitor your AWS accounts, instances, container workloads, users, and storage for potential threats.

2. Expose threats quickly using anomaly detection, machine learning, behavioral modeling, and threat intelligence feeds from AWS and leading third parties.

3. Mitigate threats early by initiating automated responses.

Reference:
https://aws.amazon.com/guardduty/

Question 122

Service control policies (SCPs) manage permissions for which of the following?
Availability Zones
AWS Regions
AWS Organizations
Edge locations




Answer is AWS Organizations

Service control policies (SCPs) are a type of organization policy that you can use to manage permissions in your organization.

Reference:
https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html

Question 123

In which situations should a company create an IAM user instead of an IAM role? (Choose two.)
When an application that runs on Amazon EC2 instances requires access to other AWS services
When the company creates AWS access credentials for individuals
When the company creates an application that runs on a mobile phone that makes requests to AWS
When the company needs to add users to IAM groups
When users are authenticated in the corporate network and want to be able to use AWS without having to sign in a second time




Answers are:
B. When the company creates AWS access credentials for individuals
D. When the company needs to add users to IAM groups


An AWS Identity and Access Management (IAM) user is an entity that you create in AWS to represent the person or application that uses it to interact with AWS. A user in AWS consists of a name and credentials.

Reference:
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users.html

Question 124

A company is designing its AWS workloads so that components can be updated regularly and so that changes can be made in small, reversible increments.

Which pillar of the AWS Well-Architected Framework does this design support?
Security
Performance efficiency
Operational excellence
Reliability




Answer is

The operational excellence pillar focuses on running and monitoring systems, and continually improving processes and procedures. Key topics include automating changes, responding to events, and defining standards to manage daily operations.

Reference:
https://wa.aws.amazon.com/wellarchitected/2020-07-02T19-33-23/wat.pillar.operationalExcellence.en.html

Question 125

Which of the following acts as an instance-level firewall to control inbound and outbound access?
Network access control list
Security groups
AWS Trusted Advisor
Virtual private gateways




Answer is Security groups

A security group operates at the instance level, while a network ACL operates at the subnet level.

Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/VPC_SecurityGroups.html

Question 126

Which AWS service helps protect against DDoS attacks?
AWS Shield
Amazon Inspector
Amazon GuardDuty
Amazon Detective




Answer is AWS Shield


Question 127

Using AWS Config to record, audit, and evaluate changes to AWS resources to enable traceability is an example of which AWS Well-Architected Framework pillar?
Security
Operational excellence
Performance efficiency
Cost optimization




Answer is Security

Enable traceability: Monitor, alert, and audit actions and changes to your environment in real time. Integrate log and metric collection with systems to automatically investigate and take action.

Reference:
https://d1.awsstatic.com/whitepapers/architecture/AWS_Well-Architected_Framework.pdf

Question 128

Which AWS tool or feature acts as a VPC firewall at the subnet level?
Security group
Network ACL
Traffic Mirroring
Internet gateway




Answer is Network ACL

A network access control list (ACL) allows or denies specific inbound or outbound traffic at the subnet level.

Reference:
https://docs.aws.amazon.com/vpc/latest/userguide/vpc-network-acls.html

Question 129

Which AWS service can be used to decouple applications?
AWS Config
Amazon Simple Queue Service (Amazon SQS)
AWS Batch
Amazon Simple Email Service (Amazon SES)




Answer is Amazon Simple Queue Service (Amazon SQS)

Amazon Simple Queue Service (Amazon SQS) is a fully managed message queuing service that makes it easy to decouple and scale microservices, distributed systems, and serverless applications. Amazon SQS moves data between distributed application components and helps you decouple these components.

Reference:
https://docs.aws.amazon.com/sqs/?id=docs_gateway

Question 130

Which of the following is a characteristic of the AWS account root user?
The root user is the only user that can be configured with multi-factor authentication (MFA).
The root user is the only user that can access the AWS Management Console.
The root user is the first sign-in identity that is available when an AWS account is created.
The root user has a password that cannot be changed.




Answer is The root user is the first sign-in identity that is available when an AWS account is created.

